If you’ve got some hacker powers and you want to use them for a good cause while making a bit of extra cash, you could take a look at a bug bounty program. Whilst in the past, bug bounties may have been seen as controversial, they are now becoming increasingly mainstream. Crowdsourcing penetration testing is a great tool in this time of transparency—pitching an army of individuals who care about the greater good of our world against those with criminal tendencies. You don’t have to be evil to be a threat hunter.
The benefits of a bug bounty program
If you work for an organization that doesn’t offer a bug bounty program (and you don’t need to be primarily a software provider; every organization is a technology organization after all), you should consider the benefits. The reputational damage associated with a breach is huge. It’s not so much that you had a breach but how you respond to it that really determines the outcome. Having a bug bounty program shows that your security posture is strong. In all likelihood, you’ve got most of this covered, but you may still be open to help, and grateful for it.
Also, most organizations are constrained by the number of cybersecurity professionals they can hire—there is a well-publicized global cybersecurity skills gap. Bug bounties give organizations access to a global pool of skills that will have different ideas and are likely to find things you don’t. As ABN Amro put it:
“Our CISO team is committed to protecting our customers. As part of this commitment, we invite security researchers to help protect ABN AMRO and its users by proactively identifying security vulnerabilities via our bug bounty program. We work hard every day to maintain and improve our systems and processes so that our customers can bank safely online at all times. However, should you find a weakness in one of our IT systems, we would appreciate your help.”
You can find lists of bug bounty programs available on HackerOne, BugCrowd, Hacks.ICU and VulnerabilityLab. Most organizations will provide guidance regarding what they are asking people to look for, for example:
- Cross-site scripting vulnerabilities
- SQL injection vulnerabilities
- Encryption weaknesses
- Remote code execution
- API vulnerabilities
- Authentication bypass, unauthorized data access
- XML external entity
- S3 bucket upload
- Server-side request forgery
Minimum bounties vary from $50 to $200 and payouts can be huge: Google recently upped the maximum bounty for a Chrome bug to $30,000 and is offering $1.5M to anyone who can hack the Titan M chip on its Android devices. As Casey Ellis, founder and CTO of Bugcrowd, put it:
“The skills needed to find these types of vulnerabilities in Google devices are rare and often tied up in the offensive market. By upping the incentive to hackers, Google is making bug hunting for them more attractive, especially to those that might teeter the line between whitehat and blackhat.”
Bug bounties: worth the cost
That’s all very well, but do these bug bounty programs actually pay out? Cynics amongst us could cite these numbers as marketing hype. According to HackerOne’s 2019 Hacker Report, in 2018 digital bounty hunters earned over $42 million in bounties. They add:
“This past year we saw incredible individual performances such as hackers earning $100K for one vulnerability and the first hacker (19 year old Santiago Lopez) passing the $1 million milestone.”
British hacker Mark Litchfield has also exceeded the $1 million milestone. There are reports of large individual payouts, as well as those paid out to teams and via live hacking events. And it doesn’t have to be cash you hand out; United Airlines awarded a Dutch 19-year-old, Oliver Beg, multiple miles awards—one for 250,000 miles. Several others, including American Jordan Wiens, have received the top, million miles prize for a single bug. Not only is there serious money, rewards and swag at stake, hackers also receive recognition for their efforts; BMW lists their contributors and says:
“The BMW Group wishes to thank and acknowledge the security experts who are the first to identify vulnerabilities. Thanks to their support and the countermeasures developed by us, we continue to enhance the security of our products and services.”
If you’re planning your own bug bounty program and wondering how to finance it, you may want to take advice from bug bounty veterans such as Sky Betting and Gaming:
“It’s easy to get tempted into starting a large public bounty programme, but I would strongly advise you to start small and scale slow—try testing the waters with an internal/private bug bounty programme, or a fixed PoC/pilot with a set bounty pot and a small number of hand-picked hackers. It’s also vital to have a dedicated budget agreed and put aside, with the ability to quickly clear funds. Since no pot of money is infinite, it’s important also to limit your exposure somehow and maintain control over likely expenditure.
It may be a good idea, at least initially, to run for a defined trial period, or structure your programme around bursts, sprints or “seasons” so that you have an on-season and an off-season for bug hunting, giving you time in between to clear down vulnerability backlogs and get ready for the next onslaught.”
And if your finance people aren’t taking the bait, you could share with them this story from the US Department of Defense. Its bug bounty pilot ran from April 18 to May 12, 2016 (less than a month) and netted 138 vulnerabilities. Ash Carter, then the Secretary of Defense, commented on the $150,000 payout that followed:
"It's not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million."
If the concept of bug bounty programs is new to you, but you know you want one, don’t panic: partners such as HackerOne and BugCrowd can run your bug bounty program for you.
Dark web TLS certificates: just another reason
Although not an official bug bounty program, Venafi has sponsored research that shines a light on the availability of SSL/TLS certificates on the dark web. The first of three reports from the Evidence-based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University and the University of Surrey details the preliminary findings of the research and outlines the volume of SSL/TLS certificates for sale on the dark web, including information on how they are packaged and sold to attackers. Understanding where weaknesses can be exploited in this way can help you design a strong bug bounty program.
Check out this Chalk Talk for a refresher on how to eliminate blind spots in your SSL/TLS traffic.
Since SSL/TLS certificates, which serve as machine identities, can be used to eavesdrop on sensitive communications, spoof websites, trick consumers and steal data, it’s critical to ensure that only trusted and strong machine identities are used. Because poor machine identity management creates a risk of vulnerabilities, some organizations have paid bug bounties to have those vulnerabilities identified. Check out this one reported by Tomi Koski for Yelp, where X.509 certificate validation failed on international vanity domains, which paid out $300.
Lastly, let’s not forget about bug bounties for APIs. Since APIs act as machine identities that authenticate links between different systems, they enable people and programs to access sensitive data—and are therefore particularly worth protecting. Check out this blog post to learn more about how you might secure your APIs.