Bug Bounty Programs: The Low-Down
The global software industry is massive. Enterprise software alone is predicted to be worth $500 billion a year by 2022. Unless we live entirely off-grid, every part of our lives and work is touched by software.
And like taxes and death, one thing you can be sure of is that software contains bugs. The commercial life cycle for software is such that you need to get software out to market quickly. First-come is first-served in an industry where innovation turns on the head of a needle.
Fast-to-market software means that the industry has had to develop new ways to speed up the development cycle. Agile development techniques and the use of automation in the test phase of the development cycle have helped to shorten the time to market. But software bugs never seem to end: you fix one, only to introduce another. If you check the CVE Details data source, which lists the number of recorded software vulnerabilities going back to 1999, you can see that the number of software bugs per year keeps on growing. In 2017, there were 14,714 recorded bugs. By mid-November 2018, this number was already 14,917.
Keeping up with testing software is a big job. Even production releases of software have bugs in them — as anyone running operating system software will attest. Microsoft Windows and Mac OS, for example, have regular software updates which are pushed out to anyone running a device with those operating systems installed. Microsoft’s “Patch Tuesday” has even entered the common language of computer users across the world. And while bugs come in all shapes and sizes, some of the most impactful are the security bugs.
It is to this end that using a bug bounty program to help test software has become an industry standard. This method helps locate those pesky security flaws that slip through the tester’s net.
What Are Bug Bounty Programs?
An engineer at Netscape, Jarrett Ridlinghafer, was the person who originally came up with the idea of a bug bounty program. The idea he proposed was to pay users across the wider user community a reward for finding security flaws in software products. It’s a simple idea, but one that would be used by all of the world’s top software companies.
A bug bounty program works something like this:
- The company will announce that they are running a bug bounty program.
- The bug bounty program will center on one or more software products, which form the “scope” of the program.
- The program may set out exclusions to the program — you won’t be rewarded for finding bugs outside of the scope.
- Certain types of software vulnerabilities will be identified as reward-worthy; for example, the company may want you to concentrate on finding authentication flaws.
- The financial rewards will (usually) be presented up front and may vary according to vulnerability type found.
- Other rules of the program will be set out.
- The method of reporting the software flaws will be explained — the hacker must follow this protocol when reporting to avoid being disqualified.
- If you meet the criteria, you are paid a financial reward.
What Are Some Examples of Companies Who Pay You to Find Security Bugs?
Some organizations will run ongoing bug bounty programs, whereas others run them on an ad hoc basis. Examples of bug bounty programs include:
Hack the Pentagon: This was a three-year white/gray-hat hacking initiative, starting in 2016 and run by HackerOne. It was set up to find software vulnerabilities in the Defense Department’s public-facing websites. So far, $75,000 has been paid out in rewards.
Facebook Whitehat: The Facebook bug bounty program was started in 2011 to find vulnerabilities across the social platform. It offers a minimum reward of $500; the largest reward to date was $20,000, with over $1 million paid out so far.
Google Vulnerability Reward Program (VRP): Google set up their bug bounty program in 2010. It is an ongoing program that has varying rewards, dependent on the type and location of the vulnerability found. Rewards range from $100 to $31,337.
Stellar Bug Bounty Program: Stellar is a decentralized protocol built for financial transactions. Stellar is based on a digital currency called a “Lumen.” Hackers are paid in Lumens when they find a vulnerability in the Stellar code or any of its repos. Stellar uses OWASP’s risk rating table to determine the severity of the bug found, which in turn determines the number of points the hacker receives. This varies from 500 to 25,000 (paid in Lumens).
Microsoft Bug Bounty: Microsoft runs a number of bug bounty programs across its suite of products. These change over time as new products and releases come out. Microsoft offers some of the highest-paying bug bounty rewards on the bug bounty circuit; amounts offered can be up to $250,000 for a novel exploit. For a reward like this, you do have to put the work in, writing whitepapers on the exploit and demonstrating the innovative novelty of the flaw.
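The Stellar program above triages reports with the OWASP Risk Rating Methodology. As an added example (not Stellar’s or OWASP’s own code), the scorer below implements that methodology: each likelihood and impact factor is rated 0 to 9, the two averages are banded as LOW/MEDIUM/HIGH, and the overall severity comes from OWASP’s 3x3 matrix. The mapping from severity to points is an assumption; only the 500 and 25,000 endpoints come from the article, and the sample report is constructed.

```python
"""OWASP Risk Rating scorer with a hypothetical severity-to-points table."""
from statistics import mean

# Likelihood factors from the OWASP methodology, each rated 0-9.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",              # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness",
    "intrusion_detection",                                       # vulnerability
)
# Impact factors, each rated 0-9.
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",            # technical
    "financial_damage", "reputation_damage",
    "non_compliance", "privacy_violation",                       # business
)
# OWASP overall risk severity matrix, indexed [impact band][likelihood band].
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}
# Assumed reward tiers: the endpoints are from the article, the rest is made up.
POINTS = {"Note": 0, "Low": 500, "Medium": 2500, "High": 10000, "Critical": 25000}

def band(score):
    """OWASP bands a 0-9 average as LOW (<3), MEDIUM (3 to <6) or HIGH (>=6)."""
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def average(factors, names):
    """Average the named factors after checking each lies in 0-9."""
    values = [factors[n] for n in names]
    if any(not 0 <= v <= 9 for v in values):
        raise ValueError("every factor must be rated 0-9")
    return mean(values)

def rate(likelihood, impact):
    """Return (likelihood score, impact score, severity label, points)."""
    l_score = average(likelihood, LIKELIHOOD_FACTORS)
    i_score = average(impact, IMPACT_FACTORS)
    severity = SEVERITY[band(i_score)][band(l_score)]
    return l_score, i_score, severity, POINTS[severity]

# Constructed sample report: an authentication bypass reachable by anyone,
# easy to find, not logged, exposing customer data but not availability.
SAMPLE_LIKELIHOOD = dict(skill_level=3, motive=9, opportunity=9, size=9,
                         ease_of_discovery=7, ease_of_exploit=5, awareness=4,
                         intrusion_detection=8)
SAMPLE_IMPACT = dict(loss_of_confidentiality=7, loss_of_integrity=5,
                     loss_of_availability=1, loss_of_accountability=7,
                     financial_damage=7, reputation_damage=5,
                     non_compliance=5, privacy_violation=7)

if __name__ == "__main__":
    print(rate(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT))  # → (6.75, 5.5, 'High', 10000)
```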
The Black, Gray and White Hats of Responsible Disclosure
The types of people who take part in bug bounty programs are as varied as the bugs themselves. Those who find software vulnerabilities and disclose them to the vendor directly are known as “white-hat hackers.” But it isn’t only white-hat hackers who look for vulnerabilities in new releases and software products. The white hat’s evil twin, the black-hat hacker, is also on the lookout for vulnerabilities to exploit. These vulnerabilities will be sold to the highest bidder, usually other criminals. In the case of the (supposedly) less-evil middle twin, the gray-hat hacker, these vulnerabilities are sold to state actors, such as governments.
In a bug bounty program, the idea of responsible disclosure is encouraged. This is a set of rules of engagement that sets out how the white-hat hacker should act when looking for, and on finding, a security flaw. HackerOne, for example, sets out rules that cover respect, privacy and patience on the part of the hacker. It also has guidelines for security teams on the receiving end of bug reports. These rules include respect for finders and preservation of privacy. There is also a rule which expressly states:
“Do no harm. Not take unreasonable punitive actions against finders, like making legal threats or referring matters to law enforcement.”
This creates a safe space for white-hat hackers to do their important work.
A Lily-White Approach to Software Vulnerabilities
Without the sterling work of the white-hat hacker, our software would be less safe. The white-hat hacker plays a valuable role in modern software development. Without their input, it is unlikely that the large number of software vulnerabilities could be managed well. The financial incentive for the white hats is well worth the outlay and allows organizations that use the hacker community in this way to benefit from the collective mind of experienced security professionals.
Sources
- Global Enterprise Software Market (By Segment, Industry Verticals, Geography and Vendors) and Forecast to 2022, Orbis Research
- Browse CVE Vulnerabilities by Date, CVE Details
- Hack the Pentagon, HackerOne
- Whitehat, Facebook
- Google Vulnerability Reward Program Rules, Google
- Bug Bounty Program, Stellar
- OWASP Risk Rating Methodology, OWASP
- Vulnerability Disclosure Guidelines, HackerOne