What Is a Bug Bounty Program
A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse. Bug bounty programs have been implemented by a large number of organizations, including Mozilla, Facebook, Yahoo!, Google, Reddit, Square, Microsoft, and the Internet Bug Bounty.
Bugcrowd has a standard sign-up process and doesn't require any proof of experience to become a researcher. You can choose to make your profile public (so people can see the kudos points you've accumulated and general stats about your involvement) or keep it private. Your page shows your rank, how many points you've accumulated, how many submissions you've made over time, and the accuracy of those submissions. It also displays the average severity of the vulnerabilities you've had rewarded, on a scale of low, moderate, high and critical.
Bugcrowd also maintains a system for classifying vulnerabilities, called the Vulnerability Rating Taxonomy (VRT), in an effort to further bolster transparency and communication, as well as to contribute valuable and actionable content to the bug bounty community. For researchers specifically, the company contends that the VRT helps program participants save valuable time and effort in their quest to make bounty targets more secure, helping them identify which types of high-value bugs they have overlooked.
Astute researchers will often specialize their skillset to become proficient at detecting a handful of bugs. As you work through the exercises and think about which strategies you’d like to dedicate time to, resources such as the VRT can help you triangulate that perfect intersection of effort and reward.
Bugcrowd uses metrics about your behavior, pulled from the last 90 days, to determine which researchers to invite to private bounty programs. These private programs are opened to a limited set of researchers, who are given a window of time in which to find vulnerabilities. Private programs are great because they mean fewer researchers combing through a particular site, and therefore more chances for you to discover bugs.
The company also provides a useful service where, every time you log in, Sometimes program guidelines will ask you to create a testing account using this email so the participating company can monitor researchers, but regardless, they’re a great resource. Because it’s a Gmail service, you can also change the address if you need to spin up multiple accounts.
You can find a wide spectrum of businesses on Bugcrowd, covering every size and a variety of revenue models. The targets trend towards web applications, but there is also a smattering of mobile apps and the odd alternative listing.
HackerOne is a similar platform: it has its own point system (reputation) and also calculates a variety of metrics that it uses as the basis for its leaderboard and for invitations to its own private programs. Like Bugcrowd, it also has a bug bounty policy for itself; if you find a vulnerability in one of its sites or apps, you're entitled to a reward. Interestingly, though, you might still be entitled to a reward even if you don't discover a bug. From their site:
“HackerOne is interested in your research on our systems, regardless of whether you found a security vulnerability. If you have found yourself looking at a particular feature on one of our assets but didn’t find anything, please submit a report that describes all the different things you tried and failed. We may reward you for substantial research performed on assets under our bug bounty policy.”
This is an unusual policy that still makes sense: providing a detailed list of everything that didn't work is its own audit of the company's resources, even if it doesn't uncover any vulnerable areas. HackerOne and Bugcrowd both have a similar breadth of different companies, with different products, business models, and security needs. HackerOne does have a few notable companies that are exclusive to its platform, most notably Twitter, but generally the offerings are very similar.
Vulnerability Lab is a submission-and-disclosure platform that uses a team of in-house experts to vet high-profile vulnerabilities, but also accepts submissions on less critical, lower-profile bugs. One of the site's features involves receiving reports for critical vulnerabilities that a researcher might not want to submit directly, with Vulnerability Lab acting as a point of contact and third-party broker between the researcher and the affected company.
Like HackerOne, it publicly discloses bug reports after a window of time has elapsed, and is a useful reference for beginners looking to better understand the form of bug reports and the methods for discovering and reporting common vulnerabilities. Its public index of vulnerabilities is also tagged with the type of system each bug was found on, making it a nice resource when you're trying to get a sense of application-specific problems.
BountyFactory, which touts itself as the first European bug bounty platform that relies on European rules and legislation, is run by the larger YesWeH4ck group, an infosec recruiting company founded in 2013 that is made up of a bug bounty platform, a job board (YesWeH4ck Jobs), a coordinated vulnerability-disclosure platform (ZeroDisclo), and an aggregation of all public bug bounty programs (FireBounty).
Like Bugcrowd and HackerOne, BountyFactory has a scoring system, leaderboard, and both public and private programs, for which it extends a limited number of invitations. Because of its European orientation, BountyFactory is great for finding companies, such as OVH, Orange, and Qwant, that aren’t on the popular, American-run alternatives. Many of its clients are straight out of the French start-up scene.
Synack relies on a completely different business model from all the other programs we’ve discussed. As a private program that prides itself on its quality and exclusivity, Synack requires more than just an email to become a researcher. The company asks for personal information, requests a video interview, initiates a background and ID check, and conducts a skills assessment to ensure their researchers are capable and responsible enough to audit programs where they might come into contact with sensitive data (one of Synack’s specialties). Fewer than 10% of applicants to their Red Team are accepted. And unlike the other programs, Synack doesn’t publish a leaderboard or any sort of researcher ranking publicly (though they do keep internal rankings as the basis for rewards and invitations to select campaigns).
Intermediaries such as Synack are great if you're looking for more of the private-program type of engagements you're already being invited to on Bugcrowd or HackerOne, where researchers receive exclusive, limited access to the target application. It's also great if you need a quick payout time, or want access to the professional development materials the company only makes available to member researchers. The fact that Synack keeps its researchers' identities secret is also a benefit: although adhering to the Rules of Engagement (RoE) is always important, it offers the researcher some protection from legal action by companies trying to discourage aggressive auditing, or who interpret their own RoE differently than you do.
In general, Synack is a good option if you've already cut your teeth on bug bounty marketplaces where the cost to join isn't as high, and are looking to make a bigger commitment to security research. If you're willing and able to get past their screening process, working as part of their Red Team will secure you less-trafficked targets, exclusive engagements, and quicker payouts.
Company Sponsored Initiatives
Company-sponsored programs are just what they sound like. It's not just large mega-corps that have bounty programs; a surprising number of businesses have a process for rewarding security contributions. The size of each company can drastically affect the requirements and conditions for a reward: large companies pay top dollar for vulnerabilities, but the low-hanging fruit of those flaws will already have been picked; start-ups will have less mature applications, but probably a smaller application attack surface, assembled from a newer stack with fewer known vulnerabilities, and might want to pay for contributions in swag. Companies that are mature enough to suffer from technical debt, but also have a budget to pay rewards, are a nice fit. Sometimes, though, you'll just have to poke around in different areas, taking your chances, to find your next vulnerability. Here are some examples of the programs offered by larger companies.
Google’s program is expansive, with detailed payout structures and specific instructions for classifying different types of bug. Most of the relevant information can be found on the rewards section of their Application Security page, but Google also curates a (small) set of pentesting tutorials, with specific attention paid to finding the types of bugs and submitting the kinds of reports about them that Google wants to receive.
The articles on Bughunter University and other Google resources have different levels of applicability (some of it is just Google's preferences, requirements, and so on), but even the more idiosyncratic sections contain best practices and wisdom that can be applied to other programs and engagements. Other companies might not agree completely with Google's list of common non-qualifying report types, but there'll still be substantial overlap, making it a useful guide regardless of the vendor.
In addition to the materials on Bughunter University, Google is responsible for creating and maintaining a lot of great instructional applications. We'll be using one, Google Gruyere, as part of our chapter on XSS, and you can find other great resources from Google in the Other Tools section at the end of the book.
Facebook has a bug bounty program with a minimum payout of $500, but as the very direct language in its responsible disclosure policy attests, it does not tolerate mucking about with production data: if you comply with the policies when reporting a security issue to Facebook, they will not initiate a lawsuit or law enforcement investigation against you in response to your report.
The amount of information available for their program is minimal. You'll find a side-by-side example of a submission report and an improved version, along with a list of non-qualifying vulnerabilities, but not much in the way of universal lessons or professional tips.
As the legalese signals, Facebook is very sensitive to misuse of its platform, especially given recent increased scrutiny. And because so many exploits will be aimed at affecting users, it's critical to stop short of writing any code that could subvert an account.
Amazon has vulnerability programs for both its e-commerce and cloud services divisions. An important point is that Amazon requires you to register and ask for permission before conducting any sort of pentesting engagement. This is critical, and a key way the company differs from some of its competitors. Instead of an open-ended participation model where, as long as you abide by the rules of engagement, you can expect immunity, Amazon enforces a permissions-first model to better contain pentesting activity and to differentiate white-hat from black-hat activity.
Amazon has a multitude of white papers, blog posts, and documentation on how security works within Amazon, but less material than Facebook or Google to help with penetration testing or bug bounty participation generally.
GitHub offers a bounty program that covers a wide array of its properties, including the API, enterprise app, and main rails site, with payouts ranging from $555 to $20,000 for most of those targets.
One neat feature of the GitHub program is that each participant who successfully submits a bounty receives a profile page that, in addition to showing the points they've accumulated, their rank, and earned badges, lists their reported vulnerabilities with a short technical blurb about each one. Like the published submission reports on other platforms, any technical detail about a successfully discovered vulnerability is an invaluable insight into winning strategies, both in general and for the site in question. And if you're looking to parlay finding bugs into a larger career in security, profile pages such as the ones offered by GitHub, Bugcrowd, and HackerOne can be great bullet points on your resume.
Microsoft has a rewards program covering both its consumer software stable and its web-app products, such as its cloud offering, Azure. The Microsoft Bounty Program site goes into detail about submission-report formatting, showing examples of both good and bad specimens, and has detailed, specific testing guidelines for every Microsoft property included. But there isn't a deep reserve of learning material from a general pentesting perspective, and less in the way of community. Microsoft, like many other companies, has its own public leaderboard and ranking system.
Their blog is a good source for more general infosec analysis. In one series, they provide an in-depth analysis, including source code examples, of Windows exploits used by the Shadow Brokers, the infamous hacking syndicate known to have leaked NSA hacking tools in the summer of 2016.