Jump to content

User:Buidhe paid/Bug bounty

From Wikipedia, the free encyclopedia

A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation[1] for reporting bugs, especially those pertaining to security vulnerabilities.[2] If no financial reward is offered, it is called a vulnerability disclosure program.[3][4]

These programs, which can be considered a form of crowdsourced penetration testing,[5] grant permission for unaffiliated individuals—called bug bounty hunters,[6] white hats or ethical hackers[7]—to find and report vulnerabilities.[3] If the developers discover and patch bugs before the general public is aware of them, cyberattacks that might have exploited are no longer possible.[3]

Participants in bug bounty programs come from a variety of countries, and although a primary motivation is monetary reward, there are a variety of other motivations for participating. Hackers could earn much more money for selling undisclosed zero-day vulnerabilities to brokers, spyware companies, or government agencies instead of the software vendor. If they search for vulnerabilities outside the scope of bug bounty programs, they might find themselves facing legal threats under cybercrime laws. The scale of bug bounty programs increased dramatically in the late 2010s.

Some large companies and organizations run and operate their own bug bounty programs, including Microsoft, Facebook, Google, Mozilla, the European Union,[8] and the United States federal government.[9] Other companies offer bug bounties via platforms such as HackerOne.

History

[edit]

In 1851, Alfred Charles Hobbs was paid USD$20,000 (adjusted for inflation) to pick a lock.[10] In 1995, Netscape launched the first bug bounty program, for the beta version of its Netscape Navigator 2.0 browser.[10][11][12] Later on, other enterprises opened their own bug bounty programs. These were supplemented by crowdsourcing platforms that made it easier for professionals to find bug bounties.[10]

Motivation

[edit]
Vulnerability timeline if discovered first by a malicious actor. If the company becomes aware of the vulnerability first, a patch can be developed that prevents malicious actors from exploiting that vulnerability.[3]

Despite developers' goal of delivering a product that works entirely as intended, virtually all software contains bugs.[13][5] If a bug creates a security risk, it is called a vulnerability, and if the vendor is unaware of it, it is called a zero-day.[14][15] Vulnerabilities vary in their ability to be exploited by malicious actors. Some are not usable at all, while others can be used to disrupt the device with a denial of service attack. The most valuable allow the attacker to inject and run their own code, without the user being aware of it.[16] The harms of an attack can be severe.[17]

Organizations seeking to improve security test their systems to see if they can be breached.[5] Many contract with external services that conduct penetration testing, but this is not enough to find all vulnerabilities, motivating some companies to supplement with crowdsourced information.[3] Many companies are skeptical of third-party reports,[18] afraid that these programs will increase malicious activity, cost too much money, or bring fraudulent reports. Alternatively, bug bounty programs might be ignored because of confidence in their application's security or in favor of other security measures.[19] Some studies have found that the cost per vulnerability found is much lower via bounty programs rather than by hiring software engineers to search for vulnerabilities.[18]

Rewards

[edit]

The size of the reward offered varies on such factors such as the size of the company, the difficulty of finding the vulnerability, and how severe its effects could be if exploited.[6] Successful bug bounty hunters can often make more than software developers.[20] Many bug bounty programs are focused on web applications.[21]

In August 2013, a Palestinian computer science student reported a vulnerability that allowed anyone to post a video on an arbitrary Facebook account. According to the email communication between the student and Facebook, he attempted to report the vulnerability using Facebook's bug bounty program but the student was misunderstood by Facebook's engineers. Later he exploited the vulnerability using the Facebook profile of Mark Zuckerberg, resulting in Facebook refusing to pay him a bounty.[22]

A Facebook "White Hat" debit card, which was given to researchers who reported security bugs

Facebook started paying researchers who find and report security bugs by issuing them custom branded "White Hat" debit cards that can be reloaded with funds each time the researchers discover new flaws.[23]

In 2016, Uber experienced a security incident when an individual accessed the personal information of 57 million Uber users worldwide. The individual supposedly demanded a ransom of $100,000 in order to destroy rather than publish the data. In Congressional testimony, Uber CISO indicated that the company verified that the data had been destroyed before paying the $100,000.[24] Mr. Flynn expressed regret that Uber did not disclose the incident in 2016. As part of their response to this incident, Uber worked with partner HackerOne to update their bug bounty program policies to, among other things, more thoroughly explain good faith vulnerability research and disclosure.[25]

Yahoo! was severely criticized for sending out Yahoo! T-shirts as reward to the Security Researchers for finding and reporting security vulnerabilities in Yahoo!.[26] When Ecava released the first known bug bounty program for ICS in 2013,[27][28] they were criticized for offering store credits instead of cash which does not incentivize security researchers.[29] Ecava explained that the program was intended to be initially restrictive and focused on the human safety perspective for the users of IntegraXor SCADA, their ICS software.[27][28]

Some bug bounties programs require researchers to sign a non-disclosure agreement to receive pay or safe harbor benefits from the bug bounty program. This practice has been criticized on ethical grounds as enabling the company to sweep knowledge of vulnerabilities under the rug.[30][31][32]

Reports

[edit]

Because submissions are open to anyone, a large number of reports (estimated at 50-70 percent for HackerOne, the largest platform) are invalid.[33][34] One study found that the largest number of reports were rejected as previously known vulnerabilities, followed by false positives, out-of-scope, duplicates, and for lack of proof-of-concept. Another study found that bounty programs offering more money received a higher number of valid reports.[35] One cause of invalid reports is that it may be easier for hackers to submit a report rather than do additional work to check their solution.[36] Some bug bounty platforms, including HackerOne, have implemented measures to cut down on the number of invalid reports.[36] Bug bounty programs may be invite-only to trusted security researchers instead of public.[37] To validate the vulnerability and receive an award, the hacker usually has to create an exploit to prove that the vulnerability found is a genuine security bug.[6] The most commonly reported vulnerabilities in bug bounty programs include SQL injection, cross-site scripting (XSS), and design flaws.[38]

Participants

[edit]

Participants in bug bounty programs come from a variety of countries. In a survey of hackers on the HackerOne platform, 19 percent gave their location as the United States.[32] Anyone can make reports, regardless of their educational background and age.[39] The majority of reports come from a relatively small number of hackers.[40] The number of reporters and reports has increased dramatically in the late 2010s.[41]

Although the most-reported motivation of bug bounty participants is the financial reward from reporting,[42] other motivating factors include the potential for recognition, intellectual challenge, learning, and job opportunities.[43][3][7] A 2017 study published in Journal of Cybersecurity found that newer bug bounty programs attracted more researchers, despite older ones offering higher financial rewards.[44]

Notable programs

[edit]

Corporate

[edit]

In October 2013, Google announced a major change to its Vulnerability Reward Program. Previously, it had been a bug bounty program covering many Google products. With the shift, however, the program was broadened to include a selection of high-risk free software applications and libraries, primarily those designed for networking or for low-level operating system functionality. Submissions that Google found adherent to the guidelines would be eligible for rewards ranging from $500 to $3,133.70.[45][46] In 2017, Google expanded their program to cover vulnerabilities found in applications developed by third parties and made available through the Google Play Store.[47] Google's Vulnerability Rewards Program now includes vulnerabilities found in Google, Google Cloud, Android, and Chrome products, and rewards up to $31,337.[48]

Microsoft and Facebook partnered in November 2013 to sponsor The Internet Bug Bounty, a program to offer rewards for reporting hacks and exploits for a broad range of Internet-related software.[49] In 2017, GitHub and The Ford Foundation sponsored the initiative, which is managed by volunteers including from Uber, Microsoft,[50] Adobe, HackerOne, GitHub, NCC Group, and Signal Sciences.[51]

Government

[edit]

In March 2016, Peter Cook announced the US federal government's first bug bounty program, the "Hack the Pentagon" program.[52]

In 2019, The European Commission announced the EU-FOSSA 2 bug bounty initiative for popular open source projects, including Drupal, Apache Tomcat, VLC, 7-zip and KeePass. The project was co-facilitated by European bug bounty platform Intigriti and HackerOne and resulted in a total of 195 unique and valid vulnerabilities.[53]

Platforms

[edit]

There are some platforms—the largest being HackerOne—that run bug bounty programs on behalf of software vendors and pay rewards set by the vendor.[8] Others include Cobalt, Bugcrowd, and Synact.[54][55][56] Open Bug Bounty is a crowd security bug bounty program established in 2014 that allows individuals to post website and web application security vulnerabilities in the hope of a reward from affected website operators.[57]

Research

[edit]

As of 2021, most quantitative research on bug bounty programs has focused on publicly accessible datasets. There has not been published research into bug bounties for safety-critical systems, which have become increasingly connected to the Internet. Most of the existing research is quantitative and created by computer science experts, with a lack of multidisciplinary perspectives incorporating the insights of such fields as economics, law and philosophy.[42]

Legality

[edit]

Vulnerability discovery is similar in many respects to cyberattack. The actions of even well-intentioned hackers may breach criminal laws passed to prosecute cybercriminals. Most hackers are not legal experts and lack of knowledge of the law in their jurisdiction.[58] It is common for vulnerability discoverers to receive legal threats after disclosing a vulnerability.[59]

Although nearly all bug bounty programs promise a safe harbor for reports complying with their policies,[58] if the discovered vulnerability does not fall into a previously established bug bounty program, the company involved could report it as an illegal cyberattack.[58][59] In China, some vulnerability reporters have been arrested and prosecuted, including the leaders of WooYun—the oldest and largest vulnerability reporting platform in the country.[58]

Alternative vulnerability markets

[edit]

Not all companies respond positively to disclosures, as they can cause legal liability and operational overhead. It is not uncommon to receive cease-and-desist letters from software vendors after disclosing a vulnerability for free.[60] Some individuals who find a previously unknown, zero-day vulnerability do not sell it to the vendor directly or indirectly via a third-party bug bounty program. According to one study, the most commonly cited reasons for not reporting a bug were threatening language on the website, lack of an obvious place to report, and lack of response to earlier bug reports.[61]

Discoverers can earn more money—more than USD$1 million in some cases—by selling the vulnerability to brokers such as Zerodium, spyware companies such as NSO Group, governments, or intelligence agencies. Government agencies may use the vulnerability to cause a cyberattack, stockpile the vulnerability, or notify the vendor.[62][15][8] Some hackers also sell the vulnerability they found to a criminal group.[63] In 2015, the markets for government and crime were estimated at at least ten times larger than the bug bounty market.[62]

See also

[edit]

References

[edit]
  1. ^ Ding, Aaron Yi; De Jesus, Gianluca Limon; Janssen, Marijn (2019). "Ethical hacking for boosting IoT vulnerability management". Proceedings of the Eighth International Conference on Telecommunications and Remote Sensing. Ictrs '19. Rhodes, Greece: ACM Press. pp. 49–55. arXiv:1909.11166. doi:10.1145/3357767.3357774. ISBN 978-1-4503-7669-3. S2CID 202676146.
  2. ^ Weulen Kranenbarg, Marleen; Holt, Thomas J.; van der Ham, Jeroen (November 19, 2018). "Don't shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure". Crime Science. 7 (1): 16. doi:10.1186/s40163-018-0090-8. ISSN 2193-7680. S2CID 54080134.
  3. ^ a b c d e f Magalhães 2024, p. 236.
  4. ^ Jackson 2021, p. 6.
  5. ^ a b c Magalhães 2024, p. 235.
  6. ^ a b c Lozano & Amir 2018, p. 5.
  7. ^ a b Laszka et al. 2018, p. 138.
  8. ^ a b c Magalhães 2024, p. 241.
  9. ^ "The Pentagon Opened up to Hackers - And Fixed Thousands of Bugs". Wired. November 10, 2017. Retrieved May 25, 2018.
  10. ^ a b c Jackson 2021, p. 3.
  11. ^ "Bounty attracts bug busters". CNET. June 13, 1997. Retrieved October 17, 2023.
  12. ^ Friis-Jensen, Esben (April 11, 2014). "The History of Bug Bounty Programs". Cobalt.io. Archived from the original on March 16, 2020. Retrieved October 17, 2023.
  13. ^ Ablon & Bogart 2017, p. 1.
  14. ^ Ablon & Bogart 2017, pp. iii, 2.
  15. ^ a b Sood & Enbody 2014, p. 1.
  16. ^ Ablon & Bogart 2017, p. 2.
  17. ^ Magalhães 2024, pp. 235–236.
  18. ^ a b Magalhães 2024, pp. 239–240.
  19. ^ Jackson 2021, p. 4.
  20. ^ Lozano & Amir 2018, p. 12.
  21. ^ Sinha 2019, p. 219.
  22. ^ "Zuckerberg's Facebook page hacked to prove security flaw". CNN. August 20, 2013. Retrieved November 17, 2019.
  23. ^ Mills, Elinor (December 31, 2011). "Facebook whitehat Debit card". CNET.
  24. ^ "Testimony of John Flynn, Chief Information Security Officer, Uber Technologies, Inc" (PDF). United States Senate. February 6, 2018. Retrieved June 4, 2018.
  25. ^ "Uber Tightens Bug Bounty Extortion Policy". Threat Post. April 27, 2018. Retrieved June 4, 2018.
  26. ^ Osborne, Charlie. "Yahoo changes bug bounty policy following 't-shirt gate'". ZDNet.
  27. ^ a b Toecker, Michael (July 23, 2013). "More on IntegraXor's Bug Bounty Program". Digital Bond. Retrieved May 21, 2019.
  28. ^ a b Ragan, Steve (July 18, 2013). "SCADA vendor faces public backlash over bug bounty program". CSO. Retrieved May 21, 2019.
  29. ^ Rashi, Fahmida Y. (July 16, 2013). "SCADA Vendor Bashed Over 'Pathetic' Bug Bounty Program". Security Week. Retrieved May 21, 2019.
  30. ^ "How Zoom handled vulnerability shows the dark side of bug bounty's". ProPrivacy.com. Retrieved May 17, 2023.
  31. ^ Porup, J. M. (April 2, 2020). "Bug bounty platforms buy researcher silence, violate labor laws, critics say". CSO Online. Retrieved May 17, 2023.
  32. ^ a b Magalhães 2024, p. 246.
  33. ^ Laszka et al. 2018, p. 139.
  34. ^ Magalhães 2024, p. 237.
  35. ^ Magalhães 2024, pp. 237–238.
  36. ^ a b Laszka et al. 2016, p. 162.
  37. ^ Lozano & Amir 2018, p. 8.
  38. ^ Magazinius et al. 2021, p. 97.
  39. ^ Lozano & Amir 2018, pp. 11–12.
  40. ^ Magazinius et al. 2021, p. 96.
  41. ^ Magazinius et al. 2021, p. 95.
  42. ^ a b Magazinius et al. 2021, p. 100.
  43. ^ Libicki, Ablon & Webb 2015, pp. 46–47.
  44. ^ Maillart, Thomas; Zhao, Mingyi; Grossklags, Jens; Chuang, John (2017). "Given enough eyeballs, all bugs are shallow? Revisiting Eric Raymond with bug bounty programs". Journal of Cybersecurity. 3 (2): 81–90. doi:10.1093/cybsec/tyx008.
  45. ^ Goodin, Dan (October 9, 2013). "Google offers "leet" cash prizes for updates to Linux and other OS software". Ars Technica. Retrieved March 11, 2014.
  46. ^ Zalewski, Michal (October 9, 2013). "Going beyond vulnerability rewards". Google Online Security Blog. Retrieved March 11, 2014.
  47. ^ "Google launched a new bug bounty program to root out vulnerabilities in third-party apps on Google Play". The Verge. October 22, 2017. Retrieved June 4, 2018.
  48. ^ "Vulnerability Assessment Reward Program". Retrieved March 23, 2020.
  49. ^ Goodin, Dan (November 6, 2013). "Now there's a bug bounty program for the whole Internet". Ars Technica. Retrieved March 11, 2014.
  50. ^ Abdulridha, Alaa (March 18, 2021). "How I hacked Facebook: Part Two". infosecwriteups. Retrieved March 18, 2021.
  51. ^ "Facebook, GitHub, and the Ford Foundation donate $300,000 to bug bounty program for internet infrastructure". VentureBeat. July 21, 2017. Retrieved June 4, 2018.
  52. ^ "DoD Invites Vetted Specialists to 'Hack' the Pentagon". U.S. DEPARTMENT OF DEFENSE. Retrieved June 21, 2016.
  53. ^ "EU-FOSSA 2 - Bug Bounties Summary" (PDF).
  54. ^ Sinha 2019, pp. 3–4.
  55. ^ Laszka et al. 2016, p. 161.
  56. ^ Lozano & Amir 2018, p. 7.
  57. ^ Dutta, Payel (February 19, 2018). "Open Bug Bounty: 100,000 fixed vulnerabilities and ISO 29147". TechWorm. Retrieved April 10, 2023.
  58. ^ a b c d Magalhães 2024, p. 247.
  59. ^ a b Jackson 2021, p. 7.
  60. ^ Strout 2023, p. 36.
  61. ^ Magalhães 2024, pp. 241–242.
  62. ^ a b Libicki, Ablon & Webb 2015, p. 44.
  63. ^ Libicki, Ablon & Webb 2015, pp. 44, 46.

Cite error: A list-defined reference named "Mozilla" is not used in the content (see the help page).

Cite error: A list-defined reference named "Microsoft" is not used in the content (see the help page).

Sources

[edit]