What are bug bounty programs and why should corporates care about them?


You might have heard of it before and might not be sure what it’s about exactly. But bug bounty programs remain an important and effective part of cybersecurity, particularly for companies. So what is a bug bounty program? How does one help cybersecurity? Here’s what you need to know.

The first known bug bounty program was run in 1983 by Hunter & Ready. At the time, the program offered a Volkswagen Beetle to anyone who found and reported any issues. Years later, a technical support engineer at Netscape by the name of Jarrett Ridlinghafer coined the term “bugs bounty”.

Following the “Netscape Bugs Bounty Program” in 1995, the idea grew over the years and more companies embraced the concept. Today, it’s seen as an effective way to polish up tech-based products and patch up any loopholes in the digital space.

Some of the most notable bug bounty programs

Facebook

The social media giant has had a bug bounty program for a few years now. You’re eligible for a minimum payout of $500 for reporting a bug, provided none of the program’s policies are breached. For example, if you report on Denial of Service attacks or Social Engineering attacks, you’re ineligible for a reward. The program extends to Instagram, WhatsApp, Internet.org, Oculus, Onavo, and other open-source projects by Facebook.

Google

Google’s vulnerability rewards program offers a minimum payout of $100 all the way up to a maximum of $31,337. According to Google, any “design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program”. This includes attacks such as XSS, cross-site request forgery, server-side code execution bugs, etc.

In 2013, Google opened its program to allow select high-risk free software applications and libraries. About 4 years later, Google extended this further to cover third-party apps available on the Google Play Store.

Mozilla

Mozilla kicked off its bug bounty program way back in 2004. Currently, the not-for-profit organization operates two bug bounty programs. The first program, the “Client Bug Bounty Program” caters to vulnerability reporting for publicly released versions of Firefox. The second is a “Web and Services Bug Bounty Program”. This is where the organization invites security researchers to report remote code execution bugs affecting critical websites. Rewards range from a minimum of $100 to a maximum of over $10,000.

Netflix

Netflix is quite recent to the bug bounty scene. The company launched its bug bounty program in March 2018. Reports pertaining to XSS, CSRF, SQLi or other similar vulnerabilities qualify for a reward. Of course, this is only as long as these reports are specific to any of the company’s services. Payout ranges from $200 to a maximum of $200,000.

Microsoft

In July 2017, Microsoft launched the Windows bug bounty program. This covered bug reports relating to the Windows Insider Preview. Of course, the company has a few other bug bounty programs as well. Security researchers that discover Mitigation bypass issues or critical remote code execution in Hyper-V can expect a payout as big as $250,000.

Pentagon

The US federal government kicked off its first bug bounty program back in 2016. “Hack the Pentagon” is designed to identify and resolve security vulnerabilities in public domain websites maintained by the United States Department of Defense. The framework was created in partnership with HackerOne.

Over the 3 years since inception, the program has expanded to cover other departments such as the US military through the “Hack the Army” bug bounty. Payout usually ranges from a minimum of $100 to a maximum of $15,000.

Mishandled bug bounty programs can hurt companies

As is evident, companies from around the world look to bug bounty programs as part of a good security strategy. But that doesn’t mean these programs are without their flaws.

Take the case of Khalil Shreateh. In August 2013, Khalil discovered a vulnerability on Facebook. This vulnerability allowed users to post to any user’s page, even to ones not on the Friends list. Such a loophole would enable scammers to thrive on a massive scale on the social network. Khalil reported the bug, but he did not qualify for a reward under Facebook’s White Hat program. Legally, the company may have been in the right, but the situation could have been handled differently, particularly if companies aim to encourage security researchers to help them find security loopholes.

Sometimes, mismanaged bug bounty programs can actually backfire on the company. This is exactly what happened with Yahoo. In 2013, a Swiss-based company called High-Tech Bridge discovered several XSS vulnerabilities on the marketingsolutions.yahoo.com, ecom.yahoo.com, and adserver.yahoo.com domains. As a reward for reporting the said vulnerabilities, Yahoo offered the Swiss company $12.50 for each vulnerability in the form of a discount code for the Yahoo Company Store. In other words, Yahoo offered t-shirts.

Following the public backlash, Ramses Martinez, Director of the Yahoo Paranoids security team, offered an explanation. In a blog post, Martinez stated: “I started sending a t-shirt as a personal ‘thanks.’ It wasn’t a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money. It wasn’t about the money, just a personal gesture on my behalf. At some point, a few people mentioned they already had a t-shirt from me, so I started buying a gift certificate”. Then again, Yahoo is not known for its top-notch security.

Mismanaged bug bounty programs can also come in the form of inadequate policy. In 2016, an attacker gained access to 57 million Uber users’ personal information. The individual held the information for a ransom of $100,000. In congressional testimony, Uber CISO John Flynn stated that the attackers were paid the $100,000 through the company’s bug bounty program, but that the data had already been deleted prior to the payment. In response to the incident, Uber worked together with HackerOne to update the existing bug bounty program policy. This aimed to address aspects such as what constitutes good faith vulnerability research and disclosure.

So, should your company have its own bug bounty program?

Of course, bug bounty programs aren’t limited to tech giants. Having a lot of resources at your disposal helps in establishing a successful bug bounty program, but a bug bounty program done right can help your company immensely in the long run. For starters, it could save money in the long term when it comes to patching loopholes and upgrading the existing system’s security level. It could also save time and reduce the need for specifically skilled labor in handling security.

But this isn’t just about offering monetary rewards to security researchers. As the Facebook incident showed, proper communication between the company and any security reporter is crucial. Perhaps even more important is establishing a clear and concise policy. Uber suffered as a result of a loophole in the company’s bug bounty policy. A strong policy combined with effective communication can go a long way in establishing a successful bug bounty program.