What exactly is a Bug Bounty?

In the Wild West, when outlaws roamed the land, local sheriffs did not have the resources to track them down alone. So they put up “Wanted” posters, offering a fairly handsome reward for their capture.


Thus began the concept of “bounty hunting”. A bounty hunter captures fugitives for a monetary reward, a.k.a. a bounty. Other names, mainly used in the United States, include bail enforcement agent and fugitive recovery agent.

From capturing notorious criminals, bounty hunting has since made its way into information technology as well.

Software companies pay a certain amount (the bounty) to the security researcher (the bounty hunter) who finds critical “bugs”, i.e. vulnerabilities, in their software. This is known as a “bug bounty”.

The concept was first conceived by Netscape in 1995. Programs and vulnerability-purchase initiatives that followed include iDefense (2002), Mozilla Firefox (2004), ZDI (2005), Pwn2Own (2007), Google Chromium (2010) and Facebook (2011).

This is a very lucrative field for information security enthusiasts and researchers. When a security researcher reports a valid vulnerability in an application, the organization that develops it pays the researcher a bounty, instead of just saying a simple thank you.

Bug bounties give researchers a platform to improve their skills and experience and to get rewarded for it. Not only do you get rewarded for finding vulnerabilities, but you may also get your name listed in the company’s Hall of Fame. Doesn’t that sound great?


Why do companies organize bug bounty programs?

The answer is simple: to be more secure. By running such a program, a company invites many security researchers around the world to look for vulnerabilities in the target applications. Every security researcher has his/her own methodology for finding bugs, which yields broader security coverage of the application than a single internal team could achieve. One more important thing is that bug bounties encourage young and talented security researchers to showcase their talent, apply their skills to real-world applications and learn immensely in the process.

A few companies that run bug bounty programs are:

  • Google
  • Microsoft
  • Facebook
  • PayPal
  • Mozilla, and many more.


So, what types of vulnerabilities are accepted?

It all depends on the impact of the vulnerability on the application. From my experience, the major vulnerability classes that companies want identified when offering a bug bounty are:

1. Remote Code Execution

2. SQLi

3. Authentication Bypass

4. Privilege Escalation

5. XSS (All flavours)

6. CSRF

7. Clickjacking

8. Unvalidated Redirects and Forwards

This does not mean that only these vulnerabilities are accepted. Companies pay a bounty only for a previously unknown security vulnerability of sufficient severity, and the higher the severity, the higher the amount paid. It may be considered good part-time work for security researchers, as they get exposed to real-world applications and get paid in the process.


Why are these programs successful?

This is mainly because of the participation of both the white hat (ethical hacker) and black hat (unethical hacker) communities. White hat hackers mostly participate in these programs to learn and get paid. The strategy of black hat hackers is the same, but they concentrate more on the bounty part. If a black hat hacker finds a vulnerability, he has a choice between responsibly reporting it to the organization and selling it on the black market. So it is important for companies and organizations to publish clear program rules for these “bounty hunters” (what is in scope, what testing is permitted, how and when to report) and to monitor testing activity against those rules.

One more lucrative attraction is that once a valid vulnerability is reported, the finder’s name makes it into the company’s Hall of Fame, which increases his/her reputation in the community.

So, join the hunt, let your name be listed in the Halls of Fame and your pockets be filled 🙂

Written By,

Attack & PenTest Team,

Varutra Consulting