Bug bounty program explained

A bug bounty program is an arrangement offered by many websites, organizations, and software developers under which individuals can receive recognition and compensation[1][2] for reporting bugs, especially those pertaining to security exploits and vulnerabilities.[3]

These programs allow developers to discover and resolve bugs before the general public is aware of them, reducing the risk of widespread abuse and data breaches. Bug bounty programs have been implemented by a large number of organizations, including Mozilla,[4] Facebook,[5] Yahoo!,[6] Google,[7] Reddit,[8] Square,[9] Microsoft,[10] and the Internet Bug Bounty.[11]

Organizations outside the technology industry, including traditionally conservative ones such as the United States Department of Defense, have started using bug bounty programs.[12] The Pentagon's use of bug bounties is part of a posture shift in which several US government agencies have reversed course, from threatening white hat hackers with legal action to inviting them to participate under a comprehensive vulnerability disclosure framework or policy.[13]

History

Hunter and Ready initiated the first known bug bounty program in 1981 for their Versatile Real-Time Executive operating system. Anyone who found and reported a bug would receive a Volkswagen Beetle (Bug) in return.[14]

On October 10, 1995, Netscape Communications Corporation launched a "Bugs Bounty" program for the beta version of its Netscape Navigator 2.0 browser.[15] [16] [17]

Vulnerability Disclosure Policy controversy

In August 2013, a Palestinian computer science student reported a vulnerability that allowed anyone to post a video to an arbitrary Facebook account. According to the email exchange between the student and Facebook, he tried to report the vulnerability through Facebook's bug bounty program, but his report was misunderstood by Facebook's engineers. He then demonstrated the vulnerability by posting to Mark Zuckerberg's own Facebook profile, and Facebook refused to pay him a bounty.[18] Demonstrating a bug against a live account belonging to someone else violates the rules of most bug bounty programs, which is generally why such a report forfeits a reward.

Facebook started paying researchers who find and report security bugs by issuing them custom branded "White Hat" debit cards that can be reloaded with funds each time the researchers discover new flaws. "Researchers who find bugs and security improvements are rare, and we value them and have to find ways to reward them", Ryan McGeehan, former manager of Facebook's security response team, told CNET in an interview. "Having this exclusive black card is another way to recognize them. They can show up at a conference and show this card and say 'I did special work for Facebook.'"[19] In 2014, Facebook stopped issuing debit cards to researchers.

In 2016, Uber experienced a security incident in which an individual accessed the personal information of 57 million Uber users worldwide. The individual reportedly demanded $100,000 to destroy rather than publish the data. In Congressional testimony, Uber's CISO, John Flynn, said that the company verified that the data had been destroyed before paying the $100,000.[20] Mr. Flynn expressed regret that Uber did not disclose the incident in 2016. As part of its response to the incident, Uber worked with its partner HackerOne to update its bug bounty program policies to, among other things, explain more thoroughly what counts as good faith vulnerability research and disclosure.[21]

Yahoo! was severely criticized for sending out Yahoo! T-shirts as a reward to security researchers who found and reported security vulnerabilities in Yahoo! services, sparking what came to be called "T-shirt-gate".[22] High-Tech Bridge, a Geneva, Switzerland-based security testing company, issued a press release saying Yahoo! offered $12.50 in credit per vulnerability, which could be used toward Yahoo-branded items such as T-shirts, cups and pens from its store. Ramses Martinez, director of Yahoo's security team, later explained in a blog post[23] that he was behind the voucher reward program and that he had essentially been paying for the items out of his own pocket. Eventually, Yahoo! launched a new bug bounty program on October 31 of the same year, allowing security researchers to submit bugs and receive rewards of between $250 and $15,000, depending on the severity of the bug discovered.[24]

Similarly, when Ecava released the first known bug bounty program for ICS in 2013,[25][26] it was criticized for offering store credits instead of cash, which critics argued does not incentivize security researchers.[27] Ecava explained that the program was intended to be initially restrictive and focused on the human safety perspective for users of IntegraXor SCADA, its ICS software.

Some bug bounty programs have been criticized as tools to prevent security researchers from publicly disclosing vulnerabilities, by making participation in the program, or even the grant of legal safe harbor, conditional on abusive non-disclosure agreements.[28][29]

Geography

Though submissions for bug bounties come from many countries, a handful of countries tend to submit more bugs and receive more bounties. The United States and India are the top countries from which researchers submit bugs.[30] India, which has either the largest or the second largest number of bug hunters in the world, depending on which report one cites,[31] topped the Facebook Bug Bounty Program with the largest number of valid bugs:[32] in 2017, India had the highest number of valid submissions to Facebook's Whitehat program, followed by the United States and Trinidad and Tobago.

Notable programs

In October 2013, Google announced a major change to its Vulnerability Reward Program. Previously, it had been a bug bounty program covering many Google products. With the change, the program was broadened to include a selection of high-risk free software applications and libraries, primarily those designed for networking or for low-level operating system functionality. Submissions that Google judged to meet its guidelines were eligible for rewards ranging from $500 to $3,133.70.[33][34] In 2017, Google expanded the program to cover vulnerabilities found in applications developed by third parties and distributed through the Google Play Store.[35] Google's Vulnerability Reward Program now covers vulnerabilities in Google, Google Cloud, Android, and Chrome products, with rewards of up to $31,337.[36]

Microsoft and Facebook partnered in November 2013 to sponsor The Internet Bug Bounty (IBB), a program offering rewards for reports of vulnerabilities and exploits in a broad range of Internet-related software.[37] In 2017, Facebook, GitHub and the Ford Foundation sponsored the initiative, which is managed by volunteers, including people from Uber, Microsoft, Adobe, HackerOne, GitHub, NCC Group, and Signal Sciences.[38] The software covered by the IBB includes Adobe Flash, Python, Ruby, PHP, Django, Ruby on Rails, Perl, OpenSSL, Nginx, Apache HTTP Server, and Phabricator. In addition, the program offered rewards for broader exploits affecting widely used operating systems and web browsers, as well as the Internet as a whole.[39]

In March 2016, Pentagon press secretary Peter Cook announced the US federal government's first bug bounty program, "Hack the Pentagon".[40] The program ran from April 18 to May 12, 2016; more than 1,400 people took part and 138 unique valid reports were submitted through HackerOne. In total, the US Department of Defense paid out $71,200.[41]

In 2019, the European Commission announced the EU-FOSSA 2 bug bounty initiative for popular open source projects, including Drupal, Apache Tomcat, VLC, 7-Zip and KeePass. The project was co-facilitated by the European bug bounty platform Intigriti and by HackerOne, and resulted in a total of 195 unique, valid vulnerabilities.[42]

Open Bug Bounty is a crowdsourced security bug bounty program, established in 2014, that allows individuals to post website and web application security vulnerabilities in the hope of a reward from the affected website operators.[43]

Notes and References

  1. HackerOne. "The Hacker-Powered Security Report: Who are Hackers and Why Do They Hack", p. 23. 2017. Retrieved 5 June 2018.
  2. Ding, Aaron Yi; De Jesus, Gianluca Limon; Janssen, Marijn. "Ethical hacking for boosting IoT vulnerability management". Proceedings of the Eighth International Conference on Telecommunications and Remote Sensing (ICTRS '19), Rhodes, Greece. ACM Press, 2019, pp. 49–55. doi:10.1145/3357767.3357774. arXiv:1909.11166. ISBN 978-1-4503-7669-3. S2CID 202676146. http://dl.acm.org/citation.cfm?doid=3357767.3357774
  3. Weulen Kranenbarg, Marleen; Holt, Thomas J.; van der Ham, Jeroen. "Don't shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure". Crime Science 7(1):16, 19 November 2018. doi:10.1186/s40163-018-0090-8. S2CID 54080134. ISSN 2193-7680. Open access.
  4. Mozilla. "Mozilla Security Bug Bounty Program". 9 July 2017.
  5. Facebook. "Meta Bug Bounty programme info". n.d. Retrieved 17 October 2023.
  6. HackerOne. "Yahoo! Bug Bounty Program". 11 March 2014.
  7. "Vulnerability Assessment Reward Program". 11 March 2014.
  8. Reddit. "Reddit - whitehat". 30 May 2015.
  9. HackerOne. "Square bug bounty program". 6 August 2014.
  10. Microsoft. "Microsoft Bounty Programs". Security TechCenter. Archived from the original on 21 November 2013 at https://wayback.archive-it.org/all/20131121090336/http://technet.microsoft.com/en-US/security/dn425036. Retrieved 2 September 2016.
  11. HackerOne. "Bug Bounties - Open Source Bug Bounty Programs". 23 March 2020.
  12. "The Pentagon Opened up to Hackers - And Fixed Thousands of Bugs". Wired, 10 November 2017. Retrieved 25 May 2018.
  13. Cybersecurity Unit, Computer Crime & Intellectual Property Section, Criminal Division, U.S. Department of Justice. "A Framework for a Vulnerability Disclosure Program for Online Systems". July 2017. Retrieved 25 May 2018.
  14. "The first "bug" bounty program". Twitter, 8 July 2017. Retrieved 5 June 2018.
  15. "Netscape announces Netscape Bugs Bounty with release of Netscape Navigator 2.0". Internet Archive; archived from the original on 1 May 1997 at https://web.archive.org/web/19970501041756/http://www101.netscape.com/newsref/pr/newsrelease48.html. Retrieved 21 January 2015.
  16. "Bounty attracts bug busters". CNET, 13 June 1997. Retrieved 17 October 2023.
  17. Friis-Jensen, Esben. "The History of Bug Bounty Programs". Cobalt.io, 11 April 2014. Archived from the original on 16 March 2020 at https://web.archive.org/web/20200316125316/https://blog.cobalt.io/the-history-of-bug-bounty-programs. Retrieved 17 October 2023.
  18. "Zuckerberg's Facebook page hacked to prove security flaw". CNN, 20 August 2013. Retrieved 17 November 2019.
  19. Mills, Elinor. "Facebook whitehat Debit card". CNET.
  20. "Testimony of John Flynn, Chief Information Security Officer, Uber Technologies, Inc." United States Senate, 6 February 2018. Retrieved 4 June 2018.
  21. "Uber Tightens Bug Bounty Extortion Policy". Threatpost, 27 April 2018. Retrieved 4 June 2018.
  22. Osborne, Charlie. "Yahoo changes bug bounty policy following 't-shirt gate'". ZDNet.
  23. Martinez, Ramses. "So I'm the guy who sent the t-shirt out as a thank you". Yahoo Developer Network, 2 October 2013.
  24. Martinez, Ramses. "The Bug Bounty Program is Now Live". Yahoo Developer Network, 31 October 2013.
  25. Toecker, Michael. "More on IntegraXor's Bug Bounty Program". Digital Bond, 23 July 2013. Retrieved 21 May 2019.
  26. Ragan, Steve. "SCADA vendor faces public backlash over bug bounty program". CSO, 18 July 2013. Retrieved 21 May 2019.
  27. Rashid, Fahmida Y. "SCADA Vendor Bashed Over 'Pathetic' Bug Bounty Program". SecurityWeek, 16 July 2013. Retrieved 21 May 2019.
  28. "How Zoom handled vulnerability shows the dark side of bug bounty's". ProPrivacy.com. Retrieved 17 May 2023.
  29. Porup, J. M. "Bug bounty platforms buy researcher silence, violate labor laws, critics say". CSO Online, 2 April 2020. Retrieved 17 May 2023.
  30. HackerOne. "The 2019 Hacker Report". 23 March 2020.
  31. "Bug hunters aplenty but respect scarce for white hat hackers in India". Factor Daily, 8 February 2018. Archived from the original on 22 October 2019 at https://web.archive.org/web/20191022134027/https://factordaily.com/india-bug-bounty-superpower/. Retrieved 4 June 2018.
  32. "Facebook Bug Bounty 2017 Highlights: $880,000 Paid to Researchers". Facebook, 11 January 2018. Retrieved 4 June 2018.
  33. Goodin, Dan. "Google offers "leet" cash prizes for updates to Linux and other OS software". Ars Technica, 9 October 2013. Retrieved 11 March 2014.
  34. Zalewski, Michal. "Going beyond vulnerability rewards". Google Online Security Blog, 9 October 2013. Retrieved 11 March 2014.
  35. "Google launched a new bug bounty program to root out vulnerabilities in third-party apps on Google Play". The Verge, 22 October 2017. Retrieved 4 June 2018.
  36. "Vulnerability Assessment Reward Program". 23 March 2020.
  37. Goodin, Dan. "Now there's a bug bounty program for the whole Internet". Ars Technica, 6 November 2013. Retrieved 11 March 2014.
  38. "Facebook, GitHub, and the Ford Foundation donate $300,000 to bug bounty program for internet infrastructure". VentureBeat, 21 July 2017. Retrieved 4 June 2018.
  39. HackerOne. "The Internet Bug Bounty". 11 March 2014.
  40. U.S. Department of Defense. "DoD Invites Vetted Specialists to 'Hack' the Pentagon". 21 June 2016.
  41. HackerOne. "Vulnerability disclosure for Hack the Pentagon". 21 June 2016.
  42. "EU-FOSSA 2 - Bug Bounties Summary".
  43. Dutta, Payel. "Open Bug Bounty: 100,000 fixed vulnerabilities and ISO 29147". TechWorm, 19 February 2018. Retrieved 10 April 2023.