What is a bug bounty?
A bug bounty is a way for a company to have the security of its applications tested by well-intentioned hackers, by rewarding them for every bug or vulnerability they report. The practice is increasingly talked about: many organisations already use it as a complement to their usual tests to check the security of their applications. The latest one is the Pentagon, which launched its bug bounty program at the beginning of March.
The aim of a bug bounty is to create a virtuous cycle: companies benefit from continuous security testing while paying only for bugs that are actually found, and hackers earn money and reputation.
However, one must realise that a bug bounty cannot on its own replace the other security tests companies usually perform: it is complementary to penetration tests, IT security audits and other hardening measures.
A bug bounty program can run for a limited time or have no scheduled end. The aim is to benefit from continuous security monitoring. That is one of the differences between bug bounties and other security tests, such as penetration tests, which are carried out over very short periods.
Another difference lies in the tested scope. During a penetration test the scope is defined and limited in advance; moreover, in some cases the testers look for vulnerabilities while authenticated on the application (grey box testing). Most bug bounty programs use black box testing, meaning that participants have no particular information about the application and may test all of it. On dedicated platforms it nevertheless remains possible to run a program closer to a penetration test, with a restricted scope or authenticated access.
Also, people taking part in a bug bounty will not go as deep in their research as penetration testers paid for an engagement. The latter work full time, for a week for instance, on a single application: they therefore have the time to, and must, explore every possibility. That is not the case during a bug bounty, where research is spread across many programs and is therefore much broader and shallower.
Bug bounty: from 1995 to this day
The first bug bounty was launched in 1995 and was organised by Netscape. A company engineer noticed that the community around Netscape products was very lively, and included engineers correcting bugs and publishing their patches. He had the idea of harnessing this enthusiasm, and Netscape thus started to distribute t-shirts as a reward to people disclosing bugs directly to the company. This approach was then used, sporadically, by other companies (iDefense, Mozilla, TippingPoint…).
However, bug bounties only became widely recognised and used in 2007, with the first Pwn2Own. During this now annual event, security researchers try to compromise computers running different operating systems, browsers and software. The vulnerabilities used are privately disclosed to the vendors so that they can fix them; the researchers win the computers and other potential rewards.
In 2010, Google launched its first bug bounty on web applications, which definitively launched the trend worldwide. Other companies followed, such as Facebook, which created its "whitehat" program in 2011, offering rewards of at least 500 dollars. These two companies, along with Microsoft, are notably known for their generous rewards.
To ease exchanges between companies and hackers, and to give every company visibility, bug bounty platforms have been created over the years (such as HackerOne, the best known). These platforms are mainly American, since the bug bounty practice is for now more developed in the United States than anywhere else.
In Europe, it has yet to take off, but a first (French) bug bounty platform was launched on January 22nd: Bounty Factory.
Bug bounty platforms: how does it work?
At a company’s request
There are many platforms, but no big differences in the way they work. When a company launches a program, it defines a minimum reward (scaled according to the criticality of the flaw), some rules (for instance, no DDoS), and a testing scope if need be. It can also decide to open its program to all members of the platform, or to invite only the top-ranked researchers (a private program).
The platform's members then try to find bugs, vulnerabilities or exploits in the applications under test. When a bug is found, the finder writes a report for the company. The company decides whether the report is valid and whether the problem must be patched: if so, points are awarded to the finder. The point system depends on the platform: some use a standard severity scale, on others the company must grade the hacker according to the criticality of the vulnerability or the quality of the report. Thanks to this point system, members are ranked: that is how some gain reputation and access to more selective programs, reserved for instance for the platform's top 30 hackers.
The person who found the bug will also receive his or her reward. It is a significant motivation, scaled of course to the size of the company. Programs offering no monetary reward do not work as well as others, especially when they are launched by large companies (such as General Motors or Yahoo).
It should also be noted that vulnerabilities disclosed to companies are not always made public. It depends on the platform: HackerOne allows reports to be publicly disclosed once the company agrees, but on other websites the only information exposed is the name of the hackers and their rewards. Publication benefits the tester, who gains visibility, and the company, which shows how much it rewards its helpers, encouraging other hackers to test its application. When a company launches a bug bounty without using a platform, it can decide which way to go. Google, for instance, discloses vulnerabilities found through its program once they are fixed. Researchers also publish blog write-ups of unusual vulnerabilities, or ones that are particularly interesting to experts.
Bug bounty: other platforms
Not all bug bounty platforms let companies launch their own program. Some are autonomous, like Zerodium. This platform offers rewards (announced on its website as the highest on the market) in exchange for previously unknown, high-risk vulnerabilities and exploits in a major operating system, piece of software or device on the market. The affected vendors are not involved. Zerodium then sells this information to its clients, who can protect themselves from the vulnerabilities but do not disclose them to the vendors. The bugs found are therefore not patched for everyone.
Other brokers take a middle path and only delay disclosure to the vendors. This is for instance the case of Exodus Intelligence, which sells reports to its clients, for them either to protect themselves or to use the information to attack another site, and then makes the bug public within 2 years. This gives the platform's clients a head start before publication of the vulnerability and its potential wave of protection and exploitation, while still giving the vendors the opportunity to eventually patch the flaw.
Image source: https://www.exodusintel.com/capabilities.html
Bug bounty, towards a safer Web
The practice of bug bounties will no doubt keep growing and changing over time. At first, the vulnerabilities found were mainly basic ones (XSS, SQL injection), but today the general level is higher, with better-quality reports.
Of course, the idea of letting anyone test one's application can be scary, but no major incident attributable to this practice has been reported so far. The multiplication of testing methods is a very positive trend, which will progressively improve the general security of the Web.