Bug Bounty Programs


Akash
Apr 25, 2014, 5:53:33 AM
to null-...@googlegroups.com
Hello,

Copying what Rahul posted on another thread.


"a debate about bug bounty programs: the present, the future and the various
scope of bounty hunting. Since bug bounty programs have made a lot of
transitions in the security industry, it would be cool to brainstorm on this
topic.

For example, there was a lot of hacktivism in the Indian hackspace from
2006 - 2011; you can't see that anymore. Similarly, a lot of other things
changed. I am curious to know the community's viewpoint on this."


My personal take: a lot of bug bounties are about finding low-hanging fruit,
and as long as the bounty hunters understand that there is a lot more to
security than making a lot of bounty, and that the hall of fame is just some
bits and bytes in the virtual world, then it is good.

But since I haven't made any substantial amount of money doing bug bounties
I can be termed an old fogey. Which is cool too. :)


--
Warm regards,
Akash Mahajan

That Web Application Security Guy | +91 99 805 271 82
akashm.com | @makash on twitter | linkd.in/webappsecguy
OWASP Bangalore Chapter Lead | null Community Manager

Jose
Apr 25, 2014, 6:16:23 AM
to null-...@googlegroups.com
This is interesting! And yes, you are right, Akash. During 2006-2011 it was all about defacing the opponent country's sites. Now MONEY comes into priority, and every bug hunter, including black hats, has inducted themselves into bug hunting. But the worst thing is that they claim themselves to be the world's best security researchers/hackers because they attain a few Hall of Fame entries and all! There are some true researchers who truly contribute to information security by breaking and building better security, unlike kiddies who are aware of simple XSS, XSRF, clickjacking and nothing more, doing silly bug bounties and HOF and begging for rewards/T-shirts etc.!
This activity defames the real information security field!

Kids show off with their XSS in bug bounty sites; give them a medium-level XSS challenge to solve and they are gone :)
And the worst part is when kiddies find a simple vulnerability in Facebook, Google or anything and the security team of the concerned company fails to reply, or calls it a duplicate, or says it is not eligible; the kiddies go crazy and start blabbering "Oh! Poor security team of Facebook, Google, you guys are cheats, you don't know anything. I am gonna hack you, no more reports" etc., etc.
See?! Genius employees who work at Facebook, Google are idiots, but these kids who get HOF are the geniuses :D
Some genius finds HEARTBLEED, some researcher understands it and builds a tool to test for the HEARTBLEED vulnerability, KIDDIES use the tool and call themselves
"SECURITY RESEARCHERS" without even understanding what the hell the HEARTBLEED vulnerability means!

I would like to hear from others too. Keep up this discussion.

Rahul Sasi
Apr 25, 2014, 6:16:57 AM
to null-...@googlegroups.com
Thanks Akash for starting this thread.

When I started with my consulting job, I used to do a lot of security audits for many government organizations. My company got those projects mainly because the government organizations' public websites were hacked by some hackers. To me, all the hacktivism and malware-related news played some role in getting projects for this industry. I'm curious to know from people heading security companies what the business is like right now :).

So is the future going to be that companies will start bug bounties instead of going for a third-party security audit?





--
_______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.




arpit gupta
Apr 25, 2014, 6:20:09 AM
to null-...@googlegroups.com
Fully agree with you, Jose.


Anil Aphale
Apr 25, 2014, 6:34:45 AM
to null-...@googlegroups.com
I won't say bounties are bad or should not be there; we have seen much quality research coming out through bounties.
E.g. karniv0r found XSPA during his bug bounty hunting, so yes, he did research on this, because this vulnerability was not known to anyone.

Many people find XSS, CSRF or any OWASP Top 10 issue in Google, Facebook, etc., but since these techniques are known, you are not a researcher but just a user of that technique. Also, I might be wrong, but people into bug bounties are just running behind money, which is not allowing them to do research.

In my opinion the flow should be something like this:

Find a new type of vulnerability & research on it ---> check if that is affecting Google, Facebook ---> you get research tagged with your name + bounty amount (so you learned + earned)





surya subhash
Apr 25, 2014, 6:38:56 AM
to null-...@googlegroups.com
Well, to be frank, these bug bounty programs have become a scam. The companies have started scamming hunters by just saying it's a duplicate. A good example is a company called HELPSCOUT: if you report a vulnerability they say it's a duplicate, and you can see it's fixed in the next update.


--------------
Regards,
P.B.Surya.Subhash.

Shubham Mittal
Apr 25, 2014, 6:39:27 AM
to null-...@googlegroups.com
One point I always feel about why bug bounties can never take over the traditional pen-testing companies is this: when you put your application on a bug bounty or responsible disclosure program, you don't know what tools are going to test your site, what invasive policies are going to be used, blah blah. Many of the bounty hunters are new ones, who don't know how to keep things safe while testing. For instance, they won't even mind dropping a DB too, and if they don't get a response in 2-3 days they might even go public with abuses and show-off blogs (which Jose mentioned).

But when a pen-testing company is hired, you tell your vendor what kind of environment will be tested, i.e. production / non-production. So the assessment is done in a more responsible manner. In the end, you can easily rely on these vendors.

I also do not overlook the unique and cool bugs smart guys have uncovered in internet giants, but there must be some concrete solutions for new guys who don't understand all this and are pretty much happy with an XSS without even understanding how to exploit it.


Shubham Mittal
Information Security Researcher



Praveen Kumar
Apr 25, 2014, 6:41:54 AM
to null-...@googlegroups.com
Just to give an insight about quality vs quantity:

“India contributed the largest number of valid bugs at 136, with an average reward of $1,353. The US reported 92 issues and averaged $2,272 in rewards,” Facebook said in a post.

Ref: http://www.thehindubusinessline.com/features/smartbuy/social-media/india-leads-the-race-in-reporting-bugs-on-facebook-in-2013/article5871441.ece

I have no problem with people going after low-hanging fruit; what I am interested in is seeing these researchers move up the value chain, both in terms of quality of bugs and payment. As the fruit gets higher, those who adapt will move up the value chain; the rest will perish.

Also, I disagree that bug bounties can COMPLETELY replace third-party pen-testing. To an extent yes, but not completely.



arpit gupta
Apr 25, 2014, 6:42:08 AM
to null-...@googlegroups.com
Even I found some issues in FB, Shopify and many others. FB said it's intended behaviour; my concern is, if it is not a security issue, then why did you patch it, in only two days?


webDEViL
Apr 25, 2014, 7:06:31 AM
to null-...@googlegroups.com
I love bounties. It's so exciting! We get $$$. For a nation like ours, 1 to 60 is a good return. Killing your social life for clickjacking/fuzzing is the way to go!
I would even want my company to pay me per bug that I find, in all those assessments that I do.

It doesn't really matter if I understand the bug or not. It's about the people that I submit the bug to! It's their software, they should understand the bug better! And why do you want to see Shikari Shambus move ahead? What have you researched yourself? Huh?! Tell me! See... Blasphemy, I say!

And those PayPal dupes! I know for sure PayPal is running out of funds and they want to mark duplicates to save money. And those issues that I found in blogger.com/googleusercontent.com are non-issues, they say! Wait till some blackhat exploits them. I am being nice by not writing exploits for them. But time will tell... don't come back to me then.

All in all, you people are just jealous that you couldn't find the bugs that others have found! Pizdets!




--
Regards,
webDEViL

webDEViL
Apr 25, 2014, 7:16:31 AM
to null-...@googlegroups.com
Rahul,
It's sad if that's how we get projects in the industry, and even sadder if we count on those to get projects!
I hope, for the better of us, people stick to bug bounties rather than hacktivism then!

webDEViL
Apr 25, 2014, 7:22:13 AM
to null-...@googlegroups.com
Anil,

Just for clarity: what you term XSPA was already documented even before Riyaz presented it (the Russians know it all); one such example is https://media.blackhat.com/bh-dc-11/Nunez%20Di%20Croce/BlackHat_DC_2011_NunezDiCroce_Onapsis-wp.pdf
(Much love to Riyaz nonetheless!)



Manjunath K P
Apr 25, 2014, 8:01:18 AM
to null-...@googlegroups.com
to null-...@googlegroups.com

I agree bug bounties are good. Since I work for a decent salary and a very good employer who takes care of me well, I am not worrying about the money and do not have any intention to participate there :)

But bug bounties can never replace the traditional way of security testing, for many reasons, from data to NDA, repeatability to maintainability. My question is: why would anyone worry if someone gets the low-hanging fruit? After all, at the end of the day the quality of the application matters. If someone finds a unique or great bug, let him get good rewards :)

Rather than this, it would be good if the discussion went towards the pros and cons of bug bounties: mindset, setting the expectation, conclusion, etc.

As per me, everyone is equal, either a script kiddie or a researcher, as long as he is contributing to the pen-testing world in his own way.


/Manju

ManJAX
9886230099

fyoorer
Apr 25, 2014, 8:58:20 AM
to null-...@googlegroups.com
There is a good side to bug bounty programs: more and more people are getting involved in infosec at a very young age. Many people I see who participate in bug bounties are in college or just starting their jobs. That is good, because they get to know which field they want to make their careers in. As the greed for money wanes, they will hopefully start understanding the bigger picture of the infosec world, and they will still have age in hand to be more creative and do R&D and stuff.

On the other hand, it is creating very poor quality "security researchers". The other day I saw a guy reporting "Password auto-complete ON" and getting a reward for it; I was laughing for a full 5 minutes :-D (it is a valid finding for a security analysis, but still...).

What I think needs to be done is that HoF entries should be limited to good, creative bugs, while continuing the monetary rewards for all types of bugs (lame and otherwise). That will keep these bug hunters interested, as they will be getting all the $$ they want, and it will keep the good ones motivated enough till they get their names on the HoF.

-Fyoorer


TAS
Apr 25, 2014, 9:04:32 AM
to null-...@googlegroups.com
This is purely my opinion and not intended at poking anyone. So no rant please.

Bounties are good. I think the whole idea behind bounties was to crowd-source pen testing. The more people dig, the more you can unearth. And that's true most of the time. If a client gets a pentest done by company A and then gets an independent evaluation done by company B, you are bound to get a difference in the results. Pentesting to me is more of a creative process, and the difference is obvious.

Even if SQL, XSS, CSRF were researched by someone else, someone who finds it for the first time and understands what he is doing is still doing his own research. Are you saying that when you found SQL for the first time you were not excited? And if you find that today you choose to ignore it? For the people who fuzz popular software, are you saying that you really researched a new attack technique and coded a fuzzer to look for the new attack? C'mon, you still look for the same overflows, ASLR and DEP bypasses etc. etc. which someone else researched. You just apply that research in your work. So why is only researching absolutely new stuff talked about? Though it is good, and if you do, you will always be attributed for discovering or maybe even inventing it. And that is a sort of sense of accomplishment about what you have researched and eventually mastered the art of. Research is a broad term.

Doing a full-fledged pentest is far more comprehensive than just poking at bugs in popular websites for $$$ or fame. Money motivates the majority of the masses. The only downside that I see to bug bounties is that people have started honing their skills for finding only bugs and not for being a comprehensive pentester. And that should be a bigger concern in my opinion.

If people start using bug bounties as a platform to fast-learn the art of pentesting and also get paid for it, there is nothing like it. But they should move on to become more skilled and do their job more comprehensively. And why only look for bugs? For me it is a good platform to learn how the most popular websites implement security. The learning curve is really high.


-
TAS
http://twitter.com/p0wnsauc3

Anil Aphale
Apr 25, 2014, 10:14:14 AM
to null-...@googlegroups.com
@TAS: Agreed on your point... but here, fuzzing or writing a traditional DEP/ASLR-bypass exploit is not research; finding a new way to do it is the research.

Let's say bypassing DEP/ASLR without a memory leak/disclosure is research, because you found a new way to do it.

Let's take this in a web app sec way, as many people here might not be well versed with memory corruption bugs.

Finding XSS, SQLi is not research; instead, bypassing WAF, SQLi, XSS filters will be research: finding new payloads which can bypass some filters added to prevent them.

webDEViL
Apr 25, 2014, 1:56:09 PM
to null-...@googlegroups.com

No, seriously, TAS didn't compare those... did he?
In simple terms, the basic difference here is 2+2 vs integration/differentiation. Your choice on what you think is difficult.

Rahul Sasi
Apr 25, 2014, 2:12:07 PM
to null-...@googlegroups.com

"In simple terms, the basic difference here is 2+2 vs integration/differentiation. Your choice on what you think is difficult."

I think everyone's choice is the same here: integration/differentiation is hard; bad choice of example, W3bdevil :D.

I don't think there needs to be a bias about how big or small the bug is based on how hard it is to understand; as long as it can cause damage to products and companies, it should be rated high. For example, an XSS filter bypass escaping PHP's htmlencode() function is as critical as a new ASLR/DEP bypass for me.

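The "filter bypass" Rahul refers to usually comes down to an encoder being used in an output context it was not written for, rather than to a flaw in the encoder itself. The block below is an added illustration, not code from any poster in this thread or from PHP: a naive encoder modelled on htmlspecialchars() without ENT_QUOTES (the only assumption made about it is the four characters it handles), rendered into double-quoted, single-quoted and unquoted attribute values by a hypothetical template, beside an attribute encoder that holds in all three contexts. It runs under Node.js with no dependencies; the payloads are constructed for the example.

```javascript
// Added example, not from any post in this thread: the same encoder is safe in
// one attribute context and "bypassed" in another. Node.js, no dependencies.

// Naive encoder modelled on PHP htmlspecialchars() without ENT_QUOTES: it
// handles & < > " but leaves the single quote untouched (assumption about the
// encoder being discussed; the thread names no specific function).
function naiveHtmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Attribute-context encoder: every non-alphanumeric character becomes a
// numeric character reference, so no delimiter (', ", whitespace, >) can
// survive into the markup, whatever quoting style the template uses.
function attrEncode(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, function (ch) {
    return '&#x' + ch.charCodeAt(0).toString(16).toUpperCase() + ';';
  });
}

// Does the encoded value still contain the character that terminates the
// attribute in this context? If so, the attacker controls markup after it.
function breaksOut(encodedValue, quoteChar) {
  if (quoteChar === '') {
    // unquoted attribute: any whitespace or '>' ends the value
    return /[\s>]/.test(encodedValue);
  }
  return encodedValue.indexOf(quoteChar) !== -1;
}

// Hypothetical server-side template: an <input> whose value is user-controlled.
function render(value, encode, quoteChar) {
  const encoded = encode(value);
  const q = quoteChar;
  return {
    html: '<input name=' + q + 'q' + q + ' value=' + q + encoded + q + '>',
    breaksOut: breaksOut(encoded, quoteChar),
  };
}

// Constructed attacker inputs, one shaped for each attribute context.
const PAYLOADS = {
  double: 'x" onfocus="alert(1)" autofocus="',
  single: "x' onfocus='alert(1)' autofocus='",
  unquoted: 'x onfocus=alert(1) autofocus',
};
const QUOTES = { double: '"', single: "'", unquoted: '' };

// Run every (context, encoder) pair; returns which combinations break out.
function demo() {
  const result = {};
  for (const ctx of Object.keys(PAYLOADS)) {
    result[ctx] = {
      naive: render(PAYLOADS[ctx], naiveHtmlEncode, QUOTES[ctx]).breaksOut,
      strict: render(PAYLOADS[ctx], attrEncode, QUOTES[ctx]).breaksOut,
    };
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const ctx of Object.keys(PAYLOADS)) {
    console.log(ctx, 'naive:  ', render(PAYLOADS[ctx], naiveHtmlEncode, QUOTES[ctx]).html);
    console.log(ctx, 'strict: ', render(PAYLOADS[ctx], attrEncode, QUOTES[ctx]).html);
  }
  console.log(JSON.stringify(demo()));
}
```

The naive encoder is correct for the double-quoted attribute and only fails in the single-quoted and unquoted ones, which is why a "bypass" of this kind is really a finding about the template, not about the encoder. The practical checks are: quote every attribute, pick the encoder per output context (attribute, text node, JavaScript string and URL each need a different one), and treat an unquoted attribute as a bug in its own right, since even a conservative encoder only saves it by accident.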


webDEViL
Apr 25, 2014, 2:17:54 PM
to null-...@googlegroups.com

Lol. Everyone was meant to choose that.

Abhisek Datta
Apr 25, 2014, 3:22:15 PM
to null-...@googlegroups.com

After what happened at the last Pwn2Own and more recently with OpenSSL, I wonder, with so much investment in security, are we getting anywhere?

Sure, we increased the barrier to entry; sure, we made breaking in difficult for the weekend enthusiasts; but do those who really care about security feel more secure?

Bug bounties: it's definitely a great idea to get rid of shallow bugs (not considering Linus's law) at a much lower cost. Even high-end penetration testing doesn't guarantee coverage, so I guess bug bounties and conventional penetration testing complement each other rather than being comparable.

Regards,
-abhisek

sandesh anand
Apr 25, 2014, 3:28:07 PM
to null-...@googlegroups.com
We are taking bounties too seriously. They are fun and useful for getting some cash and bragging rights. Kind of like selling cool domain names in the 90s: people would buy common domain names for a low cost and sell them for a high price a few years later. At some point, selling domain names stopped being profitable (mostly because all the "cool" domains were taken). Similarly, bug bounties will have a natural death in a few years. Till then, it's a cool way to make some cash on the side for bounty hunters (as someone mentioned, they are not "researchers"; nothing wrong with that thought). For the companies, this is an awesome attempt to encourage security researchers to be responsible. The alternative is that we security folk will find these issues and publish them on blogs. This way, responsible disclosure is encouraged, which is great.

As someone mentioned above, a company is doomed if its "AppSec strategy" == "bug bounty programs". At best, it's a useful addition to the other security initiatives they need to have.

Sandesh

eQuiNoX
Apr 25, 2014, 8:56:28 PM
to null-...@googlegroups.com
Just a few thoughts.

Bug bounties are an excellent way of:
 [1] "crowd-sourcing" security
 [2] giving people an incentive to report/fix issues

There should be at least 3 major different kinds of bug bounties/competitions involved at present:
[1] Web-application vulnerabilities
[2] Browser-related vulnerabilities
[3] Pwnage competitions
[4] Improving security in open source applications

There have been arguments that the whole fix-a-bug-till-no-more-bugs type of program [1][2][3] isn't that useful (I partially agree, except in the case of programs like Pwnium where exploitation methods are shared). At the same time, it does make sense to pay people who find bugs, as they might not have an incentive to contribute towards its fix (by reporting it) otherwise.

I personally love the idea of [4], which seems to be designed specifically to meet the above deficiency.


-- eq

Adee
Apr 26, 2014, 7:26:27 AM
to null-...@googlegroups.com
"XSS, XSRF, Clickjacking and nothing more and doing silly Bug bounties and HOF and begging for Rewards/ T-shirts etc...!"

Didn't know when XSS, XSRF, clickjacking became silly bugs!! And obviously the people in Facebook, Google and other big companies who have a bug bounty program, their employees couldn't find those vulnerabilities even while taking handsome salaries. So it's fine if someone gets his name in the HOF or even gets a T-shirt. At the end of the day he found some vulnerabilities which others couldn't (hope that's what is called research), no matter if it is autocomplete enabled which rewards him.

Google's definition of research:
research
rɪˈsəːtʃ, ˈriːsəːtʃ/
noun
  1. the systematic investigation into and study of materials and sources in order to establish facts and reach new conclusions.
     "the group carries out research in geochemistry"
     synonyms: investigation, experimentation, testing, exploration, analysis, fact-finding, examination, scrutiny, scrutinization, probing
verb
  1. investigate systematically.
     "she has spent the last five years researching her people's history"
     synonyms: investigate, conduct investigations into, study, enquire into, make enquiries into, look into, probe, explore, analyse, examine, scrutinize, inspect, review, assess

TAS
Apr 27, 2014, 3:31:30 AM
to null-...@googlegroups.com
Nope, I did not. I was just trying to put an analogy, and I guess it was understood well. Rahul said it: finding a way to bypass XSS filters is still research.
-
TAS
http://twitter.com/p0wnsauc3

Sandeep Kamble
Apr 27, 2014, 10:49:36 AM
to null-...@googlegroups.com
Bottom line: do what you're good at, get better, have fun and give something back to the world.

chaitany kamble
Apr 27, 2014, 11:07:19 AM
to null-...@googlegroups.com

And, obviously... never do it for free.

Regards,
Chaitany S. Kamble
ControlCase
+919766885994

Sent from my Nexus 5. Pl forgive typos.

surya subhash
Apr 27, 2014, 11:22:32 AM
to null-...@googlegroups.com
As the Joker in Batman said: if you're good at something, never do it for free. :p

Sriram Narayanan
Apr 27, 2014, 3:13:50 PM
to null-...@googlegroups.com
@surya subhash and @chaitany kamble:

When you folks mention "never do it for free", etc., are you talking about a business model?

The various folks conducting top-notch humla sessions have been giving away a lot of their time and knowledge for free. What's your take on such people?

Moreover, how have you been learning? By paying money for books and for sessions? Aren't there any blog posts, IRC or forum discussions, or YouTube/SecurityTube videos that you've seen for free and learned from? What about the null mailing group that you are free members of? Or those null meetups that are free throughout the country?

Please do clarify what you mean by "never do it for free".

-- Ram





webDEViL
Apr 27, 2014, 3:40:40 PM
to null-...@googlegroups.com

I believe they meant for corporates and not individuals.

chaitany kamble
Apr 27, 2014, 6:06:18 PM
to null-...@googlegroups.com

@ram

The thread is about bug bounties, so all I would refer to here is that only. Sharing knowledge is a different thing than getting paid for bugs. And why the hell would someone do it for free if there are people willing to pay for it?

Hunt down bugs. Get paid and share that knowledge.... for free ;)

As hackers we believe in free knowledge, but I certainly think none here will be freely giving out skills as well.

I assume you will get the point now.

Regards,
Chaitany S. Kamble
ControlCase
+919766885994

Sent from my Nexus 5. Pl forgive typos.

Dhanesh k
Apr 27, 2014, 10:59:25 PM
to null-...@googlegroups.com
"And why the hell someone will do it for free if there are people willing to pay for it."

I beg to differ. There are people who submit bugs directly to the vendor company even without a bounty, when they could easily have got a bounty from ZDI/iDefense.

As a matter of fact, bug hunting predates bug bounties. Open source developers and testers have been finding and fixing security vulnerabilities for free. (I am aware of the new initiative for critical systems like Apache/OpenSSL/PHP etc., which is commendable, though I haven't seen any major breakthrough there yet.)

I am not against bug bounties; people who are interested, let them do it [nothing better than some $$$ in hand; make sure you use it wisely, like buying (and not pirating) tools etc.]. But don't mock the other guys, because most of those people started to bug hunt when many of us were in nappies.

webDEViL:

"I even would want my company to pay me per bug that I find, in all those assessments that I do."

When I'm gonna get my Ferrari from the showroom, you can drop me there in your Lamborghini. OK? ;)

Regards,
Dhanesh

surya subhash
Apr 27, 2014, 9:20:44 PM
to null-...@googlegroups.com
Hey, you know each company has to pay so much to security engineers or their security staff, or even if they give some security contract. But they give very little, maybe some 50%, as bounties. So there is no point in doing it for free :). If it is seriously a company which can't spend money on security but is doing some service to society, we shall do it for free, as there are some charity bounties too ;)

Cheers.

ABHAY VAISH
Apr 30, 2014, 3:49:26 AM
to null-...@googlegroups.com

Rahul Sasi
Jul 19, 2014, 7:32:26 AM
to null-...@googlegroups.com
This thread was started to understand the community's reaction to bug bounties. Seems there is a lot of hate for XSS :P, so here is a blog post that explains how attackers were using XSS for hacking your emails.


Regards. 