Bug Bounty 101

Recently I was given the opportunity to speak at NBTCon (No Big Thing Con), held at the Salesforce office in San Francisco. In my talk I explained the basics of bug bounties, some ways to maximize your revenue, and how to write a productive report. Here’s a summary of the talk (with a little extra info/detail) and links to the slides:

Slides in PDF format: http://nahamsec.com/Presentations/NBTCon-December-2014-Slides.pdf
Slides on SlidesShare: http://www.slideshare.net/BehrouzSadeghipour/nbt-con-december2014slides-42589511

Bug Bounty 101

Why bug bounties?

For researchers:

    • Chances of finding vulnerabilities worth putting on your resume.
    • Finding jobs in the industry.
    • Make some money while in college (like myself).

For Companies:

    • Hopefully fewer security breaches.
    • Better, more secure apps.
    • Access to thousands of researchers around the world.

Popular Programs:

  • Google
    • Min. payout of $1337 on *.google.com
    • Max payout of $20,000
    • More challenging to find critical bugs.
    • Example of a high payout:
      • $10,000 for an XXE found by Detectify.
  • Yahoo
    • Min. payout of $50 (Recently changed from $250 to $50)
    • Max payout of $15,000
    • Example of highest payout:
      • SQL Injection escalated to Remote Command Execution in Flickr worth $15,000.
  • Facebook:
    • Min. payout of $500.
    • Max payout is said to be a million dollars if a bug is found that’s actually worth that much.
    • Example of highest payout:
      • $33,500 for a Remote Command Execution
  • More Programs?
    • GitHub
    • PayPal/Magento
    • Twitter
    • Square
    • cPanel
    • https://bugcrowd.com/list-of-bug-bounty-programs

Popular Platform:

  • Bugcrowd:
    • Managed or unmanaged programs for companies.
    • 13,000+ researchers.
    • 150+ bounties
    • 30,000+ submissions.
    • Max single payout of $13,000 to a researcher
  • CrowdCurity
    • Not a whole lot of public data posted online.
    • ~1500 researchers.
    • Focused on Web Apps with a greater focus on BitCoin services.
  • Synack
    • Private community
    • They do not talk about their researchers or customers.
    • Researchers are required to pass a test in order to be accepted to the Red team.
    • Offering programs on Host infrastructure, mobile application, reverse engineering, hardware, as well as Web Applications.
  • Hackerone
    • More of a security inbox for companies. They are not involved in decisions made by the programs nor manage them for customers.
    • 1000+ hackers thanked.
    • 70+ public programs.
    • $1.5 million in paid bounties.
    • Close to 5,000 closed and fixed bugs.
    • Offers an “Internet Bug Bounty” program where researchers may report bugs on PHP, Ruby, Apache, and many more.

Basics of Bug Bounties:

  • Don’t make any threats to program owners/security analysts if you aren’t happy with the outcome of your report.
  • Don’t ask or beg for money or “swag”. Just because you reported a vulnerability to a program, that doesn’t entitle you to a prize.
  • Don’t compare two different programs:
    • Different programs have different budgets.
    • If you do compare them for a “good cause”, don’t lie about it.
  • DO NOT pentest without permission. It’s not worth it, and it will cause you a lot of legal trouble.
  • Read the program rules:
    • Familiarize yourself with the scope of the program.
    • Some subdomains may or may not be in scope.
    • You may need to register an account and they may have provided the instructions in the program rules.
    • Understand the vulnerability types they accept and pay for.
  • Respect the program’s decisions.
  • Respect other researchers.
  • Quality vs Quantity.
    • You want to have a good reputation!

Quality vs Quantity:

  • Most programs maintain a reputation system:
    • BugCrowd (Accuracy)
    • HackerOne (Reputation)
    • Google
    • Facebook
  • Better reputation has its own perks
    • Private programs.
    • Private events.
  • More doesn’t mean better:

[BugCrowd graph: researcher points (top) vs. accuracy (bottom)]

  • As you can see above:
    • The blue arrow shows that the researcher marked with it has close to 1,000 points, but on the accuracy (bottom) graph their accuracy has dropped to almost 30%.
    • The red arrow shows that a researcher with close to 500 points has an accuracy of almost 80%.

Maximizing your payout

  • Don’t doubt yourself.
    • This is just something I have personally experienced. There have been a few times when I thought somebody else had definitely looked at the same pages/apps, and eventually I found a critical vulnerability, proving myself wrong.
  • Check EVERYTHING.
    • Every parameter.
    • Every post request.
      • There have also been times where I overlooked a request or two, and a few months later I saw that someone was able to find a good bug in that very same app with the very same requests.
    • User input validation.
      • Forms, searching functionality, or profile pages are the best place to start.
      • Are they using a filter? Can you break it?
    • Don’t go for the low hanging fruits.
      • This was one of the best pieces of advice I was given as a researcher. Remember: higher severity = higher payouts.
      • You may also find the low severity bugs while looking for more critical ones.
      • Fewer chances of dupes!

Methodology

Come up with a method to look for bugs:

  • Pick a target.
  • Pick an application or subdomain.
  • Pick a vulnerability type.
  • Focus.
  • Google is there ready to help if needed.
    • Here’s one of my old searches on Google while auditing subdomains of Yahoo (Taiwan in particular), which filters out the subdomains I was not interested in or had already looked at:
      • site:tw.*.yahoo.com -news -sports -knowledge -house -travel -money -fashion -dictionary -charity -autos -emarketing -maps -serviceplus -screen -tech -mail -talk -bid -uwant -stock -mall -buy -myblog -movies -games -safely -bigdeals -finance -info -mobile -help
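Two small helpers for the methodology above, written as an added example (not code from the talk or its author): one classifies candidate hosts against the program’s in-scope/out-of-scope wildcards so you only audit what the rules allow, the other rebuilds the “site: … -label” exclusion query from hosts you have already reviewed or that are out of scope. The scope patterns and host names are constructed for illustration, not any real program’s rules.

```python
import fnmatch
from dataclasses import dataclass, field

@dataclass
class Scope:
    """Hostname wildcards copied from a program's rules (shell-style, lowercase)."""
    in_scope: list = field(default_factory=list)
    out_of_scope: list = field(default_factory=list)

def classify(host: str, scope: Scope) -> str:
    """Return 'out', 'in' or 'unknown'. Out-of-scope patterns are checked first,
    so an explicit exclusion under a wildcard such as *.example.com is honoured."""
    host = host.strip().lower().rstrip(".")
    if any(fnmatch.fnmatchcase(host, p) for p in scope.out_of_scope):
        return "out"
    if any(fnmatch.fnmatchcase(host, p) for p in scope.in_scope):
        return "in"
    return "unknown"

def wildcard_label(host: str, site_pattern: str):
    """For pattern 'tw.*.yahoo.com' and host 'tw.news.yahoo.com' return 'news',
    the label in the wildcard position; None when the host does not fit."""
    hl, pl = host.lower().split("."), site_pattern.lower().split(".")
    if len(hl) != len(pl) or pl.count("*") != 1:
        return None
    if any(p != "*" and h != p for h, p in zip(hl, pl)):
        return None
    return hl[pl.index("*")]

def search_query(site_pattern: str, skip_hosts) -> str:
    """Build 'site:<pattern> -label ...' excluding every host in skip_hosts that
    fits the pattern (deduplicated, first-seen order), like the query above."""
    labels = []
    for host in skip_hosts:
        label = wildcard_label(host, site_pattern)
        if label and label not in labels:
            labels.append(label)
    return "site:" + site_pattern + "".join(f" -{l}" for l in labels)

if __name__ == "__main__":
    # Constructed scope and hosts: illustrative only, not any program's real rules.
    scope = Scope(in_scope=["tw.*.yahoo.com"], out_of_scope=["tw.mail.yahoo.com"])
    hosts = ["tw.news.yahoo.com", "tw.mail.yahoo.com", "tw.sports.yahoo.com"]
    skip = [h for h in hosts if classify(h, scope) != "in"] + ["tw.news.yahoo.com"]
    print(search_query("tw.*.yahoo.com", skip))
```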

Pick up a pattern

  • Look for the same parameter, functionality, file type or file name in the same or other subdomains of the website.
  • 3 SQL Injections on Yahoo found with the help of Google:
    • site:hk.*.yahoo.com + inurl:"id" + filetype:html
  • GitHub, Amazon, HackerOne, Google Nest, ZenDesk, Twitch, Shopify, SYNACK were all vulnerable to the same bug:
    • CVE-2014-7829 (see slides for more info)

Making a report

Making a report is one of the most important parts of the research. Your report could determine whether you are getting paid $250 or, in some cases, $2,500.

  • Be very specific.
  • Provide step-by-step instructions.
  • Provide an attack scenario.
    • Why is it critical?
    • Are you able to target specific user(s)?
    • Are you able to read private data or server configuration files?
  • Provide screenshots if needed.
  • If you create a video, make it accurate, quick, and professional:
    • Don’t put loud music in the background.
  • Check slides for examples of good vs bad reports.

Public Disclosure

This could be done differently depending on the program:

  • HackerOne – You can simply “request disclosure”. In some cases it may take up to 30 days.
  • BugCrowd – You can simply ask on your report and receive an answer once it has been reviewed.
  • Programs such as Google, Facebook, PayPal – You can always ask via email.
  • Some programs may deny public disclosure because sensitive information such as IP addresses, configurations, etc. would be disclosed.

Future of Bug Bounties

  • Hopefully more and more companies will start participating. Some of the bigger companies are not offering anything in return for pentesting (or don’t even have a program):
    • Amazon
    • Apple
    • eBay
    • Sony
  • More companies will hopefully start to offer bounties and not just a wall of fame.
  • Less free bugs!

Perks from Bug Bounties

  • Connections.
  • Free services from different companies.
  • Job offer(s).
  • Monetary rewards.
  • Gain more experience by challenging yourself.

Resources

Learning from one another is a great tool. You get to see how others approach problems and different vulnerability types. You may pick up a few tricks by reading others’ write-ups. Here is a list of a few good and active researchers:

  • @Securatary (http://uzbey.com/bbp-funding)
  • @FransRosen (http://detectify.com)
  • @BitQuark (http://bitquark.co.uk)
  • @Fin1te (http://fin1te.net)
  • @prakharprasad (http://prakharprasad.com)
  • @internetwache (http://en.internetwache.org)
  • @ITSecurityguard (http://blog.it-securityguard.com/)

I would like to thank Marisa Fagan for allowing me to speak at NBTCon, as well as JCran of BugCrowd.
