Bug bounty programs


Page 1: Bug bounty programs

BUG BOUNTY PROGRAMS

Finding security flaws faster & cheaper

Page 2: Bug bounty programs

What is security bug bounty?

To show appreciation for security researchers worldwide, companies offer a bounty (usually monetary) for certain qualifying security bugs.

Page 3: Bug bounty programs

Who is already doing it?

& many more

Page 4: Bug bounty programs

Why do a BBP?

• To prevent critical bugs being sold on the black market
• Productive relationship with the community
• Internal bug hunters are limited in number, the external ones are virtually unlimited
• It’s the fastest way to secure publicly facing applications and infrastructure
• Provides security training and awareness for internal teams
• Recruit talented bug hunters

& many more

Page 5: Bug bounty programs

Why give budget to a BBP and not invest in a secure SDLC?

No matter how much the company improves the SDLC, security bugs will occur, mainly because:

• 3rd party code and services
• Shared infrastructure
• New developers
• The rush for functionality

Page 6: Bug bounty programs

Why not just BBP as security?

Application security must be achieved using all means available.

Secure SDLC must include as part of the cycle:

• Source code audit
• Penetration testing
• Bug Bounty Program

Page 7: Bug bounty programs

How much have others spent?

$2M in 4 years

$1M in 2 years

Page 8: Bug bounty programs

How much should the company spend?

• Start low
  • small amounts
  • non-monetary bounties
• Establish a leader board / hall of fame
• If budget is a constraint, establish a cap and restrict the limits of the program (one site/application)
• Reevaluate periodically the amounts paid
• It’s not always about the money that security researchers are after (but then again you don’t want to end up paying $12.50 for a bug like Yahoo; in this case no bounty is a better option)

Page 9: Bug bounty programs

Who is doing it? What kind of persons are doing this?

• Security researchers doing this for a living
• Hobbyists

Why are they doing this?

• Money
• Leaderboards
• Hire opportunities
• Challenges / Fun

Page 10: Bug bounty programs

Lesson learned from other BBP

The leader boards are constantly changing. Some people go out and try the same technique until they dry out. New people come with new ideas, keeping the scene interesting.

When it comes to security research, the Internet is an endless pool of fresh ideas.

Page 11: Bug bounty programs

Google’s reward matrix

| Bug class | accounts.google.com | Other highly sensitive services [1] | Normal Google applications | Non-integrated acquisitions and other lower priority sites [2] |
|---|---|---|---|---|
| Remote code execution | $20,000 | $20,000 | $20,000 | $1,337 - $5,000 |
| SQL injection or equivalent | $10,000 | $10,000 | $10,000 | $1,337 - $5,000 |
| Significant authentication bypass or information leak | $10,000 | $7,500 | $5,000 | $500 |
| Typical XSS | $7,500 | $5,000 | $3,133.7 | $100 |
| XSRF, XSSI and other common web flaws | $500 - $3,133.7 | $500 - $1,337 | $500 | $100 |

Page 12: Bug bounty programs

Black market prices

Page 13: Bug bounty programs

Short term actions

• Elaborate and publish a Responsible Disclosure Policy
• Establish a clear point of contact for reporting (email, web form)
• Start an internal BBP for employees

Page 14: Bug bounty programs

Short term actions

• Give security researchers credit for their work
• Publish leader boards
• Start an external pilot program (limit the scope to one site/application)

Page 15: Bug bounty programs

Further references

http://vimeo.com/54130349 – Google, Facebook and Mozilla BBP managers talking about the subject

http://techcrunch.com/2013/08/12/googles-bug-bounty-program-has-now-paid-out-over-2m-ups-some-chromium-rewards-to-5k/ – how much Google & Facebook have spent

http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/ – black market prices

http://www.google.com/about/appsecurity/reward-program/ – Google bug bounty program

https://www.facebook.com/whitehat – Facebook bug bounty program

Page 16: Bug bounty programs

[email protected]

http://www.pentest.ro