Publications

Follow us on social media

What is bug bounty?

7 July 2016

Such type of income as search for vulnerabilities for reward has gained considerable popularity recently and has already been allocated in a separate area of employment for information security professionals. More and more companies join such programs named bug bounty. Falcongaze Analytics Center shares how this sphere evolved and how it works now.

What is so attractive about bug bounty programs for companies? The economic factor plays important role. Total cost of bug bounty for an organization will be much less than hiring individual specialists for information security auditing and penetration testing. In addition, such campaign most likely would be more effective. Numerous bug hunters (people searching for vulnerabilities) in the short time will test a service for almost all possible vulnerabilities.

However, along with benefit such programs bring complexity. Reports from bug hunters should be promptly considered and corrected, and in the case of a more or less popular resource amount of alleged vulnerabilities may reach hundreds per day. And one still needs to find among these vulnerabilities the ones that describe the real problems. In addition, bug hunters rarely find critical errors in a service. Most researchers scan a service for the presence of simple and widespread errors in the hope to earn rewards with a minimum of bloodshed, and then go on to the next company. Receiving no response from a company, researchers sometimes spread information about the vulnerability and make it available in the open access. This happened to the social network Facebook.

A researcher from Palestine discovered a vulnerability that allowed anyone to publish anything on the pages of other users, even if they were not in the list of friends. Despite the fact that the researcher notified Whitehat, which deals with error messages on Facebook, about it, the company did not agree the error was a bug. After that, the researcher posted some information about the bug and the situation on the page of Mark Zuckerberg, and the post was visible to everyone. Thus, the vulnerability became known to the public while the researcher did not receive a reward for the detected bug.

Such behavior is not particularly typical for the community of bug hunters, but quick response is still an important factor for bug bounty programs. Long before the prevalence of bug bounty programs within the community of whitehat hackers a kind of code of honor was formed, according to which after finding a vulnerability information about it should be first of all given to a company owning the product where the vulnerability was found. And in general access this information gets after sufficient for fixing this vulnerability time. Bug bounty system works according to the same principles — reports are sent directly to companies, and after fixing a vulnerability a researcher can tell the world about their achievements.

Public search for vulnerabilities brings financial benefits not only to companies, but also to researchers. For experienced professionals bug bounty programs are a good source of profit.

One of the most popular resources using which most companies implement bug bounty system is the HackerOne platform. Currently the platform brings together more than 3000 security professionals across 150 countries. The history of large-scale bug hunting, in the form in which we know it today, with whitehat hackers and the reward program, originates from sponsoring of Internet Bug Bounty by Facebook and Microsoft companies. But if we delve into the history, we will find out that the reward for any found errors had been practiced earlier, just not on a grand scale. One of the first browsers —Netscape Navigator — actually gave the name to such initiatives. Netscape employee in early 1996 noticed that many loyal customers of the company were specialists in various technological fields, and offered to pay them for their participation in the project development. He was also the first to use the phrase bug bounty to describe the process. The first similar to searching for vulnerabilities program can be called the initiative of Donald Knuth, one of the most famous mathematicians and computer scientists of the last century. For each error found in his famous monograph "The Art of Computer Programming", he sent to attentive readers a check for one hexadecimal dollar ($ 2.56).

Not only companies can benefit from bug bounty. Recently it has become known that the United States Department of Defense with the help of vulnerability scan program identified more than a hundred potential gaps in its electronic resources. This is the first initiative of this kind, carried out at the level of the federal government. Over 1400 specialists took part in the Pentagon project. In a statement issued to Reuters, the Secretary of Defense Ashton Carter said the Hack the Pentagon initiative was designed to "strengthen our digital defences and ultimately enhance our national security".