Friday, 13 October 2017

Cyber Pop: Bug Bounty
What is a bug bounty?

A bug bounty program is an initiative offered by many companies and websites that rewards individuals for discovering and reporting bugs, specifically exploits and vulnerabilities. Also called a vulnerability rewards program (VRP), this type of exchange provides recognition and compensation to those who discover the bugs, while allowing the organization to resolve the issues before the general public becomes aware of them, thereby preventing widespread abuse.
The concept of a bug bounty was originated by Jarrett Ridlinghafer, a technical support engineer at Netscape Communications Corporation who “recognized that Netscape had many enthusiasts and evangelists for their products, some of whom to him seemed even fanatical, particularly for the Mosaic/Netscape/Mozilla browser. He started to investigate the phenomenon in more detail and discovered that many of Netscape’s enthusiasts were actually software engineers who were fixing the product’s bugs on their own and publishing the fixes or workarounds.” From there, the idea was born and has since been adopted by brands such as Facebook, Yahoo!, Google, and Reddit.
Many programs pay out cash rewards to those who find and disclose bugs, but those bug reports must contain enough information for the organization giving the bounty to reproduce and validate the vulnerability. This payment is dependent on the size of the company, the difficulty of the hack, and the potential impact.

Why are bug bounties controversial?

The use of ethical hackers to hunt bugs has proven very effective in many cases, but some programs are still seen as controversial. Oftentimes, those who sell exploits to unofficial marketplaces, where people can buy those exploits for their own use, and those who focus on company-sponsored bug bounties can blur the line between white hat and black hat.
In some cases, organizations offer closed bug bounties that require certain criteria to be met in order to participate.
“Some companies, notably Microsoft, believe that bounties should only be used to catch bad guys, not to encourage people to find holes. And then there’s the issue of double-dipping–the possibility that a hacker might collect a prize for finding a vulnerability, and then sell information on that same exploit to malicious buyers.”
That being said, Microsoft believes the philosophy of bug bounty programs boils down to this: “Catching burglars is too hard, so instead let’s make sure the house is really secure.” Other organizations may disagree, but the idea is that because vulnerabilities are easy to share, the approach should simply be to eliminate the vulnerabilities and, with them, the possibility that they get abused.

What is an example of a bug bounty program in the news?

In November of 2016, the U.S. Army coordinated with the DDS to launch its first ever bug bounty challenge, which was an unprecedented way for the military branch to expand its security efforts. Characterized as the most ambitious Federal bug bounty program, Hack the Army centered on critical websites.
Running from November 30, 2016 until December 21st of that year, the program was deemed a success with over 370 participants and 416 reports of which 118 were valid. The total bounties paid to hackers were estimated to be around $100K.
It should be noted that as a security measure, this program was not open to everyone; it was invite-only, so hackers could be vetted. Any military and government personnel who wanted to participate got automatic entry.

How can I learn bug-hunting techniques?

If you’re starting from scratch but want to become an expert at penetration testing and bug hunting, you will need to learn the basics. Familiarize yourself with OWASP’s Top 10 vulnerabilities. Luckily, Cybrary offers some helpful micro courses:
Practicing in a simulated environment is a great way to test your skills and allows you to use various tools and techniques for identifying vulnerable applications. We recommend:
You can also get a lot of great insight from proofs of concept. Read what others have discovered in 0P3N and network with the community for even more feedback. Those dedicated to learning penetration testing should actively seek out information on vulnerabilities and stay up to date with cybersecurity news.
