What is a bug bounty? The best definition I could find was from a Daniel Miessler post about security assessment types. He said: "a bug bounty is a type of technical security assessment that leverages crowdsourcing to find vulnerabilities in a system".
The history of bug bounties is interesting too.
Here are some timeline highlights:
1995: Netscape introduces the first bug bounty program. It offered cash rewards for finding bugs in Netscape Navigator 2.0.
2002-2005: The firms iDefense and TippingPoint started so-called middleman programs. These programs collected vulnerabilities from researchers and connected them to vendors. These programs still exist today.
2007: Pwn2Own launched, a contest and hunt for bugs during a limited period. It started with a reward of $10,000.
2010-present: Google began a bug bounty program for web applications. Other companies like Facebook, PayPal, and others, up until the present day, continue to launch programs. Also, during this time, companies like Synack, BugCrowd and HackerOne established what are called bug bounty marketplaces or crowdsourced vulnerability assessments.
So what are bug bounty marketplaces? Here is where the journey started.
BugCrowd was picked as the program to participate in for my investigations. If you read its website, it is the largest crowdsourced cybersecurity program. You start the process by establishing an account, agreeing to some legal Terms of Service (TOS) and logging in. Once logged in, you create or document your profile and are allowed to view a dashboard, programs and various portions of the program. The most exciting items to view, when first logging in, are the leaderboard and hall of fame sections. BugCrowd plays to the human/hacker condition of being recognized for what you have accomplished. Its leaderboard is very reminiscent of online game leaderboards, where you can view who is the best this month and of all time. Participants earn points, which are generated by bug reports or reported vulnerabilities.
My initial plan, before signing up for any programs, was to spend some time building a research or lab environment and getting some bug hunting practice on vulnerable applications. About four months were spent building a lab and testing vulnerable lab applications. Once comfortable with the bug hunting process, it was time to check out programs. In BugCrowd, there are public-facing programs and invite-only private programs. Getting started in the public program process involves reviewing the program's scope, goals, rules, ratings and rewards.
Before doing any testing, it is essential to take another look at the ‘in scope’ targets. Testing against any targets outside of the scope or connected third parties would result in a violation of the TOS and possibly legal repercussions.
Once you have established which program you plan to participate in, it is time to get testing. BugCrowd program participants (the companies that pay BugCrowd to manage their programs) vary and have representation across all verticals.
If you manage to find a bug or flaw in a target, it is time to submit the vulnerability for evaluation. Your submission should contain detailed information about how you discovered the vulnerability, its security impact, how to replicate it and a proof of concept. Don’t forget to include the ‘in scope’ target affected by the vulnerability.
After submitting the vulnerability, it will be evaluated and tested to make sure it is valid. Vulnerability submissions can be rejected, accepted or flagged as a duplicate during the process.
If the vulnerability submission is validated, there are two forms of rewards available in BugCrowd’s program. Kudos points are used to measure the quality, impact, and volume of your submissions. Financial compensation will be awarded for a validated vulnerability. Each bug bounty program has different financial compensation guidelines and amounts for submissions. (For the purposes of the research, we were not rewarded.)