As the moderator of the bug bounty panel during AppSec USA 2017 in Orlando, Florida, I had the pleasure of leading a discussion on bug bounties (obviously), providing a view into how they work, who should consider them, who's involved in the process, and what some of the pros and cons are from both sides of the program: the organization and the security researchers they solicit.
Of course, I didn't do this on my own; the following panelists were by my side to provide their own unique experiences and expertise:
- Cassio Goldschmidt, Stroz Friedberg, an AON company
- Sean Melia, Gotham Digital Science
- Michael Stoker, Baker & McKenzie
- Michael Gallagher, PayPal
A recap and the video are located below. But, before we go there, a few things to set the stage.
For those not familiar with a bug bounty program, here's the Bug Bounty Program definition from Wikipedia:
A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse.
Prior to the panel, I did some research and connected with some companies (strangely, not all of them replied - thanks to those that did) to help me do two things: 1) re-confirm my view of how bug bounties fit into the overall application security program, and 2) provide a brief history of bug bounties.
The application security program information is captured in the recap section located toward the end of this post. The history, along with some interesting facts that were uncovered, are shared following my signature.
History of Bug Bounties and Other Interesting Facts
First payout ever for security research (getting paid to break something)
First software bug bounty
It's fairly well known in the industry that Netscape's public program, which began in 1995, was the "original" bug bounty program. The scope of the program was focused on the new release of its flagship product, Netscape Navigator 2.0.
However, HackerOne shared an operating system bug bounty ad with ... wait for it... a VW Bug being offered as the bounty. The researcher could presumably opt for the Bug or $1,000, whichever was preferred. The date of the ad is 1983. (Hunter and Ready Inc. - the product was VRTX.) Perhaps this is the 'real' first one?
A few more along the bug bounty timeline
In 2002, IDefense launched its own bug bounty program - offering $400.
In 2004, Mozilla created a program that is still running today - initial critical bug payouts were $500.
In 2010, Google kick-started their program focused on web apps. They've since expanded the scope to many areas of their portfolio.
Microsoft has multiple programs running, with a relatively new payout scheme defined where specific Windows 10 vulnerabilities can earn up to $250K.
Samsung recently launched a bug bounty program for their phones, offering a $200k payout possibility, taking the scope to the mobile world.
For more details leading us up to 2015, Cobalt has a nice chart that shows some of these in a timeline.
More than cash: Alternative bounty payouts
- Lufthansa pays bounties in frequent flier Miles & More points. (HackerOne)
- United Airlines also pays bounties in United air miles. (Bugcrowd)
- Cryptocurrency is becoming a hot commodity in the bug bounty community. (Bugcrowd)
- Of course, swag, such as t-shirts and other gear, is almost always on the list of payment options.
Other notable payouts: Back to the cash!
- 1Password has a top reward of $100K. (Bugcrowd)
- The hacker who reported Heartbleed and the Shellshock vulnerability in Bash was awarded $20k and $15k bounties, respectively, and donated the bounties to charity. (HackerOne)
- A private (secret) program with a $250k payout in the works. (Bugcrowd)
It's not just about payouts: It's really about the fix
HackerOne shared with me that Slack responded to a Friday afternoon bug submission with the roll-out of a new fix within 5 hours.
Also flagged by HackerOne, Gartner predicts that 99% of vulnerabilities exploited through 2020 will continue to be known by security and IT professionals for at least one year.
Gartner also predicts that by 2020, 10% of penetration tests will be conducted by machine-learning- (ML-)based smart machines, up from 0% in 2016. Says Eoin Keary, CEO of Edgescan, "In relation to ML, I believe it shall initially be useful for the validation of simple or common vulnerabilities. We are quite a long way from identifying complex vulnerabilities using ML but it shall free us up to focus in more interesting security issues, that's the Edgescan approach to ML which I find is effective and reasonable." Robert Feeney, also from Edgescan, presented how to overcome challenges faced when automating app vulnerability scans.
A few more interesting bug bounty facts
In the Hack the Air Force bug bounty program, it took less than a minute for the first valid vulnerability to be reported. (HackerOne)
Slack once paid a bounty of $12.50 for a report that noted that the emoji representing a hamburger actually was a picture of a cheeseburger (or vice versa). The bounty was reportedly set to the average price of a cheeseburger. (HackerOne)
In the Hack the Air Force program, the most productive bug hunter was 17-year-old Jack Cable, who found 30 valid vulnerabilities. (HackerOne)
Is Facebook extending the crowdsourcing model beyond application security?
Sheryl Sandberg posted that Facebook is launching, for its ad platform, what she describes as programs similar to those run in the tech part of the business. There is no mention of payouts or a formal researcher registration process in the post, but a crowdsourced model for vetting ads for offensive and targeted content that breaks Facebook's moral policies is certainly an interesting case.
Here's the Panel Recap and Video
At the end of the live panel, I shared a very quick recap of what was discussed. I've expanded on this a bit with the following points that I believe capture the full essence of what the panel shared. Of course the best way to get the nitty gritty details is to watch the video once it is published. Until then, enjoy this written recap.
- Ensure the company is prepared to employ a bug bounty program before starting one.
- Integrate the bug bounty program into your overall application security program: consider the inclusion of the following: patch management, vulnerability assessments, continuous scanning, penetration testing, red teams, blue teams, static application security testing (SAST), dynamic application security testing (DAST), and runtime application self-protection (RASP).
- Formally tie the bug bounty program into the (secure) software development lifecycle (SSDLC).
- Determine the goals and objectives for the program; define the initial scope.
- Determine the best model and disclosure requirements for the program.
- Ensure the proper stakeholders are involved throughout the company.
- Define the program scope and set expectations for management, development, the research community, and the rest of the stakeholders in the program.
- Establish clear, consistent, and transparent communications.
- Implement the program, measure, and adjust as necessary.