Companies create bug bounties to provide financial incentives to independent bug bounty hunters who discover security vulnerabilities and weaknesses in systems. When bounty hunters report valid bugs, companies pay them for discovering security gaps before bad actors do.
Businesses starting bounty programs must first set the scope and budget for their programs. A scope defines which systems a hacker can test and outlines how a test is conducted. For example, some organizations keep certain domains off-limits or require that testing cause no impact on day-to-day business operations. This allows them to implement security testing without compromising overall organizational efficiency, productivity, and ultimately, the bottom line.
Once a hacker discovers a bug, they fill out a disclosure report that details exactly what the bug is, how it impacts the application, and what level of severity it ranks. The hacker includes key steps and details to help developers replicate and validate the bug. Once the developers review and confirm the bug, the company pays the bounty to the hacker.
In December of 2020, a hacker discovered a critical vulnerability that allowed unauthorized access into merchant accounts. Because of the bug bounty program, the hacker notified the Shopify team that could patch the bug in time for Christmas Eve, one of the biggest shopping days in e-commerce.
Yelp connects searchers to great local businesses worldwide. Yelp has used HackerOne since 2014 to manage its bounty program. Seeing the value in the hacker community, Yelp has 19 different domains in scope, including everything from mobile apps to email systems. To date, Yelp has used its bug bounty program to fix over 300 vulnerabilities and continues to add new applications and domains to its roadmap.
Traditionally, setting up a bug bounty program required companies to build their communication platform, implement bug tracking systems, and integrate into payment gateways. Now, setting up a bug bounty program is a simple process through HackerOne. The HackerOne platform allows organizations to set their scope, track bug reports, and manage payouts from one location.
A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.
These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse and data breaches. Bug bounty programs have been implemented by a large number of organizations, including Mozilla, Facebook, Yahoo!, Google, Reddit, Square, Microsoft, and the Internet bug bounty.
Companies outside the technology industry, including traditionally conservative organizations like the United States Department of Defense, have started using bug bounty programs. The Pentagon's use of bug bounty programs is part of a posture shift that has seen several US Government Agencies reverse course from threatening white hat hackers with legal recourse to inviting them to participate as part of a comprehensive vulnerability disclosure framework or policy.
Hunter and Ready initiated the first known bug bounty program in 1983 for their Versatile Real-Time Executive operating system. Anyone who found and reported a bug would receive a Volkswagen Beetle (a.k.a. Bug) in return.
In August 2013, a Palestinian computer science student reported a vulnerability that allowed anyone to post a video on an arbitrary Facebook account. According to the email communication between the student and Facebook, he attempted to report the vulnerability using Facebook's bug bounty program, but the student was misunderstood by Facebook's engineers. Later he exploited the vulnerability using the Facebook profile of Mark Zuckerberg, resulting in Facebook refusing to pay him a bounty.
In 2016, Uber experienced a security incident when an individual accessed the personal information of 57 million Uber users worldwide. The individual supposedly demanded a ransom of $100,000 in order to destroy rather than publish the data. In Congressional testimony, Uber's CISO indicated that the company verified that the data had been destroyed before paying the $100,000. Mr. Flynn expressed regret that Uber did not disclose the incident in 2016. As part of their response to this incident, Uber worked with partner HackerOne to update their bug bounty program policies to, among other things, more thoroughly explain good faith vulnerability research and disclosure.
Yahoo! was severely criticized for sending out Yahoo! T-shirts as a reward to security researchers for finding and reporting security vulnerabilities in Yahoo!, sparking what came to be called T-shirt-gate. High-Tech Bridge, a Geneva, Switzerland-based security testing company, issued a press release saying Yahoo! offered $12.50 in credit per vulnerability, which could be used toward Yahoo-branded items such as T-shirts, cups and pens from its store. Ramses Martinez, director of Yahoo's security team, claimed later in a blog post that he was behind the voucher reward program, and that he basically had been paying for them out of his own pocket. Eventually, Yahoo! launched its new bug bounty program on October 31 of the same year, which allows security researchers to submit bugs and receive rewards between $250 and $15,000, depending on the severity of the bug discovered.
Similarly, when Ecava released the first known bug bounty program for ICS in 2013, they were criticized for offering store credits instead of cash, which does not incentivize security researchers. Ecava explained that the program was intended to be initially restrictive and focused on the human safety perspective for the users of IntegraXor SCADA, their ICS software.
In October 2013, Google announced a major change to its Vulnerability Reward Program. Previously, it had been a bug bounty program covering many Google products. With the shift, however, the program was broadened to include a selection of high-risk free software applications and libraries, primarily those designed for networking or for low-level operating system functionality. Submissions that Google found adherent to the guidelines would be eligible for rewards ranging from $500 to $3,133.70. In 2017, Google expanded their program to cover vulnerabilities found in applications developed by third parties and made available through the Google Play Store. Google's Vulnerability Rewards Program now includes vulnerabilities found in Google, Google Cloud, Android, and Chrome products, and rewards up to $31,337.
Microsoft and Facebook partnered in November 2013 to sponsor The Internet Bug Bounty, a program to offer rewards for reporting hacks and exploits for a broad range of Internet-related software. In 2017, GitHub and The Ford Foundation sponsored the initiative, which is managed by volunteers, including volunteers from Uber, Microsoft, Adobe, HackerOne, GitHub, NCC Group, and Signal Sciences. The software covered by the IBB includes Adobe Flash, Python, Ruby, PHP, Django, Ruby on Rails, Perl, OpenSSL, Nginx, Apache HTTP Server, and Phabricator. In addition, the program offered rewards for broader exploits affecting widely used operating systems and web browsers, as well as the Internet as a whole.
In March 2016, Peter Cook announced the US federal government's first bug bounty program, the "Hack the Pentagon" program. The program ran from April 18 to May 12 and over 1,400 people submitted 138 unique valid reports through HackerOne. In total, the US Department of Defense paid out $71,200.
In 2019, The European Commission announced the EU-FOSSA 2 bug bounty initiative for popular open source projects, including Drupal, Apache Tomcat, VLC, 7-zip and KeePass. The project was co-facilitated by European bug bounty platform Intigriti and HackerOne and resulted in a total of 195 unique and valid vulnerabilities.
Open Bug Bounty is a crowd security bug bounty program established in 2014 that allows individuals to post website and web application security vulnerabilities in the hope of a reward from affected website operators.
On February 19, 2021, HackerOne user Kumar Saurabh reported a critical SSRF vulnerability to us through our bug bounty program. With this vulnerability, an attacker could make an HTTP GET request to internal endpoints within the production environment and read the response. After reproducing the vulnerability, we immediately declared an internal security incident, worked on a quick fix to close the hole, and pushed the fix to production in around eight hours. (We have no reason to believe this vulnerability was ever actively exploited, and no user data was at risk.)
One final caveat is special protocols. If validation only happens for HTTP requests, an attacker can leverage URL schemes such as file://, gopher://, etc. to carry out the exploitation. (Note that some older HTTP client libraries will follow an HTTP redirect to these special protocols, so validating only the initial request may again be insufficient.)
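The two caveats above (scheme allow-listing and re-validating every redirect hop) can be enforced by one outbound-request wrapper. This is an added illustration, not Dropbox's own fix: it assumes an injected `send(url)` callable that performs a single request without auto-redirect and returns `(status, headers, body)`, and an injected `resolve(host)` so the check can be exercised offline against a constructed DNS table.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def _default_resolve(host):
    """Resolve a hostname to the set of IP address strings it maps to (real DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_url(url, resolve=_default_resolve):
    """True only if the scheme is http(s) and every address the host maps to is public.
    Loopback, private, link-local, reserved, multicast and unspecified ranges are refused,
    so an attacker-controlled hostname cannot point the server at its own network."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        # IP literals (including bracketed IPv6) are checked directly, never resolved.
        addrs = {str(ipaddress.ip_address(parts.hostname))}
    except ValueError:
        try:
            addrs = set(resolve(parts.hostname))
        except (socket.gaierror, OSError):
            return False
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
            return False
    return bool(addrs)


def fetch_with_safe_redirects(url, send, resolve=_default_resolve, max_hops=5):
    """Follow redirects manually so every hop is validated, not only the first request.
    Raises ValueError when any hop fails is_safe_url or the hop limit is exceeded."""
    for _ in range(max_hops + 1):
        if not is_safe_url(url, resolve):
            raise ValueError(f"blocked unsafe outbound URL: {url}")
        status, headers, body = send(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            # urljoin keeps relative Locations on the same host but also yields the
            # full target for absolute ones, including file:// or gopher:// schemes.
            url = urljoin(url, headers["Location"])
            continue
        return status, body
    raise ValueError("too many redirects")
```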
SSRF has been one of our top concerns after we saw some novel techniques in recent talks. Thanks to the help of security researchers from our bug bounty program, we were able to fix the critical vulnerability detailed here before it could be exploited by bad actors. And in the process of fixing this particular case of SSRF, we used the opportunity to harden our systems more generally, substantially reducing the risk of SSRF going forward.
If being rewarded for finding vulnerabilities excites you, be sure to check out our bug bounty program. And if you want to build innovative products, experiences, and infrastructure, come build the future with us! Visit dropbox.com/jobs to see our open roles, and follow @LifeInsideDropbox on Instagram and Facebook to see what it's like to create a more enlightened way of working.