What is a bug bounty?
A bug bounty program is an initiative offered by many companies and websites that rewards individuals for discovering and reporting bugs, specifically exploits and vulnerabilities. Also called a vulnerability rewards program (VRP), this type of exchange provides recognition and compensation to those who discover the bugs, while allowing the organization to resolve the issues before the general public is aware of them, therefore preventing widespread abuse.
The concept of a bug bounty was originated by Jarrett Ridlinghafer, a technical support engineer at Netscape Communications Corporation who “recognized that Netscape had many enthusiasts and evangelists for their products, some of whom to him seemed even fanatical, particularly for the Mosaic/Netscape/Mozilla browser. He started to investigate the phenomenon in more detail and discovered that many of Netscape's enthusiasts were actually software engineers who were fixing the product's bugs on their own and publishing the fixes or workarounds.” From there, the idea was born and has since been adopted by brands such as Facebook, Yahoo!, Google, and Reddit.
Many programs pay out cash rewards to those who find and disclose bugs, but those bug reports must contain enough information for the organization giving the bounty to reproduce and validate the vulnerability. The payment depends on the size of the company, the difficulty of the hack, and the potential impact.
Why are bug bounties controversial?
The use of ethical hackers to hunt bugs has proven very effective in many cases, but some programs are still seen as controversial. Often, those who sell exploits to unofficial marketplaces, where buyers can use those exploits for their own ends, and those who focus on company-sponsored bug bounties can blur the line between white hat and black hat.
In some cases, organizations offer closed bug bounties that require certain criteria to be met in order to participate.
“Some companies, notably Microsoft, believe that bounties should only be used to catch bad guys, not to encourage people to find holes. And then there's the issue of double-dipping--the possibility that a hacker might collect a prize for finding a vulnerability, and then sell information on that same exploit to malicious buyers.”
That being said, Microsoft believes the philosophy of bug bounty programs boils down to this: “Catching burglars is too hard, so instead let's make sure the house is really secure.” Other organizations may disagree, but the idea is that, since vulnerabilities are easy to share, the approach should be to simply eliminate them, and with them the possibility that they get abused.
What is an example of a bug bounty program in the news?
In November of 2016, the U.S. Army coordinated with the DDS to launch its first ever bug bounty challenge, which was an unprecedented way for the military branch to expand its security efforts. Characterized as the most ambitious Federal bug bounty program, Hack the Army centered on critical websites.
Running from November 30, 2016 until December 21 of that year, the program was deemed a success, with over 370 participants and 416 reports, of which 118 were valid. The total bounties paid to hackers were estimated at around $100K.
It should be noted that, as a security measure, this program was not open to everyone; it was invite-only, so hackers could be vetted. Any military and government personnel who wanted to participate got automatic entry.
How can I learn bug-hunting techniques?
If you’re starting from scratch but want to become an expert at penetration testing and bug hunting, you will need to learn the basics. Familiarize yourself with OWASP’s Top 10 vulnerabilities. Luckily, Cybrary offers some helpful micro courses:
Practicing in a simulated environment is a great way to test your skills and allows you to use various tools and techniques for identifying vulnerable applications. We recommend:
You can also get a lot of great insight from Proof of Concepts. Read what others have discovered in 0P3N and network with the community for even more feedback. Those dedicated to learning penetration testing should actively find information on vulnerabilities and stay updated with cybersecurity news.
Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.