Bug bounty programs have become an invaluable channel for the disclosure and remediation of vulnerabilities, but like any industry, they come with their own set of problems.
Bug bounty platforms, such as those operated by HackerOne and Bugcrowd, work with individual companies to launch and manage programs through which external researchers can responsibly report vulnerabilities in software and online services.
It was once common practice for vulnerability reports to be made piecemeal, perhaps through a generic email address or by telephone, and some organizations would be spooked by bug reports or would respond negatively.
This is still the case in some circles, where fear, a lack of concern, or a lack of education can cause a backlash. Emails sent to DK-Lok by ZDNet warning them of an unsecured server were simply sent to the trash bin (viewable as the server was open). Coalfire researchers were arrested by US law enforcement while conducting a penetration test the court system had requested.
In addition, who could forget Missouri Governor Mike Parson, who branded a journalist a "hacker" for viewing website HTML and reporting a serious data breach impacting the state's educators.
Official bug bounty programs can streamline the process, at least when it comes to typical vulnerability disclosure. However, as shared by White Oak Security Staff Specialist Brett DeWall, there are common problems, in his opinion, that new bug hunters should be aware of.
When penetration testers at the company attempt to disclose bugs, a frequent lack of communication makes it a "time-consuming process." If the organization doesn't have an established bug bounty program, researchers can find themselves trying multiple channels, ranging from LinkedIn and social media to generic email addresses and sales channels.
If a vendor doesn't have responsible disclosure instructions on their website, opening up an initial line of communication can be even more difficult.
"Nowadays, companies are not always receptive to receiving news about security issues with their products or offerings," DeWall says. "Most of the communication results in radio SILENCE…. This can be frustrating from a researcher's standpoint that is trying to relay sensitive information in the most preferred method possible. The biggest takeaway here is to keep trying."
"In scope" and "out of scope" bugs are common features of disclosure processes. For example, organizations may want to know about Remote Code Execution (RCE) vulnerabilities but will not consider issues that may be less severe -- despite their exploitability or real-world impact -- such as unsecured servers, Server-Side Request Forgery (SSRF) or Insecure Direct Object Reference (IDOR) vulnerabilities.
DeWall says that White Oak has run into "multiple" examples of this when SSRF/IDOR bugs are 'out of scope' and, therefore, submissions are not accepted. This could be for many reasons, such as a limited number of staff able to verify reports and the time required to tackle flaws.
"The organization may not have the financial resources to pay the bounties or the number of employees required to keep up with the validation effort. If a high-risk bug is discovered that is 'out of scope,' is it no longer exploitable? I would still strongly urge organizations who have bug bounty programs to accept (or provide a contact form for) any submissions that are 'out of scope.'"
According to DeWall, one of the "biggest" frustrations in vulnerability disclosure is not receiving any credit for finding and responsibly reporting a bug.
Researchers want to be acknowledged for their work and may want to list their findings as part of their portfolio; on the flip side, organizations don't want security flaws found in their products to be made public.
If you want to encourage researchers to spend their time on improving the security of your products, a Hall of Fame – which does not have to reveal the technical aspects of vulnerabilities – could be the way forward as a fair compromise.
"Bug bounty hunting or security research is here to stay and won't be stopping anytime soon (or ever)," the researcher noted. "However, the way we handle it can change – the researchers and organizations must work together."
HackerOne has put together an e-book with tips for those interested in becoming involved in bug bounty hunting.