
How to develop a bug bounty program

Vulnerabilities are likely, even in the best software. Creating a bug bounty program is one way to find and fix them faster.

Image: iStock/© Ivonne Wierink-vanWetten

Penetration testers recently found significant vulnerabilities in Uber applications through the company's public bug bounty program, which invites outside researchers to find and report security flaws.

Eight bugs were uncovered over three weeks by a Portugal-based team. One flaw allowed them to download individual drivers' and passengers' travel histories. They also discovered a voucher for a $100 emergency ride that Uber didn't know about. Other flaws let the testers obtain invite codes via riders.uber.com and drivers' private email addresses.

The concept of rewarding people for finding flaws which might then be publicized may sound crazy. But ask yourself this: who would you rather find out about a disastrous bug in your code — someone working on your behalf, or against you? A bug bounty program can take advantage of crowdsourcing to get results fast, from an array of researchers with different tools and techniques.

"Finding multiple vulnerabilities in a product is not surprising," said Lane Thames, a developer for cybersecurity firm Tripwire. "Developing secure software is difficult, even for seasoned programmers who understand security concepts." Because building bulletproof systems is such a challenge, Thames said more and more companies are opting to implement bug bounty programs:

"Bug bounty programs open the doors and allow ethical hackers an opportunity to put their skills to work for profit. On the flip side, companies minimize their costs because payment for service is only required for those who find vulnerabilities within the scope of the program. At the same time, their products can be made more secure. This is a major win-win for both the ethical hacker and the company sponsoring the bug bounty."


The rewards can be significant for hunters. Uber will pay up to $10,000 for bugs that could compromise accounts or run malware on one of its production systems. It also runs a bug bounty "loyalty system" that pays bonuses for repeated discoveries in Uber's platform, and it has promised a "treasure map" for bounty hunters that documents the company's code and points them toward likely weak spots, to make hunting as efficient as possible. There are also bug bounty competitions, such as Battlehack 2015, whose world-finals winner took home $100,000.

Many big names in tech run bug bounty programs, including Mozilla, Facebook, PayPal, Google and Microsoft. Even the U.S. government has joined the parade: earlier this year the Department of Defense's "Hack the Pentagon" program paid out over $70,000.

You can find a basic public bug bounty list here and a comprehensive one here. You can also check out bug bounty programs devoted to specific programs and languages (such as Flash, Perl, PHP, etc.) here.

Starting a bug bounty program

There's a wealth of information out there on how to become a bug bounty hunter, but it's worth looking at how you might get a bug bounty program for your organization up and running. Here are some things to consider:

  • Specify what constitutes a vulnerability. You don't want intended behaviour to be reported as a flaw (for instance, the ability to retrieve data a website deliberately publishes). Likewise, if you already know about a problem and are working on remediation, you don't want to pay someone to tell you what you already know, so record it in a "known issues" list that researchers can check their findings against. Define in advance any low-impact or accepted-risk issues you won't fix, so these aren't submitted for bounties either.
  • Set explicit parameters for your bounty program: which domains, IP ranges, applications or services are in scope (and which are NOT), and what researchers may and may not do with anything they find. For instance, if they discover it's possible to download or delete private data, stipulate that they must not do so to demonstrate the vulnerability beyond their own test account; confirming the full impact is the job of your own security and development teams.
  • Identify sensible bounty amounts. Pay enough to attract researchers, but don't break the bank on a flood of irrelevant or low-risk reports. Tie rewards to the risk to users or systems: the ability to read or destroy private data, take over accounts or run code on your infrastructure should earn the largest payouts, with informational findings earning little or nothing. Make sure your budget can absorb the volume of submissions you may receive, and pay fairly so researchers play fairly.
  • Specify what level of detail researchers must submit as evidence: step-by-step reproduction instructions, screenshots, video recordings of the activity performed, and so on. This sets expectations on both sides and makes triage far quicker.
  • Get buy-in from your security team before launch, and agree how researcher traffic will be told apart from real attacks, for example by requiring a distinctive header or User-Agent string, registered source IP addresses or dedicated test accounts. That lets the team tune and route the resulting alerts rather than switching intrusion detection or alerting off for the duration of the program, which would also blind you to genuine attackers who know a program is running. Logging should continue as usual; it is what you will use to verify reports and to distinguish a researcher's probe from a real breach.
  • Keep up steady communication with participating researchers so both sides know the status of each report. Don't give every researcher access to one another's unresolved reports, though; that widens the exposure of unfixed flaws. To cut down on duplicate work, publish the known-issues and out-of-scope lists, tell duplicate submitters which earlier report theirs matches, and disclose full reports only once a fix has shipped.
  • You don't have to go it alone. HackerOne offers a hosted bug bounty platform which you can explore via a free trial. It lets you define scope, eligibility rules, reward amounts and researcher expectations, and view and triage the results. Cobalt and Bugcrowd are further examples of similar service providers.
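Several of the items above (what counts as a vulnerability, a known-issues list, scope, conduct rules, evidence requirements and a reward schedule) end up as rules a triage team applies to every incoming report. As an added illustration that is not code from this article or from any bounty platform, here is a small Python triage helper over a constructed policy: wildcard host scope where out-of-scope entries take precedence, CIDR ranges for IP targets, duplicate detection against a known-issues list, an evidence gate, a check on the rules of engagement, and a reward schedule keyed to severity. All hostnames, networks, ticket IDs and dollar figures are made up for the example.

```python
"""Bug bounty triage helper (constructed example; not any real program's rules)."""
import ipaddress
from dataclasses import dataclass, field

# --- Program policy (every value below is constructed for illustration) -------
IN_SCOPE_HOSTS = ["*.example.com", "api.example.net"]
OUT_OF_SCOPE_HOSTS = ["status.example.com", "*.corp.example.com"]
IN_SCOPE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3 documentation range

# Known issues already being fixed: (host, vuln class, location) -> tracker id.
KNOWN_ISSUES = {
    ("www.example.com", "reflected-xss", "/search?q="): "SEC-101",
}

# Reward schedule tied to impact on users and systems.
REWARD_BY_SEVERITY = {"critical": 10000, "high": 4000, "medium": 1000,
                      "low": 250, "informational": 0}


@dataclass
class Report:
    target: str            # hostname or IP address the finding is against
    vuln_class: str        # e.g. "idor", "reflected-xss"
    location: str          # endpoint or parameter where it reproduces
    severity: str          # researcher's claimed severity, validated below
    evidence: dict = field(default_factory=dict)  # {"steps": [...], "screenshots": n, "video": bool}
    records_accessed: int = 0  # third-party records the researcher actually read or changed


def host_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches subdomains on a label boundary only: not the apex
    'example.com', not 'evil-example.com', not 'example.com.evil.net'."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # pattern[1:] == ".example.com"
    return host == pattern


def target_in_scope(target: str) -> bool:
    """Out-of-scope entries win over in-scope ones; IPs are matched against CIDR ranges."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        return any(addr in net for net in IN_SCOPE_NETS)
    if any(host_matches(p, target) for p in OUT_OF_SCOPE_HOSTS):
        return False
    return any(host_matches(p, target) for p in IN_SCOPE_HOSTS)


def fingerprint(report: Report) -> tuple:
    """Normalised key used to spot duplicates of known issues."""
    return (report.target.lower(), report.vuln_class.lower(), report.location)


def evidence_sufficient(report: Report) -> bool:
    """Require reproducible steps plus a screenshot or video, as the policy spells out."""
    ev = report.evidence
    has_steps = len(ev.get("steps", [])) >= 2
    has_capture = ev.get("screenshots", 0) > 0 or bool(ev.get("video"))
    return has_steps and has_capture


def triage(report: Report) -> dict:
    """Apply the policy in order: scope, conduct rules, duplicates, evidence, reward."""
    if not target_in_scope(report.target):
        return {"decision": "out-of-scope", "reward": 0}
    if report.records_accessed > 0:
        # Touching other people's data to "prove" a bug breaks the rules of engagement;
        # escalate to the internal team rather than auto-rewarding.
        return {"decision": "policy-review", "reward": 0}
    known = KNOWN_ISSUES.get(fingerprint(report))
    if known:
        return {"decision": "duplicate", "duplicate_of": known, "reward": 0}
    if not evidence_sufficient(report):
        return {"decision": "needs-more-info", "reward": 0}
    sev = report.severity.lower()
    if sev not in REWARD_BY_SEVERITY:
        return {"decision": "needs-more-info", "reward": 0}
    return {"decision": "accepted", "severity": sev, "reward": REWARD_BY_SEVERITY[sev]}


if __name__ == "__main__":
    r = Report("api.example.com", "idor", "/v1/users/{id}", "high",
               {"steps": ["log in as user A", "request /v1/users/B"], "screenshots": 2})
    print(triage(r))  # {'decision': 'accepted', 'severity': 'high', 'reward': 4000}
```

The ordering in `triage` is deliberate: scope and conduct are checked before anything else, so an out-of-scope or rule-breaking submission never reaches the reward table, and the wildcard matcher anchors on a label boundary so that `example.com.evil.net` cannot be smuggled into scope as a "subdomain".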

Security is a journey, not a destination

Bug bounty programs are just one way of rooting out and fixing vulnerabilities before attackers can exploit them. Just as you can't build a house with only a hammer, you can't secure one with nothing but a padlock. There is no single measure that delivers the best possible security; a toolkit of complementary measures is the answer. Following programming best practices, applying secure design principles, using QA and security tests to examine new code for flaws, keeping up with new technologies (and being aware of the risks they bring), testing yourself through penetration testing, and running a bug bounty program are all essential parts of that toolkit.


About Scott Matteson

Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.
