“Get a bug if you find a bug”
All there is to know about bug bounty programs.
What is a bug bounty?
A bug bounty is a contest organized by software publishers or technology services companies such as Apple, Facebook, or Google, or by specialized companies such as Yes We Hack or Bugcrowd. These companies invite researchers, hackers, and cybersecurity specialists from around the world to help them discover vulnerabilities in all or part of their software. The bonus? A monetary reward, the amount of which varies according to the criticality of the vulnerability found.
Bug bounties make it possible to discover different types of vulnerabilities, including 0-day threats.
When was the first bug bounty created?
The first bug bounty is usually attributed to web pioneer Netscape Communications, which launched its first vulnerability discovery program in 1995.
However, TechCrunch* magazine mentions a bug bounty organized in 1983 by Hunter & Ready to search for vulnerabilities in its VRTX operating system. The reward: a Volkswagen Beetle (the famous “Bug”). The slogan: “Get a bug if you find a bug”.
How large are the rewards offered by bug bounty programs?
Rewards in bug bounty contests can range from a few hundred dollars to a few hundred thousand dollars. Here is the reward range given by Google in 2019:
Source: google.com; March 2019
In 2018, Google rewarded 317 specialists (from 78 different countries) for a total of $3.4 million. Of this $3.4 million, the highest individual award was $41,000. Since 2010, when it created its bug bounty program, Google has offered $15 million in rewards for vulnerabilities discovered within its program**.
One can also note the existence of 0-day exploitation competitions organized on the sidelines of hacking conventions, which, when sponsored by major players, attract the best researchers. The objective is to demonstrate live, i.e. in front of an audience, an exploit against dominant technologies from vendors such as Microsoft, Google, or Apple. These high-profile events highlight the best companies and researchers in the field worldwide. In particular, they enable the discovery of numerous critical 0-day vulnerabilities.
For example, the 2019 Pwn2Own competition at CanSecWest offered researchers the opportunity to test a Tesla. As a reward, much like the Beetle example mentioned above, they were offered a Tesla.
Source: thezdi.com; March 2019
Since not all companies can afford to spend large amounts of money on bug bounty programs, internally run bug bounties are reserved for companies with significant resources. For the others, bug bounties take other forms.
Apart from the internet giants and big software companies, who are the major players in bug bounties?
The Yes We Hack organization, created in 2013 “by cybersecurity enthusiasts, all rooted in the community”, claims to be the “first European bug bounty platform”. In concrete terms, Yes We Hack connects companies with its community of researchers, composed of 7,137 experts*** in March 2019.
These companies have the choice between private programs (which remain confidential and are accessible by invitation only) and public programs (which are open to all and published on the platform’s website).
Yes We Hack’s public program rewards, again in March 2019, start at $50 and can reach a maximum of $10,000.
Source: yeswehack.com; 2019
In the United States, the HackerOne platform, created in 2012, operates on the same model as Yes We Hack. It connects public and private organizations with its community of ethical hackers, composed of 290,000 experts in 2018. HackerOne has notably worked with Airbnb, General Motors, and the US Department of Defense. Its goal is to “make the Internet more secure”. Since its creation, it claims to have offered $40 million in rewards to its researchers****.
HackerOne and Yes We Hack are not the only platforms of this kind, but they remain the best-known ones.
Are there bug bounty programs without rewards?
The very principle of a bug bounty program is based on the exchange of information for a reward. However, not all researchers and hackers are looking for a financial return. As an illustration, Yes We Hack has also launched the zerodisclo.com platform, a website that allows experts to report vulnerabilities anonymously. These alerts are processed by CERTs (computer emergency response teams), which are responsible for notifying the affected companies.
What rules must bug bounty participants respect?
Each bug bounty program sets its own rules. More often than not, the reward increases with the criticality and scope of the vulnerability. Here is an example of the rules issued by Yes We Hack in March 2019 for one of its programs:
Source: yeswehack.com; March 2019
What is a hall of fame?
A hall of fame highlights the hackers and researchers who have contributed the most and/or found the most critical vulnerabilities.
Santiago Lopez, a 19-year-old Argentinean, stands out in particular. He is the first expert to have reached the record figure of one million dollars earned on the HackerOne platform. He is responsible for the discovery of 1,670 security flaws, notably affecting Twitter and WordPress****.
These halls of fame give experts access to coveted positions and allow companies to recruit those who are considered the best in their field.
Are bug bounties effective?
There is no doubt about the effectiveness of bug bounty programs, which remain very popular among experts and among private and public organizations. Both parties are committed to making information systems, software, and the web more secure.
*Sources: techcrunch.com; Hacking the Army; 2017 / ITSP
**Source: lemondeinformatique.fr; $3.4M distributed by Google in 2018 for its bug bounty program; February 2019
***Source: yeswehack.com; March 2019
****Source: hackerone.com; March 2019