Let the Hunt Begin! All You Need to Know About Bug Bounty Programs

December 6, 2019

Google has recently revealed increased payouts for its Android Security Rewards program. The company is willing to award up to $1.5 million to hackers who can successfully compromise its Titan M security chip, which is used in Pixel devices. According to a company blog post, Google has already paid out more than $4 million for the 1,800 vulnerability reports submitted regarding the platform.

In recent years, almost all reputable companies have implemented Bug Bounty Programs, and the practice has spread to more conservative government organizations such as the United States Department of Defense. But what exactly is a Bug Bounty Program, and how does it work?

Bug Bounty Basics. What Are They and Why Do They Work?

Every technology organization has a software development life cycle (SDLC), a systematic process for building software that aims to ensure a high-quality, secure product. An SDLC usually covers requirements, training, design, development, deployment, testing, response, and maintenance. A bug bounty is a reward paid out to those who find and report critical flaws in the software, wherever in the SDLC they arise. The bounty ranges from a monetary reward to the symbolic gesture of having one’s name listed in a “hall of fame”, or any combination of the two.

While central to the testing and response phases, bug bounty programs provide important insights across all parts of the SDLC. For example, a bounty program may reveal an opportunity for best-practices training that prevents gaps and vulnerabilities from occurring later.

The implementation depends on the company’s sphere of activity. For example, the Avast bounty program rewards ethical hackers and security researchers for reporting remote code execution, local privilege escalation, denial of service (DoS), or scanner bypass. Uber’s vulnerability program, on the other hand, focuses primarily on protecting the data of its users and employees.

Most Common Rules of Responsible Research and Disclosure

As in any game, there are rules for ethical hackers to follow. The most common practice is so-called “responsible disclosure”, which involves privately notifying the affected software vendors or cloud platforms of vulnerabilities. Here are the other golden rules of bug bounty hunting:

The hacker must not break any laws. Testing must not violate any law, nor disrupt or compromise any data.

Original and unreported. Vulnerabilities must be original, not previously reported and not publicly disclosed. The affected software must also be a current stable release, or a widely used beta release.

All reports must be encrypted. Almost all organizations running Bug Bounty Programs require bug submissions to be encrypted.

Social engineering and physical security attacks. Microsoft clearly states that submissions requiring manipulation of data, network access, or physical attacks against the company’s offices or data centers, and/or social engineering of its customer support service desk, employees, or contractors, are not eligible for bounty awards.

Individual restrictions. Google is unable to issue rewards to individuals who are on sanctions lists or to residents of countries on sanctions lists (e.g. Cuba, Iran, North Korea, Sudan, and Syria). Moreover, participating developers are responsible for any tax implications, which depend on their country of residency and citizenship.

A Short List of Bounty Programs Implemented by Reputable Companies in 2019

Google. The company has recently introduced a top prize of $1 million for a full-chain remote code execution exploit with persistence that compromises the Titan M secure element on Pixel devices. But this is not the only program currently running. The company’s Vulnerability Reward Program covers any Google-owned web service that handles reasonably sensitive user data. Services in scope: google.com, youtube.com, blogger.com, Google Cloud Platform, Google Play, the Chrome Web Store, Home, OnHub, and Nest.

Facebook. Although Facebook sets no upper limit on the payout, the company will pay a minimum of $500 for a disclosed vulnerability. To be eligible for a bounty, anyone can report a security bug in Facebook or in one of the following qualifying products or acquisitions in the Facebook family: Instagram, Internet.org/Free Basics, Oculus, Workplace, open source projects (e.g. osquery), WhatsApp, Portal, FBLite, and Express Wi-Fi.

Microsoft. The company is ready to pay $15,000 for critical bugs found in its services, up to a maximum of $250,000. Its current Bug Bounty Program was officially launched in September 2014 and covers only Online Services. Services in scope include Microsoft Azure, Microsoft Identity, Microsoft Online Services, Microsoft Azure DevOps Services, Microsoft Dynamics 365, Microsoft .NET Core and ASP.NET Core, Microsoft Hyper-V, Office Insider, ElectionGuard, and Microsoft Edge (EdgeHTML) on Windows Insider Preview.

Intel. The company incentivizes security researchers to report security vulnerabilities in Intel products and technologies. To encourage closer collaboration with the security research community on these kinds of issues, Intel created its Bug Bounty Program. Eligible Intel products and technologies: processors, chipsets, FPGA, Networking/Communication, Motherboard/System (e.g., Intel Compute Stick, NUC), Solid State Drives, UEFI BIOS, Intel Management Engine, Baseboard Management Controller, device drivers, and tools. Intel will award bounties ranging from $500 to $100,000, depending on the nature of the vulnerability and quality and content of the report.

Apple. Earlier this year, Apple’s head of security engineering and architecture announced at the Black Hat conference that Apple was expanding its bug bounty program to include all of its major platforms. Apple’s bug bounty program now covers iOS, macOS, watchOS, tvOS, iPadOS, and iCloud, as well as all devices that run these operating systems. The maximum payout for finding a bug has been increased to $1 million. Moreover, the company will pay $100,000 to those who can extract data protected by Apple’s Secure Enclave technology.

Bug Bounty Programs are commonly seen as the most effective and inexpensive way to identify vulnerabilities in systems and products, and more and more companies are discovering their benefits.