Bug hunting for fun and profit (2020 edition)

Oded van Kloeten
SSD Secure Disclosure
6 min read · Jan 16, 2020

The need for bounty programs

Bug bounty programs are offered by many websites and organizations these days; through them, individuals can receive recognition and compensation for reporting bugs, exploits and vulnerabilities.

Financial rewards to those identifying and reporting valid vulnerabilities and exploits can reach tens of thousands of dollars for each vulnerability found. In some cases, professional coders, programmers and experienced QA personnel might leave their day job and focus on independent bug hunting as their main source of income and learning.

From the firms’ side, these programs allow the developers to discover and fix bugs before the general public is aware of them, or perhaps even before the products are actually launched. The biggest players in tech, Google, Stripe, Yahoo!, Microsoft and many others, have their own programs. Companies that do not have their own program often choose to use disclosure services to bridge this gap.

SeungJin Lee, head of Graylab security at LINE, shared with us his experience with bug hunting and work processes:

Our CISO team is committed to protecting our customers. As part of this commitment, we invite security researchers to help protect ABN AMRO and its users by proactively identifying security vulnerabilities via our bug bounty program. We work hard every day to maintain and improve our systems and work processes so that our customers can bank safely online at all times. With that being said, should anyone find a weakness in one of our IT systems, we would happily have them join our bug hunting crew.

The numbers game

There are two approaches to managing bug bounties from the firms’ point of view: some companies choose to self-host their programs, allowing them to filter and choose the participants, the amounts paid, the verification process, etc., while others use the services of a bug bounty platform to launch and coordinate them.

Bug bounty platforms such as hackenproof or yogosha allow companies using their platform to have a large number of researchers with various backgrounds test their digital assets over a long period of time, greatly reducing the chance that a bug will “slip by”. Companies such as SSD support a dedicated community of security researchers who wish to turn their skill in uncovering security vulnerabilities into a full-time career, by providing fast, trustworthy feedback and by acquiring vulnerabilities even when the vendor does not have a bug bounty program.

Many companies have a mindset of building an ironclad wall around their digital assets, when in fact, no matter how good that security is, sooner or later hackers will find a weak spot and exploit it. The better approach is to play the numbers game and have a variety of professionals run bug hunts on your product on a regular basis. When it comes to bugs and potential exploits, traditional security consulting companies simply can’t compete with the talent base that is available to bug bounty platforms.

Joining the hunt

There are two main ways in which a researcher can participate and make money as a freelance bug bounty hunter:

First, you can find and disclose vulnerabilities to specific product vendors. If you possess expertise in a specific OS or hardware, the compensation may be extremely high. For example, in the case of an Android remote full chain, you can get a couple of million USD for a single full-chain exploit. The downside is that the patch cycle may be burdensome. Some companies do not handle this very well when approached directly, and in those cases a third-party service (such as SSD Secure Disclosure) will be needed to reach these vendors.

SeungJin Lee explained this in depth:

Well-priced gray markets commonly pay the promised balance after a product has been delivered to buyers, at least for a certain period of time. For example, if a bug is patched in a month, you can end up receiving less than a quarter of the original price. Therefore, it is important that your bugs survive long. If you can find a bug that others cannot find, or if you have the ability to find bugs very often, you’re on the right track. You can earn more than $5 Million USD a year just by using two Android remote full chains. (In addition, the price of bugs continues to rise year after year.)

The second method is to find bugs in the service or product of the company running the bug bounty. Compared to the first method, it is relatively stable and easy. Of course, corporate bug bounties won’t pay if the bug reported has already been reported by someone else. However, there are many more targets that can be attacked, and the difficulty is often lower than that of the first method.

The stress on the patch cycle is greater than you think. This is empirically understood by companies and individuals looking to make a big contribution with bug bounty. Personally, I recommend the first if you have a high stress resistance index, have confidence in your skills, and at the same time pursue adventures in success; otherwise I recommend the second.

Oh, of course, the first method is often on the border between illegal and legitimate, so you have to be very careful about this.

Submit the bugs, get paid

As you probably understand by now, income for bug hunters is not low. In fact, some people earn about $1 million a year on corporate bug bounties alone. Luck is important, but it’s possible to reliably earn a substantial income, depending on your efforts.

With a wide variety of bug bounty platforms across a number of industries and specialties (web, mobile, IoT or network hacking), everyone can find their right spot. Most programs will even take care of the paperwork or will have a built-in payment system, automating bounties and payments.

While companies like Apple do not commit to a minimum amount, there have been cases where the maximum payout reached millions of dollars. Some researchers prefer to stay anonymous and not be identified by the firms or vendors whose products they found bugs in, and use disclosure services to act as the middleman. These services are becoming more and more popular, as researchers can skip the hassle of contacting the firms, getting their findings approved and ultimately getting paid.

The high overall revenues and the low risk factor attract researchers from all areas of software to switch to disclosure services, resulting in industry growth and higher payouts for unique findings.

Bug hunts and vulnerability-reporting programs are critical for any company, especially for those outside the technology industry. Companies that do not have the technical ability to create a bug bounty program from scratch can hire firms that help manage the process using their own platform, and so stay protected while providing work and challenges to a vast community of white-hat hackers, researchers and freelancers.

At SSD, we help security researchers turn their skill in uncovering security vulnerabilities into a career. Designed by researchers, for researchers, SSD provides the fast response and support needed to get zero-day vulnerabilities and disclosures reported to vendors and to get researchers the compensation they deserve. We help researchers get to the bottom of vulnerabilities affecting major operating systems, software and devices.

Visit SSD: https://ssd-disclosure.com/typhooncon

Visit GrayHash: https://grayhash.com/eng/html/Member.html

Join the conversation:

https://twitter.com/SecuriTeam_SSD

https://twitter.com/typhooncon

https://www.facebook.com/typhooncon/

https://www.linkedin.com/company/ssd-disclosure

https://t.me/joinchat/I6jTnFGgDuaJlhk...