
Bug Bounty: Earn from the mistakes of others



In this article, I will talk about Bug Bounty programs, their pros and cons, and how researchers earn money from them.


First of all, let's define what Bug Bounty is: a program that pays rewards for finding security problems in a company's services and applications. In Russian, this is most appropriately translated as "Hunting for bugs."


That is, it is a set of rules of "interaction" with the company's information resources. Usually it includes the program rules, a list of in-scope resources, a description of the accepted vulnerability classes, and the reward sizes. In the classic version, this is a description of what may be "broken" and how much the bug hunter will receive for each kind of vulnerability.


This is what Bug Bounty looks like from the outside. What does it give the company? First of all, a continuous process of "stress testing": specialists with different levels of knowledge, different tools and different time zones attack the company's resources non-stop. On the company's side, the resources involved are:



Bug Bounty pros and cons


Now let's look at the pros and cons of Bug Bounty programs.


The obvious advantages are:



The obvious minuses are:



Often, many bug hunters who participate in Bug Bounty programs limit themselves to their "signature" tricks and do not research anything else, or, conversely, they throw everything at scanners in the hope of catching at least something. This gives a diverse but not complete approach to testing. Also, a huge number of scanner false positives can overwhelm the development team with unnecessary work (each report requires additional verification and a response, and there can be a lot of them).


Open programs


Most companies are represented on aggregator platforms such as HackerOne or Bugcrowd.


Many Russian companies have opened their own programs, as well as profiles on HackerOne. Among them are companies such as Yandex, Mail.ru, QIWI, VKontakte and many others. What more is there to say, when even the Pentagon has its own Bug Bounty program. (Hacking the Pentagon, getting paid and staying free sounds like a hacker's dream, but it is a harsh reality.)


The average payout is from $200 to $1000, depending on the vulnerability and its location.


Here, for example, is the valuation of detected vulnerabilities in Yandex's program "The Hunt for Errors":



The most "expensive mistakes"


Over the course of their Bug Bounty programs, many companies have paid out totals of $5 with a whole string of zeros after it (Facebook alone has paid more than $5,000,000 in rewards), but there have also been individual rewards that were impressive enough. Most interestingly, the bugs were of cosmic scale, yet they were sometimes found almost by accident:


The Uruguayan schoolboy Ezequiel Pereira stumbled, out of boredom, on a bug that brought him $10,000. The student, who wants to build a career in information security, was fiddling with Google services, using Burp Suite to substitute the Host header in requests to the App Engine server (*.appspot.com). Most of the attempts returned "404", but one of the internal sites, yaqs.googleplex.com, suddenly turned out to have no login/password check and no hint of any protection.

Identifying a known vulnerability:


The Russian researcher Leonov discovered an error in the social network's software that, with the help of a specially crafted picture, allowed arbitrary code to be run on its servers. To do this, it was necessary to exploit a vulnerability in the ImageMagick service, used for rapid scaling and conversion of images in the Facebook news feed, Lenta.ru reports. Leonov stumbled upon the error accidentally while testing a third-party service, studied it and handed all the necessary information to Facebook's technical staff, who eliminated the vulnerability in November 2016. As a result, the social network paid the hacker a reward of 40 thousand dollars. In 2014, Reginaldo Silva, a cybersecurity expert, received a record amount of $33,500 from Facebook.

Or the epoch-making hack of Facebook and the discovery of someone else's backdoor in the system, which brought the researcher $10,000: How I hacked Facebook and found someone else's backdoor.


I want to participate, what should I do?


For those who have decided to test their skills and abilities in hunting for bugs, I can suggest a few basic steps that lead to victory:


Follow the news. The program has been updated - run and check the new services. Has the vendor added new functionality, extended old functionality or integrated a third-party service? That is a great opportunity for a mistake to have crept in, especially in a complex infrastructure.


Perseverance. Study scrupulously and do not miss any detail. A good practice is to periodically compare the results of past checks with the current state of the system.


Search. Seek and you will find. Most major bugs are found on "non-public" subdomains and directories. Here you will find useful tools for identifying subdomains and good wordlists for brute-forcing directories and subdomains.


Study. Set aside the automatic scanners and sift the web application (and most Bug Bounty programs are web-related) like sand through a sieve in search of grains of gold. Here I recommend using Burp Suite or OWASP ZAP - there are no better tools. Almost all major victories in bounties are the result of working with these tools (you can see this in almost any public report).


Explore. Download the application for local research, if possible. Read the reports of other participants - they can give food for thought. Take the same Facebook hack: many Russian bug hunters saw that subdomain and even tried to do something with it, but did not pull it off. A good aid for this is the resource: The unofficial HackerOne disclosure Timeline.



Source: https://habr.com/ru/post/335676/

