
Why does the largest mobile operator pay for critical vulnerabilities with 3 months of free Internet, why does the state airline consider passport data and date of birth not to be confidential information, and why does the number 1 delivery service in the country deny a data leak that is plainly visible in screenshots?
Meanwhile, on another continent, the Pentagon gathers 1,410 security freelancers and pays $75,000 for the vulnerabilities they find. The US Department of Defense also launches a reward program and pays more than $100,000 for 118 vulnerabilities (bugs) found across all official department sites.
In this article we will look at the specifics of implementing and maintaining one of the most effective security measures: a bug bounty program for finding and reporting vulnerabilities.
For a complete picture of how domestic companies treat security, I will expand on the first paragraph with facts and details (proofs):
A recent post about a vulnerability at the airline UIA and its inadequate reaction; to quote it literally: "the data obtained are not confidential information (such as date of birth and passport data)".
Somewhat better, but just as strange, was the situation with the largest mobile operator Kyivstar in the summer of 2016.
Chief Digital Officer (CDO) Vitaly Sultan said that the company takes security more than seriously and expressed the hope of publishing bug bounty terms within a couple of weeks... 2 years have passed, and all Google shows (!) is my old article and a full-disclosure report on the vulnerability on the openbugbounty website, to which Kyivstar did not even want to respond.
Why can't companies and white hackers agree?
Many seemingly large and reputable companies respond inadequately to reports from white hackers, trying to save face by every possible means, even resorting to outright lies. The cause is fear of losing reputation combined with the absence of a clear response plan. As a result, exactly what was feared comes to pass. Yes, at first all the intrigue and investigation stay within a circle of techies, but sooner or later the incident surfaces, lands on the pages of business publications and spreads further.
I am sure none of this would happen: an adequate reaction from the company and simple gratitude would smooth over any friction. Let's dig a little deeper and think about why this happens. From my experience, I will simply list 3 typical concerns about bug bounty programs:
1. Why should we encourage hackers to break in? Many people think that a reward program for found vulnerabilities is excessive motivation that attracts unnecessary attention. "The quieter you go, the further you get," they say.
Isn't this the "maybe it will blow over" approach? Bug bounty is not only a stimulus for hackers to find vulnerabilities, but also a tool for managing information security policy. For example, in my practice, the decision to open a bug bounty program was an excellent counter-move against an attempt at blackmail and extortion by black hackers.
2. What if hackers do not send us the vulnerability they found, but use it for bad purposes?
A hacker always has a choice: to report a vulnerability or not. He knows how much money he can officially get. What if he could "earn" many times more with the help of the vulnerability, for example millions of dollars? After all, he could hide the fact that he found it and later, from an anonymous device, act as a black hat hacker?
This is an attempt to hide what is already there, or to delay the inevitable (or at least the probable). What if nobody finds it, what if it resolves itself after an update? Selling or "monetizing" a vulnerability takes time: planning the operation, communications, cashing out, staying anonymous, and preparation. And in competition with other bug hunters, the only visible prospect is losing a legitimate reward to another, more ethical hacker.
3. We have a lot of updates coming, many software updates are planned, and new functionality will be added. Why test what we are most likely to update anyway and extend with additional functionality? Bug hunting would be wasted work.
This is the eternal repair, or eternal construction site, that every startup lives on. If this is not an MVP (a beta version of the product) and the product is already being sold and money is being spent on marketing, then the product already has value for hackers. And hackers, too, understand the decision-making logic of startups, which are often the easiest to crack. Why is money spent on marketing, but not on security?
And what are the rules of communication between white hackers and the company?
Ultimately, hackers themselves "open" a reward program at any company they like. And if the organization's employees violate the rules of vulnerability disclosure, there are two outcomes, both negative: prison for the finder or shame for the company. There are many examples.
The most revealing recent one is a series of public disclosures under the tag #FuckResponsibleDisclosure. The hacktivists were so disheartened by the indifferent, "couldn't-care-less" reaction of organizations that they resorted to the only way out: to warn everyone publicly about the danger by disclosing full information about the vulnerabilities found.
Could a company's breach of its obligations under Responsible Vulnerability Disclosure give the hacker the right to breach them in return?
The answer to this question lies in the rules of Coordinated Vulnerability Disclosure. But who has the right to coordinate the disclosure of a vulnerability if the vendor refuses to participate in the process?
Let's just recall the basic truths of bug hunting:
The white hacker has the right to:
- Begin the process of identifying a vulnerability when its signs are detected.
- Pass information about the vulnerability to the responsible person at the company.
Does not have the right to:
- To cause irreparable damage in the process of identifying vulnerabilities.
- Disclose the vulnerability to third parties.
In addition:
- There is no obligation to volunteer for commercial companies and help them improve security for free.
- Demanding money or setting any conditions before disclosing a vulnerability is blackmail.
- Asking for a cash reward before disclosing a vulnerability is unethical and is not white hat hacking.
White hackers do not stop. They send tech support information about the vulnerabilities they find, patiently wait for an answer and explain. They send proof that the vulnerability exists (Proof of Concept), screenshots and video. They observe the unwritten principles of responsible disclosure and then publicly disclose the vulnerability, warning everyone about the dangers of dealing with the organization.