Ruby on Rails creator David Heinemeier Hansson once wrote an article entitled "Bugs are in programs. This is normal." Throughout the history of people working with software (and not only with software), bugs have been an inevitable and sometimes costly companion of new and interesting solutions.
Last year, the software failures recorded in the Software Fail Watch report alone cost companies around the world $1.7 trillion. Such losses encourage businesses to increase their spending on software testing. Companies hire full-time testers and invest more and more money in automated systems.
There is one more direction that companies do not spare money on: Bug Bounty programs. Large technology corporations (Apple, Facebook, Google) and even government organizations pay rewards to white-hat hackers for finding vulnerabilities in software. Here we look at the history of this phenomenon.
/ Wikimedia / Alexandre Dulaunoy / CC
A Brief History of Bug Bounty
The idea of searching for vulnerabilities in security systems appeared long before the first programs were written. In the 19th century, an English company that made door locks offered 200 golden guineas (about $20,000 at the current exchange rate) to anyone who could break one of its products. The American inventor Alfred Charles Hobbs took up the challenge, coped with the task in 25 minutes, and received the award.
More than 100 years have passed, and the security issues that companies address have moved into the digital space. Software vulnerabilities that attackers can exploit have become no less of a problem for business than unreliable door locks.
Presumably, the first incentive program for finding vulnerabilities in IT was an announcement from Hunter & Ready dating back to 1983. The company developed the VRTX real-time operating system and offered a Volkswagen Beetle (a "bug") as the reward for a bug found in it. However, the winner could also take the prize in money: a thousand dollars.
/ Flickr / greg gjerdingen / cc
By the mid-90s, several large hacker attacks had already occurred around the world, and a modern IT security industry began to take shape. At the same time, the first web browsers gained popularity; in this niche there was a confrontation between the products of Netscape and Microsoft. 1995 was an especially successful year for the former: taking advantage of its leading position in the market, the company successfully conducted an IPO. In the same year, Netscape technical support engineer Jarrett Ridlinghafer found that many enthusiastic users were independently searching for bugs in the browser and posting fixes for them online. Jarrett therefore suggested that management encourage such activity and start paying cash rewards.
On October 10, 1995, Netscape launched the first Bug Bounty program. It paid users of the Netscape Navigator 2.0 beta who found vulnerabilities in the browser and reported them to the company. According to some data, Ridlinghafer was allocated an initial budget of $50 thousand. The rewards for program participants were not only money but also goods from the Netscape store.
The first to follow Netscape in attracting users to search for bugs was iDefense, a security company. In 2002, it launched its own Bug Bounty program. The amount of the reward varied depending on the type of vulnerability, the amount of information provided about it, and the user's consent not to disclose information about the bug in the future. It was possible to earn up to $500 at a time this way.
In 2004, the Mozilla community, formed by people from Netscape, also launched a Bug Bounty program for the Firefox browser. It was financed by the well-known entrepreneur Mark Shuttleworth and the software development company Linspire. For critical vulnerabilities found, participants could receive up to $500. This program is still in effect, but the maximum reward has increased tenfold over the years. Over 14 years, its participants were paid about $3 million.
In the same year as Mozilla, the Zero Day Initiative (ZDI) program appeared on the IT security market, and it still operates. Its creators act as intermediaries between the white-hat hacker community and companies that need bugs found in their software. Three years later, ZDI funded the PWN2OWN competition. There, hackers had to try to hack two MacBook Pro laptops, since OS X was considered more secure than competitors' products. ZDI agreed to purchase all discovered vulnerabilities in Mac OS X at a single price: $10 thousand.
Incidentally, Apple at that time did not have its own bug-finding program, and it declined to launch one for almost 10 years. Apple launched a Bug Bounty only in 2016, becoming one of the last major technology corporations to offer rewards for finding bugs. But the size of the reward turned out to be one of the highest in the market: it reaches $200 thousand.
Bug Bounty today
Other large technology companies began launching their own initiatives to encourage white-hat hackers in the early 2010s. From 2010 to 2017, Google "distributed" $3 million to Bug Bounty participants; most of the money was paid for exploits in Chrome and Android. Facebook paid $5 million from 2011 to 2016. Microsoft, GitHub, Uber, Sony and others have similar initiatives. This list continues to grow; for example, Valve announced this month that it will also pay for discovered vulnerabilities.
White-hat hackers today, according to the HackerOne bug-hunting platform, earn almost twice as much as their fellow software developers. Although for many vulnerability hunters this activity is a hobby, 12% of them receive $20 thousand per year, and 3% more than $100 thousand. They can choose from programs run by a wide range of organizations: from the already mentioned Microsoft and Apple to MIT and the Pentagon. Most companies pay in money, but some pay in kind; for example, United Airlines rewards security researchers with miles.
The search for vulnerabilities has ceased to be purely about software. After vulnerabilities were found in the Tesla Model S in 2015, Elon Musk's company increased the reward for hardware bugs. The Meltdown and Spectre processor vulnerabilities pushed Microsoft to take the same step. The corporation is ready to pay big money, by this industry's standards, for bugs found: $250 thousand. Intel is also looking for help from bug hunters.
At the same time, the prevalence and availability of hacker programs has formed a separate direction: Bug Bounty as a service. Companies can turn to specialized platforms such as the already mentioned HackerOne, as well as Bugcrowd, Synack and Cobalt. These platforms bring hackers together and direct their efforts toward an authorized attack on someone's website, application or service in exchange for a reward. HackerOne alone, in 5 years of existence, has been able to pay its members $20 million.
Bug Bounty challenges and victories
Experience in the security market shows that Bug Bounty helps companies save time and money when searching for vulnerabilities. Last year, the team behind the Slack corporate messenger summed up its three years of work with hackers. It said that during this time, $210 thousand had been paid to participants who helped make Slack more secure.
One episode was indicative: a month before the publication of the company's report, one security researcher posted information online about a bug he had found in the messenger. Experts responded to the vulnerability report after 33 minutes, and after 5 hours they had fixed the bug. The program participant received $3 thousand for his find.
Another example is the US Department of Defense. HackerOne arranges vulnerability tests for it, during which hundreds of bugs are detected. According to former Secretary of Defense Ashton Carter, such work would have cost more than $1 million if the department had relied on itself. For the bugs found, it eventually paid $300 thousand.
However, to date the situation with Bug Bounty programs is not as rosy as it might seem at first glance. The industry has conflicts related to the legal issues of white-hat hacking. In 2015, Synack security expert Wesley Wineberg discovered a vulnerability through which he gained access to a huge amount of Instagram data: source code, SSL certificates and private keys, user-uploaded images, etc. Using this vulnerability, one could impersonate any user or employee of the service.
Wesley reported his find to Facebook, which owns Instagram, counting on a reward. But company representatives said that Wineberg had gone too far, that is, he had accessed personal data of company employees and service users, and this violated the rules of the company's Bug Bounty. For his find, Wineberg was excluded from the program, and his boss, Synack CEO Jay Kaplan, received a call from Alex Stamos, Facebook's information security officer, who threatened to call the police if the vulnerabilities were published.
This incident raises questions of balance, ethics and control over the work of white-hat hackers. On the one hand, companies want to solve their security problems, but on the other, it is important for them to protect the confidential information of users and employees without letting security researchers go too far. The United States is now approving a bill that would allow the US Department of Homeland Security to launch its own Bug Bounty program. Perhaps it will establish a general legal framework for the entire market.
The future of Bug Bounty
In 2017, 94% of the largest public companies on the Forbes 2000 list did not have channels for reporting vulnerabilities. However, those companies that do have a Bug Bounty program regularly increase payments to participants. At the same time, individual platforms attract funds from investors. This may indicate that the market is expanding and has potential for growth.
/ Flickr / gordon / cc
There are prerequisites for automating researchers' work. Gartner predicts that by 2020, 10% of penetration tests will be conducted using machine learning algorithms (compared with 0% in 2016). This trend is confirmed by investments in automated bug-hunting systems. Last year, Microsoft introduced a platform that uses artificial intelligence to identify vulnerabilities and report them to developers. Ubisoft has a similar solution for finding bugs in games.
This is consistent with the fact that more and more companies are implementing AI-based solutions in corporate security systems. This approach makes it possible to combine the advantages of Bug Bounty programs with confidentiality: the less the human factor affects the process, the lower the probability of an information leak. Therefore, in the future there may be a redistribution of funding between live and virtual "bug hunters".