Bug bounty programs have existed since the 1990s but have grown significantly in recent years. The document summarizes highlights from 2014 reports of major companies' bug bounty programs including Google, Facebook, Microsoft, Github, and Tesla. It also discusses reasons for organizations to start bounty programs, tips for reducing noise, and trends in bug bounty research like researcher demographics.

1. ‹#›
State of Bug Bounty
Leif Dreizler, Sr. Security Engineer
@leifdreizler

2. ‹#›
Things I’ll Cover
oBug Bounty: 👻 🎁🔮
oPro tips, pitfalls, war stories
oQuestions!

3. What’s a bug bounty
program?

4. ‹#›
A Brief History of
Bug Bounty
Programs

5. ‹#›
1995

6. ‹#›
20052002

7. ‹#›
2004

8. ‹#›
2007

9. ‹#›
Big Data Security Metrics
9

10. ‹#›
Highlights from the 2014 Google
o Started in 2010
o In 2014 paid over 200 researchers
o Highest single payout: $150k
o Total payout: $1.5+ million
o Over 500 unique and valid bugs
o Over half of the bugs in Chrome were reported and fixed in
beta or dev builds
src: http://googleonlinesecurity.blogspot.com/2015/01/security-reward-programs-year-in-review.html

11. ‹#›
Google VRP
src: h?ps://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts

12. ‹#›

13. ‹#›
Highlights from the 2014 Facebook Report
o Started in 2011
o Currently $500 minimum, no
defined maximum
o 17,011 Submissions
o 61 Eligible bugs were high severity
o 123 Countries (65 Rewarded)
o $1.3 million paid to 321
researchers
Countries with High # of Valid Subs
Valid Bugs Average $
RewardIndia 196 $1,343
Egypt 81 $1,220
USA 61 $2,470
UK 28 $2,768
Philippines 27 $1,093
src: https://www.facebook.com/notes/facebook-bug-bounty/2014-highlights-bounties-get-better-than-ever/1026610350686524

14. ‹#›
Microsoft Bounty Expansion
o Started in 2013
o Online services like Azure and 0365 have a
maximum bounty of $15k
o Doubled this during Aug 5 - Oct 5 for auth
vulnerabilities in Windows Live
o “Mitigation Bypass” bounty for novel methods to
bypass paramount OS protections like ASLR and
DEP - $100k
o “Bonus Bounty for Defense” - $50k
src: http://blogs.technet.com/b/msrc/archive/2015/04/22/microsoft-bounty-programs-expansion-azure-and-project-spartan.aspx
src: https://technet.microsoft.com/en-us/security/dn800983

15. ‹#›
Highlights from the 2014 Github Report
o First year of the program
o $200 - $5,000 (doubled for 2015)
o 1,920 Submissions
o 73 Unique Vulnerabilities (57 medium/high)
o 33 Unique Researchers earned a total of
$50,100 for the med/high vulnerabilities
src: h?ps://github.com/blog/1951-github-security-bug-bounty-program-turns-one

16. ‹#›
Tesla Motors
o Began their program with Bugcrowd in 2015
o Includes all Tesla Motors hosts, mobile apps, and any hardware
you’re authorized to test against (don’t hack your neighbors car)
o Initially had an upper end of $1,000
o Increased the upper end to $10k at Black Hat
o Researchers were able to gain access to the Model S
computer system, remotely lock and unlock the car, and apply
the emergency brake if under 5 m.p.h.

17. ‹#›
Why should my organization run a bug bounty?
oHelps augment your internal security team
oHelps level the playing field
oShows the security community you’ll work with
them
oMakes it easy for researchers to “do the right
thing”
oThe program makes a statement
oContinuous testing

18. ‹#›
Why should my organization run a bug bounty?
oHelps augment your internal security team
oHelps level the playing field
oShows the security community you’ll work with
them
oMakes it easy for researchers to “do the right
thing”
oThe program makes a statement
oContinuous testing

19. ‹#›
Why should my organization run a bug bounty?
oHelps augment your internal security team
oHelps level the playing field
oShows the security community you’ll work
with them
oMakes it easy for researchers to “do the right
thing”
oThe program makes a statement
oContinuous testing

20. ‹#›
Why should my organization run a bug bounty?
oHelps augment your internal security team
oHelps level the playing field
oShows the security community you’ll work with
them
oMakes it easy for researchers to “do the
right thing”
oThe program makes a statement
oContinuous testing

21. ‹#›
Why should my organization run a bug bounty?
oHelps augment your internal security team
oHelps level the playing field
oShows the security community you’ll work with
them
oMakes it easy for researchers to “do the right
thing”
oThe program makes a statement
oContinuous testing

22. ‹#›
Why should my organization run a bug bounty?
oHelps augment your internal security team
oHelps level the playing field
oShows the security community you’ll work with
them
oMakes it easy for researchers to “do the right
thing”
oThe program makes a statement
oContinuous testing

23. ‹#›
Why should my organization run a bug bounty?
oHelps augment your internal security team
oHelps level the playing field
oShows the security community you’ll work with
them
oMakes it easy for researchers to “do the right
thing”
oThe program makes a statement
oContinuous testing

24. ‹#›
Why should my organization run a bug bounty?
oHelps augment your internal security team
oHelps level the playing field
oShows the security community you’ll work with
them
oMakes it easy for researchers to “do the right
thing”
oThe program makes a statement
oContinuous testing

25. ‹#›
Why should my organization run a bug bounty?
oHelps augment your internal security team
oHelps level the playing field
oShows the security community you’ll work with
them
oMakes it easy for researchers to “do the right
thing”
oThe program makes a statement
oContinuous testing

26. ‹#›
I’m already doing enough
oRed Team
oScanners
oTraditional Pentests

27. ‹#›
I’m already getting continuous testing from my red team
oBug bounties don’t replace red teams
oThey work in concert, providing a different
perspective
oRed teams have access to privileged information that
may create bias in their testing

28. ‹#›
I’m already getting continuous testing from my red team
oBug bounties don’t replace red teams
oThey work in concert, providing a different
perspective
oRed teams have access to privileged information that
may create bias in their testing

29. ‹#›
I’m already getting continuous testing from a scanner
oThey report false positives
oScanners miss a lot of
vulnerabilities

30. ‹#›
I’m already having my application pen tested
oLimited resources compared to the
crowd
oPaying for time vs. results
oSnapshot in time

31. ‹#›
src: h?ps://github.com/blog/1951-github-security-bug-bounty-program-turns-one
Github Program Lifecycle

32. ‹#›
Community Management
oDeluge of submissions
oTriage and Validation
oResearcher Communication
oResearcher Payment
oRemediation

33. ‹#›
Community Management
oDeluge of submissions
oTriage and Validation
oResearcher Communication
oResearcher Payment
oRemediation

34. ‹#›
Community Management
oDeluge of submissions
oTriage and Validation
oResearcher Communication
oResearcher Payment
oRemediation

35. ‹#›
Program Growth
oIncrease number of researchers
oIncrease scope
oIncrease reward ranges
oIncrease publicity

36. ‹#›
January 2013 - June 2015
State of Bug Bounty
36

37. ‹#›
Areas of Trends:
Types of Programs
Signal to Noise RaSo
Severity of Submissions
Types of Submissions
Researcher Demographics & Behavior
CulminaSon of 2 Years of Bug Bounty Data
37

38. ‹#›
Researchers are measured on the below factors and invited
accordingly…
Quality if a submission is valid and in scope
Impact if a submission is worth your Sme
AcSvity if a researcher is ready to work
Trust
How do researchers join private programs?

39. ‹#›
» Valid
» Fixable
» High-Priority
» Reproducible
» In Scope
NoiseSignal
» Invalid
» Ignored
» Duplicate
» Non-Reproducibl
» Out-of-Scope
Why Invite Only?

40. ‹#›
Program Statistics
o $725k paid to researchers
o 38k submissions
o 8k valid & unique (21%)
o $200 average payout
o 4.39 “big bugs” per program

41. ‹#›
P1 - Critical
Vulnerabilities that cause a privilege
escalation on the platform from
unprivileged to admin, allows remote
code execution, financial theft, etc.
Examples: Vertical Authentication
bypass, SSRF, XXE, SQL injection,
User Authentication bypass
P2 - High
Vulnerabilities that affect the security
of the platform including the
processes it supports.
Examples: Lateral authentication
bypass, Stored XSS, some CSRF
depending on impact
What are big bugs?

42. ‹#›
src: h?ps://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts
Google VRP

43. ‹#›
43
src: h?ps://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts
Google VRP

44. ‹#›
How to reduce noise
o Provide clear directives to researchers
o What’s in/out of scope
o Play by your own rules
o Reward Quickly and Consistently
o Fix Quickly
o Provide feedback/education

45. ‹#›
How to reduce noise
o Provide clear directives to researchers
o What’s in/out of scope
o Play by your own rules
o Reward Quickly and Consistently
o Fix Quickly
o Provide feedback/education

46. ‹#›
How to reduce noise
o Provide clear directives to researchers
o What’s in/out of scope
o Play by your own rules
o Reward Quickly and Consistently
o Fix Quickly
o Provide feedback/education

47. ‹#›
How to reduce noise
o Provide clear directives to researchers
o What’s in/out of scope
o Play by your own rules
o Reward Quickly and Consistently
o Fix Quickly
o Provide feedback/education

48. ‹#›
How to reduce noise
o Provide clear directives to researchers
o What’s in/out of scope
o Play by your own rules
o Reward Quickly and Consistently
o Fix Quickly
o Provide feedback/education

49. ‹#›
How to reduce noise
o Provide clear directives to researchers
o What’s in/out of scope
o Play by your own rules
o Reward Quickly and Consistently
o Fix Quickly
o Provide feedback/education

50. ‹#›
Provide Feedback/Education
o Respond to researchers
o Improve submissions
o Note deficiencies
o Clarify scope
o Training
o Google: Bughunter University
o Facebook: Bounty Hunter’s Guide
o Bugcrowd: Bugcrowd Forum

51. ‹#›
Shaping the Future of Bug Bounty
o Paid Summer Internships
o Guest blog posts
o Bugcrowd Forum
o Training
o https://github.com/jhaddix/tbhm
o https://www.youtube.com/watch?
v=VtFuAH19Qz0
o https://blog.bugcrowd.com/bugcrowds-2015-
guide-hacker-summer-camp/

52. ‹#›
Shaping the Future of Bug Bounty
Bug Bounties as Primary Source of Income
(Researchers with 15+ Valid Submissions)

53. ‹#›
Shaping the Future of Bug Bounty

54. ‹#›
Researcher Statistics
o 20,000 total sign ups
o 90 Countries
o India - 31%
o US - 18%
o UK - 9%
o Highest average payout
o Cyprus - $644
o Switzerland - $512
o Austria - $475

55. ‹#›
Google VRP
55
src: h?ps://sites.google.com/site/bughunteruniversity/behind-the-scenes/charts

56. ‹#›
Submissions: What do they find?

57. ‹#›
Submissions: What do they find?

58. ‹#›
Big Bugs!

59. ‹#›
Cross-domain Information Disclosure
Discovered by Peter Adkins (@Darkarnium)

60. ‹#›
• Clifford’s first private bounty invitation
• Launched at midnight in Philippines
• Found an IDOR à elevation of privilege
• Clifford’s first private bounty invitation
• Launched at midnight in Philippines
• Found an IDOR à elevation of privilege
src: h?ps://www.cliffordtrigo.info/hijacking-smartsheet-accounts/

61. ‹#›
src: h?ps://www.cliffordtrigo.info/hijacking-smartsheet-accounts/

62. ‹#›
src: h?ps://www.cliffordtrigo.info/hijacking-smartsheet-accounts/

63. ‹#›
h?p://nbsriharsha.blogspot.in/2015/07/a-style-of-bypassing-authenScaSon.html
• IDOR à elevation of privilege
1) login to https://service.teslamotors.com/
2) navigate to https://service.teslamotors.com/admin/bulletins
3) now you are admin, you can delete, modify and publish
documents

64. ‹#›
In Summary
o Bug bounty programs have been around for a while
o Managing a bug bounty program can be difficult
o Security-conscious companies keep running them
o More companies are adopting (private) programs
o Researchers are reporting interesting and critical vulnerabilities

65. bugcrowd.comleif@bugcrowd.com921 Front Street
San Francisico, CA
@bugcrowd
QUESTIONS?