www.jaynagarblog.wordpress.com Call: 9601957620
CYBER CELL INTERNSHIP
GURUGRAM
June-July 2017
A RESEARCH REPORT ON
"BUGS BOUNTY: A STUDY"
Under the supervision of
Cyber Cell Gurugram, Haryana Police
Submitted By
Er. Jay Nagar
Table of Contents
About the Guide
ABSTRACT
1. INTRODUCTION
1.1 What is Bugs-Bounty?
2. HOW DOES A "BUGS-BOUNTY" PROGRAM WORK?
2.1 The process of launching and implementing a bugs-bounty program
2.2 The process of reporting a bug from a researcher's insight
3. SCOPE OF BUGS-BOUNTY PROGRAMS IN INDIA
3.0 Indian Firms
3.1 In Govt. sector
3.1.1 Programs launched by the U.S.A. govt. to secure the govt. domain
3.1.2 About "HACK THE PENTAGON"
3.1.3 What can the Indian Government do?
3.1.4 INDIAN RESEARCHERS
FINDINGS
4. CONCLUSION
5. REFERENCES
ABSTRACT
The vulnerability reward program (VRP), more commonly known as a "bug bounty", is a relatively new kind of platform introduced to the information security and tech startup communities. Bug bounties are popular in the tech world because of their distinctive working model: an open platform on which researchers and companies jointly explore vulnerabilities with a shared sense of responsibility, the researcher disclosing the vulnerability to the company and the company providing rewards and recognition in return. The model has been widely adopted by tech giants and top researchers. The present research report examines the concept of the "bug bounty" in the Indian scenario. It gives a basic introduction to the concept, followed by a formal description of the bug bounty, and then explains the application of bug bounties in the context of Indian startups and researchers. The report goes on to explain the working process of a program and its crucial points, such as the "POC" (proof of concept) and duplicate findings, and concludes on whether the bug bounty program is relevant in the Indian scenario or not.
KEYWORDS: VRP, BUGS-BOUNTY, POC.
1.INTRODUCTION
The growth of tech startups has increased the use of web applications. Earlier, only a few people understood the technicalities of web applications, but the scenario has changed completely today. The mass reach of the internet has made it easy for today's tech-savvy generation to understand the code and internals of these applications, which in turn has resulted in more exploitation of web applications. As the need for and functionality of the applications grew over time, so did their exploitation. Bugs were not reported but exploited and sold on the dark net, and companies gave researchers neither rewards nor recognition. Then the term "bug bounty" was introduced and a few platforms came to the rescue, one of the oldest among them being HackerOne, a California-based startup. The idea was a platform on which companies enroll in a program by signing a basic agreement, and researchers follow the rules and policies described by the company.
The program boomed in the industry as tech giants such as Google and Facebook were among its early adopters. However, companies also feared outbreaks such as "black hats" attacking them from within the crowd and noise and stealing their sensitive data in the name of the bug bounty; thus companies like Apple enrolled in such programs very late. But it is clear that the need for such a platform arose from the boom of the internet. These platforms rank the reputation of researchers based on their findings and give them frequent rewards, and the program was thus also able to gain popularity at conferences such as Black Hat and DEF CON. The community supported it well, but the view is slowly changing because of the manipulation or monopoly practised by the companies.
1.1 What is Bugs-Bounty?
A bug bounty program, also called a vulnerability rewards program (VRP), is a crowdsourcing initiative that rewards individuals for discovering and reporting software bugs. Bug bounty programs are often initiated to supplement internal code audits and penetration tests as part of an organization's vulnerability management strategy. The original "Bugs Bounty" program was the creation of Jarrett Ridlinghafer while working at Netscape Communications Corporation as a technical support engineer.
Netscape encouraged its employees to push themselves and do whatever it took to get the job done, and in late 1995 Jarrett Ridlinghafer was inspired with the idea for, and coined the phrase, "Bugs Bounty". The term "bug bounty" is in itself attractive as a phrase and as slang. The logo mainly used in these programs is similar to the image shown below.
[Figure: the logo commonly used by bug bounty programs]
Many software vendors and websites run bug bounty programs, paying cash rewards to software security researchers and white hat hackers who report software vulnerabilities that have the potential to be exploited. The tech leaders in this business model are:
• Hackerone.com
• Bugcrowd.com
• Cobalt.io
• Synack.com
• Bountyfactory.com
• Zerocopter.com
Not all of these platforms follow identical models, but the ideology behind each of them is the same: vulnerability reporting and patching.
2. HOW DOES A "BUGS-BOUNTY" PROGRAM WORK?
2.1 The process of launching and implementing a bugs-bounty program.
A bug bounty program needs a lot of work inside an organization. The organization needs a strategic plan to execute a successful bug bounty program, and must thoroughly study, implement and execute the following steps:
• Establish the program goals and company objectives.
• Set the scope of the program clearly and thoughtfully: which domains and applications are in scope, which are explicitly excluded, and which vulnerability classes are not rewarded.
• Set the reward range of the program.
• Implement internal processes and align expectations between departments.
• Launch the program.
• Receive bug reports from researchers.
• Screen bug reports for validity, and for duplicates of vulnerabilities already reported.
• Reward the researchers on the basis of their findings.
• Patch the vulnerability with the help of the development team.
[Figure: kinds of rewards and replies a company gives after receiving a bug report]
2.2. The process of reporting a bug from a researcher's insight.
The researcher is the most crucial part of a bug bounty program. The researcher's prime role consists of scanning and pen testing the applications within the guidelines provided by the company, and making sure that in no case do they overstep those guidelines. The researcher should report the vulnerability to the concerned authority under the given guidelines with a proper POC (proof of concept), so that the company or client is able to reproduce the vulnerability with the help of the POC and patch it. A researcher holds certain duties while participating in such a program as an external tester:
• He/she should perform attacks only within the scope of the client's guidelines.
• The report submitted should be in a formal manner.
• The POC submitted should be able to reproduce the vulnerability.
• He/she should not disclose the bug publicly until the firm allows it.
• The researcher should not attempt attacks such as DoS/DDoS.
Researchers and companies fall into an endless dispute over a point well known to anyone involved in such programs: the "duplicate" bug. This dispute is always contentious, as researchers question the legitimacy of the "duplicate" verdicts they are given; the main question is how, if the bug was already known, the company is able to patch it only after their report, on the same or the next day. Researchers even create memes about it.
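The scope-setting and duplicate-screening steps in 2.1, together with the researcher's duties in 2.2 (stay in scope, supply a POC that reproduces the bug), are what a program's triage queue actually enforces. The following is an added example written for this page; it is not code from the report or from any of the platforms named above. It is a small Python triage helper that checks a report against a constructed scope policy (wildcard host patterns, explicit exclusions, vulnerability classes the policy does not reward), sends back reports that lack reproduction steps, and fingerprints each accepted report so that a second report of the same weakness at the same endpoint and parameter is marked as a duplicate of the first. The scope, reward table and sample reports are all constructed for illustration, and the fingerprint rule (weakness, host, path, parameter) is one reasonable normalization rather than any program's published rule.

```python
"""Bug bounty triage helper: scope check, POC check and duplicate detection.

Added example. The scope policy, reward table and reports below are
constructed for illustration and do not describe any real program.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass
class Scope:
    """Program scope as published in the policy (assumed format)."""
    in_scope: list          # host patterns, e.g. "*.example.com"
    out_of_scope: list      # host patterns that override in_scope
    excluded_classes: set   # upper-case weakness names the policy does not reward

    def host_allowed(self, host: str) -> bool:
        host = host.lower()
        # An explicit exclusion always wins over a wildcard inclusion.
        if any(fnmatchcase(host, p.lower()) for p in self.out_of_scope):
            return False
        return any(fnmatchcase(host, p.lower()) for p in self.in_scope)


@dataclass
class Report:
    """One researcher submission."""
    report_id: str
    weakness: str      # e.g. "XSS", "IDOR"
    url: str           # affected endpoint
    parameter: str     # affected parameter ("" if none)
    poc_steps: list    # reproduction steps; empty means no usable POC

    def host(self) -> str:
        return urlsplit(self.url).hostname or ""

    def fingerprint(self) -> tuple:
        """Normalized key: the same weakness at the same endpoint and
        parameter is the same bug, regardless of case, scheme, query
        string or a trailing slash."""
        parts = urlsplit(self.url)
        path = parts.path.rstrip("/") or "/"
        return (self.weakness.upper(), (parts.hostname or "").lower(),
                path, self.parameter.lower())


@dataclass
class Triage:
    scope: Scope
    rewards: dict                             # severity -> payout
    seen: dict = field(default_factory=dict)  # fingerprint -> first report id

    def assess(self, report: Report, severity: str) -> tuple:
        """Return (decision, detail): detail is the payout for a triaged
        report, the earlier report id for a duplicate, otherwise None."""
        if not self.scope.host_allowed(report.host()):
            return ("out_of_scope", None)
        if report.weakness.upper() in self.scope.excluded_classes:
            return ("not_applicable", None)
        if not report.poc_steps:
            # Without steps the team cannot reproduce the bug, so it can
            # be neither validated nor patched; ask the researcher for more.
            return ("needs_more_info", None)
        key = report.fingerprint()
        if key in self.seen:
            return ("duplicate", self.seen[key])
        self.seen[key] = report.report_id
        return ("triaged", self.rewards[severity])


if __name__ == "__main__":
    # Constructed policy and reports for a stand-alone run.
    policy = Scope(in_scope=["example.com", "*.example.com"],
                   out_of_scope=["status.example.com"],
                   excluded_classes={"CLICKJACKING"})
    queue = Triage(scope=policy, rewards={"low": 100, "medium": 500, "high": 2000})
    first = Report("R-1", "xss", "https://app.example.com/search/?q=1", "q",
                   ["Open the URL", "Observe that the payload executes"])
    second = Report("R-2", "XSS", "https://APP.example.com/search", "Q",
                    ["Same steps as above"])
    print(queue.assess(first, "medium"))   # ('triaged', 500)
    print(queue.assess(second, "high"))    # ('duplicate', 'R-1')
```

The fingerprint deliberately ignores scheme, query string, case and trailing slashes, so two submissions of the same bug written slightly differently collide; it does not recognise two reports of one root cause on different paths, which is where a human triager's judgement, and the "duplicate" disputes described above, come in.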
[Figure: a sample bug report (POC)]
3. SCOPE OF BUGS-BOUNTY PROGRAMS IN INDIA.
3.0 Indian Firms -:
Bug bounties are getting popular in India day by day, as an increasing number of researchers are getting the monetary benefit of such programs. On the other hand, Indian firms are still not able to recognize this as an important aspect of security; still, the top tech startups in India, such as
• Paytm
• Ola
• Freecharge
• Mobivik
etc., have launched their own bug bounty programs. There is still no platform that Indian tech startups can fully trust, as platforms like HackerOne and Bugcrowd are all foreign-based companies and cannot be trusted fully. There are also no awareness campaigns or initiatives in India to teach SMEs the importance of cyber security, so small startups see no need to enroll in bug bounty programs or to launch their own initiatives. This leaves our country lacking in cyber-space security and results in daily attacks. A picture depicting Paytm's bug bounty program page:
[Figure: Paytm's bug bounty program page]
3.1 In Govt. sector -:
In the present scenario in India, not many government institutions have accepted or implemented bug bounty programs, even though government sites are highly vulnerable. However, CERT-In has taken an initiative to make the system more reliable and to gain researchers' trust by providing a vulnerability reporting facility on its official site, cert-in.org.in, where a researcher who reports a vulnerability is given a letter of appreciation with official stamps and emblems. Earlier, researchers feared to disclose any vulnerabilities in government sites, as they might be held liable for doing so.
[Figure: screenshot of CERT-In's site for reporting a vulnerability]
3.1.1 Programs launched by the U.S.A. govt. to secure the govt. domain.
The government of the U.S.A. has always kept up with the tech world. Providing top-level technology and internet is not all that is essential; a secured database and system is what keeps them resilient. American servers and sites are found to be very secure, and despite this, hackers were able to bypass them and successfully leaked much confidential information on the dark net and public forums. This was a pain for the American government until it officially launched a bug bounty program. Many government servers and sites were put in scope for this program. The Air Force joined this initiative, the Army also joined, and the most commendable of all was "Hack the Pentagon", where the Pentagon's sites were pen tested with live testing and patching, and cash rewards were given to young researchers. The program not only raised the security level, it also encouraged a feeling of belonging towards the government, as the government trusted its citizens and gave them a platform to legally showcase their skills in saving their own country from future attacks.
3.1.2 About "HACK THE PENTAGON".
The U.S. Department of Defense (DoD) launched this program with one of its own country's platforms, HackerOne. The program was a huge success, after which the DoD further released the "Hack the Army" program on 20 October 2016. The DoD's Defense Digital Service (DDS) team pioneered the Hack the Pentagon bug bounty pilot program with strong support from Secretary of Defense Ash Carter. The pilot ran from April 18, 2016 until May 12, 2016 and exceeded all expectations. Hack the Pentagon was the first bug bounty program in the history of the federal government. The Department of Defense selected HackerOne as its partner to advise on, operate and execute Hack the Pentagon. On March 31, 2016, interested participants began registering to compete in the "Hack the Pentagon" pilot challenge. The pilot program was designed to identify and resolve security vulnerabilities in Defense Department public-facing websites through crowdsourced security.
Some remarkable points about the program:
• The first vulnerability report was received within 13 minutes of launching the program.
• 200 reports were received within 6 hours of launch.
• 1,410 researchers registered to participate in the program.
• A total of $75,000 was paid to researchers as bounties.
It is pertinent to mention that the program gained a huge level of popularity and was a success for the DoD; although there was huge risk involved, the government was able to execute it successfully with a few safety measures and policies.
3.1.3 What can the Indian Government do?
The decision to implement and execute such a program will be really hard for the government to take; without proper assistance and platforms to trust, the government will not be able to do so, as it would be like self-harm. However, the government can take guidance from the well-known cyber experts of our country to plan out such a program. The government should focus on the cyber researchers budding in our country who are giving their expertise to foreign firms, because those firms recognize their talent and pay more. A few steps towards such an initiative will attract researchers to the program and result in a well-protected cyber space in our country.
3.1.4 INDIAN RESEARCHERS
As we saw above, India has mostly lagged in its approach to bug bounty programs. The scenario is totally different for the researchers of India: they top the bug bounty programs. Tech giants like Facebook have accepted the fact that Indian researchers top their payout lists on bug bounty programs: "So far in 2016, over 9,000 bug related incidents have been reported to Facebook. And a total of 149 researchers were paid the sum of $611,741, with India receiving the highest payout followed by USA and Mexico." While the world, or foreign countries, appreciate and use our researchers' talent, our own country is not able to recognize their real worth. Countries like the U.S.A. are paying Indian researchers great amounts to work with them; Uber took six names from India into its top 50 list of researchers. An Indian researcher named Anand Prakash earned around Rs. 2.2 crore from such programs and received job offers from Google, Facebook and other tech giants, but reportedly declined them as he wanted to start his own company.
FINDINGS -:
• India has an adequate amount of talent but lacks platforms.
• Indian startups are not serious about, or aware of, cyber security issues.
• The Indian government is not proactive regarding cyber security.
• Bug bounty programs should be introduced more often by Indian sites.
• There is a lack of awareness about such programs in India.
4.CONCLUSION
The research has concluded that the bug bounty program is not only relevant but the need of the hour in the current Indian scenario. As the number of startups in the Indian economy increases, they occupy more cyber space, leaving Indian cyber space more vulnerable to attackers. The "Digital India" campaign has shifted the major workforce of government bodies online; these official sites need to be tested and supported by such programs.
There is an ample amount of talent in our country which needs a platform to showcase its skills, and the government and tech startups should step forward to provide it with adequate recognition and rewards. Even the most secure countries, like the U.S.A. and the Netherlands, have their own bug bounty programs. Thus the program is relevant in itself and only needs policies and frameworks to be laid down for researchers. The research assessed the relevance of the program from the point of view of its three main stakeholders: Indian firms, the government and the researchers.
5.REFERENCES
• http://whatis.techtarget.com/definition/bug-bounty-program
• http://www.datacenterjournal.com/bugbounty-programs-hassle/
• https://www.veracode.com/blog/2016/08/when-bug-bounties-are-counter-productive
• https://www.htbridge.com/blog/are-bug-bounty-programs-really-working.html
• https://www.scmagazineuk.com/can-bug-bounties-replace-traditional-web-security/article/532232/
• http://www.huffingtonpost.in/2017/03/07/interview-this-indian-hacker-
• http://www.cert-in.org.in/
• http://www.huffingtonpost.in/2017/03/28/six-indian-hackers-ubers-top-50-bug-hunters-list-rewarded-almos_a_22014718/
• https://www.hackerone.com/resources/hack-the-pentagon