Bug Bounty – Search for vulnerabilities!

Many companies and platform operators worry about finding security holes, but a suitable tool has been around for a long time: bug bounty programs and vulnerability assessments. It does not matter whether the product is an online platform or any other digital product. A bug bounty program motivates people to search for software vulnerabilities and report them to the company in question instead of exploiting or selling them. The company affected by the vulnerability pays a “bounty” for the report. Depending on the amount paid out, this can of course become expensive.

Rewards for finding a vulnerability often range from USD 1,000 to 200,000. Finding small security holes or information leaks is rewarded as well; usually you will receive at least USD 50. Regular review by the security community is a good way to find and fix vulnerabilities, and bug bounty programs are now firmly established. Their guidelines therefore always state what is paid for and what is not.

Bug bounty programs can be run on various platforms.

The bug bounty programs of HackerOne and Bugcrowd have been established platforms for the community-driven detection of security vulnerabilities for years. However, before a product goes through such a program, a vulnerability assessment should have taken place. This reveals as many vulnerabilities as possible without ultimately stealing any data. The vulnerabilities are then weighted according to their potential risk.

Vulnerability assessment by RISKREX
The results of a vulnerability assessment of technical and human vulnerabilities (Source: Screenshot RISKREX)

Pentest and Bug Bounty – what is the difference?

In a bug bounty program, the scope of the test is defined and the products are reviewed by an active community. In contrast to a penetration test, the search for security vulnerabilities within a bug bounty program is set up with a smaller scope: those who search freely for security holes face stricter restrictions on what may and may not be done. A pentest, on the other hand, is a targeted attack for which the system owner grants a release beforehand, so that the company carrying out the test is freed from the so-called “hacker paragraphs”.

Another difference is that a bug bounty hunter usually works alone, while a penetration test is professionally executed by a team. Bug bounty hunting, however, makes use of the swarm intelligence of the hacker community. Different testers use different, partly self-developed tools, so applications are tested from different perspectives. This increases the probability of discovering further security holes. Automated scanners are often used to detect vulnerabilities, but there is also an extensive selection of hacker tools beyond them.

Bug bounty programs contribute to IT security culture

Headlines about data theft are very common. Vulnerability reporting programs can pre-empt those who would exploit the vulnerabilities. Headlines such as:

are just two examples. The Google program is one of the oldest and most successful of its kind. The search engine company has long paid for the discovery of security holes, and in nerd style, Google pays $1,337 for one security hole or another. In 2019, Google paid out a total of USD 6.5 million to security researchers. The highest single amount, USD 201,337, went to Guang Gong of Alpha Lab for an exploit chain discovered on a Google Pixel 3, which criminals could have used to execute malicious code on the phone. Every single maliciously exploited vulnerability could have cost this amount, especially once the loss of reputation is taken into account.

Specification of the Google Bug Bounty Program
Google has been paying for vulnerabilities for a very long time. (Source: Screenshot Bug Bounty Program Google)

For quite some time Apple “only” paid up to USD 200,000 for security holes, while on the black market these were often sold for considerably more money. In the meantime the iGroup has adjusted its values: for a “Zero-Click kernel Code execution with persistence and kernel PAC bypass” Apple now pays up to USD 1,000,000. Facebook and many other internet companies also offer extensive programs for reporting security holes. In addition to the large American corporations, numerous companies in this country (Germany) offer a bug bounty program as well. One of them is the Telecom.

Excerpt from Apple’s Bug Bounty Program
Apple’s payouts have increased significantly. (Source: Screenshot Bug Bounty Program from Apple)

Looking for, finding and reporting security holes and receiving money for it: hacking as a profession. This is the business model of HackerOne, but the platform does not keep the money for itself. The first hacker to reach a cumulative payout of one million dollars is only 19 years old. It starts with a registration, but you should also bring a genuine interest in detecting and searching for security holes. 80% of the people registered at HackerOne have taught themselves their knowledge autodidactically. New technologies, self-developed frameworks and new trends will ensure that the hackers and IT security specialists on the platform will not run out of work tomorrow either.

Headlines were made by a 19-year-old who reported a total of 1,600 security vulnerabilities and thus became a millionaire. At the age of 16, with the help of online courses, the young man taught himself how to hack and check applications. His “customers” already included Automattic, Verizon and the US government. Santiago Lopez had been active through HackerOne since 2015. By the way, the most popular attacks are cross-site scripting (XSS) and SQL injection. For Santiago Lopez it all started at 16 with $50: he found a cross-site request forgery (CSRF) vulnerability. His biggest reward was $9,000, for which the company was able to close a server-side request forgery (SSRF) vulnerability. It took Lopez two years to make the million.

Santiago Lopez. The first hacker on HackerOne to get paid a million dollars. Within two years. Hacking for a living? It can be done – very successfully even. Source: bleepingcomputer.com

To the vulnerabilities already found, another 1,674 (!) have been added. In addition to private companies, he has also reported vulnerabilities to Twitter, Verizon, HackerOne itself and US authorities, and has collected sums between 50 and 9,000 dollars for them. With these statistics the autodidact takes second place on the platform. A total of 19 million dollars was paid out to people who perform hacking as a profession, even if only as a sideline. This is shown by the HackerOne report: most of the registered users work between 1 and 10 hours on and with the platform.

Hacking as a profession brings up to 40x higher salary

The platform does not stop at figures about its users. A total of 300,000 security researchers are registered on the platform. A considerable number, and they are not just inactive accounts: these security researchers have reported more than 100,000 valid security vulnerabilities. Where do most of them come from? India and the USA. But Germany is not left out either. Active and successful hackers earn three times the salary of a software developer with their activities on the platform. The full report can be downloaded here.

Ethics plays a relevant role in the amount of the payout.

Even though a security hole is often depicted as a break-in to a house or compared with theft in retail stores, the comparisons do not really hold up. Companies must nevertheless be aware of how critical security gaps can be for their business. For example, a hacker attack at VFEmail caused the company to shut down overnight. The numerous other data thefts at Yahoo, Marriott etc. do not need to be explained in detail. Hacking as a profession and earning money with it? Dealers like Zerodium pay considerably more money for various security holes than the manufacturers or developers of the software.

Hacking for a living? Even more successful without ethics.
Zerodium pays for various security breaches. Hacking for a living? A loophole could lead to wealth. Source: Screenshot Zerodium.com

What are the vulnerabilities used for then? The company, of course, keeps this to itself. To deploy state Trojans successfully, however, one needs exactly such loopholes that the developers or manufacturers of the software know nothing about.

EU starts bug bounty program in the interest of the general public!

The EU has currently launched a pilot project for 14 open source projects. Security researchers can now submit vulnerabilities, which will be evaluated and subsequently rewarded. This should make the use of free software more secure and sustainable. The employees of AWARE7 are also active in these communities and participate in improving the trustworthiness of digital products. Matteo has been featured in the past at Bugcrowd LevelUp 0x03 with a presentation on social engineering.

Chris Wojzechowski

My name is Chris Wojzechowski and a few years ago I completed my Master’s degree in Internet Security in Gelsenkirchen. I am managing partner of AWARE7 GmbH and a trained IT Risk Manager and IT-Grundschutz Practitioner (TÜV), and I hold the audit competence for § 8a BSIG. Our bread-and-butter business is conducting penetration tests. Beyond that, we advocate a broad understanding of IT security in Europe and for this reason offer the majority of our products free of charge.