Main image of article Hunting (Software) Bugs for Fun and Profit
Large-scale data breaches have skyrocketed over the past few years. In a bid to lock down their infrastructure, some companies have begun crowdsourcing their security—hoping that, with the right incentives, tech-savvy citizens will find critical bugs before the bad guys do. If you’re a security engineer or developer who wants to make some quick cash, keep in mind that these companies’ “bug bounties” pay based on the severity of the discovered vulnerability. “It’s not necessarily that the bug is that much harder to find; it’s just that it’s a very high-impact vulnerability,” said Sam Houston, senior community manager at the crowdsourced cybersecurity company Bugcrowd. Bugcrowd, which manages the bug-bounty process for companies, has awarded over $6 million to security researchers who have found more than 52,000 bugs for hundreds of enterprise organizations. According to its third annual report on the state of the bug bounty program, there has been a 25 percent increase in critical vulnerability submissions over the last year. Larger enterprises likely have the robust security and resources to pay out high bounties. The highest-paying bugs are critical vulnerabilities, defined as “those that cause a privilege escalation from unprivileged to admin, or allow for remote code execution, financial theft, etc.” Bugcrowd’s annual report also states that the average payout across programs and industries is $451—nearly double the average payout in 2015. Hardware/IoT targets (think routers, webcams, and wearables) have a higher average payout ($742) than web targets ($595) and mobile targets ($385). Within mobile, Android vulnerabilities typically account for higher payouts ($411) than iOS flaws ($346). The majority of critical vulnerabilities found are SQL injections, followed by cross-site scripting, cross-site request forgery, and mobile. Some seasoned bug hunters will pick just one company to hack on and dig deep into documentation so they can find vulnerabilities that might elude other security researchers. Others just pick whatever piques their interest that day. “Bug bounties are across all companies and products. We have NETGEAR on Bugcrowd, so you can hack on your router that’s sitting in your living room,” Houston said. “Or if you want to hack on mobile apps that are on your phone, you can look through there. If you have a Tesla, you can hack on their mobile app, or you can even hack on the car. If you just want to hack on websites we have tons of customers that provide those sorts of bounties, too.” The benefit of looking for bug bounties on Bugcrowd is that it can serve as a liaison between security researchers and companies, mediating disputes when necessary. Here are some of the higher-paying bug bounties: Okta: The cloud identity and mobility-management service pays out as much as $15,000 for a full RCE bug (if you can obtain a shell back from their network), and offers $5,000 for working SQL injections, XXE local file reads (read and infiltrate data OOB), or full-privilege escalation within the same organization. It pays out $10,000 for full privilege escalation from one Okta organization to another. Payouts start at $50, and the average payout over the last 12 weeks has been $588.30. NETGEAR: The networking company has a kudos reward program for low-impact vulnerabilities and a cash reward program paying out $150 to $1,200; that number jumps to $10,000 to $15,000 for high-impact vulnerabilities leading to unauthorized access to cloud storage files, live video feeds, or the complete NETGEAR customer database. The average payout over the past 12 weeks has been $1,048.67. Amazon competitor’s average payout is just under $600, but the cash awards range from $1,000 to $15,000, topping out at $8,000 to $15,000 for critical security vulnerabilities. The company is interested in findings related to design or implementation issues that have an impact on its network and users. Tesla: The electric car manufacturer pays $100 to $10,000 for bugs, and as much as $10,000 for command injection, authentication bypass, SQL, and vertical privilege escalation vulnerabilities. The average payout over the past 12 weeks has been $1,143.19. 1Password: The password manager offers awards ranging from $100 to $5,000, and the average payout over the past 12 weeks has been $346.3. There’s a $100,000 payout, too, if you can decrypt a file that’s in their password vault—evidently a company-ending bug.

Private Bug Bounties

Not all companies publicly list their bug bounties on Bugcrowd; private bug bounties are invite-only. Bugcrowd’s team of application security engineers, who are responsible for screening bugs and making sure they’re legitimate, keep an eye out for talented people. After you start submitting bugs, you might pop up on their radar and get invited to private bug bounties: these require an NDA and sometimes even a background check. The vast majority of bug bounties are private, but sometimes Bugcrowd can talk about them. For example, their Super Secret Bug Bounty pays up to $250,000 per bug found in unreleased virtual machine software. If you’re up for the challenge and want to apply, you can send a submission detailing your experience and why you’d be interested in participating.

Self-Hosted Bug Bounties

Some bug bounties are self-hosted. Google, for example, offers payouts ranging from $100 to $100,000 (for participants who can compromise a Chromebook or Chromebox with device persistence in guest mode). There’s also Microsoft, which pays out as much as $250,000; Mozilla, which pays $100 to $5,000 for web and services bugs and $500 to $10,000+ for its client bug bounty; and Facebook, which offers a minimum reward of $500 for issues that qualify for bounties.

Read the Fine Print

Before you get started, closely read any available information about the bug bounty. There are often a lot of details about what is considered a “legitimate” vulnerability, which types of bugs are not included, what type of behavior will disqualify you from receiving a payout, what happens in the event that two security researchers submit the same bug, and other details. If you’d like to take a stab at it, read Bugcrowd’s post on how to get started, and begin looking through their bug bounty list. Happy hunting!