Hunting (Software) Bugs for Fun and Profit
Large-scale data breaches have skyrocketed over the past few years. In a bid to lock down their infrastructure, some companies have begun crowdsourcing their security—hoping that, with the right incentives, tech-savvy citizens will find critical bugs before the bad guys do. If you’re a security engineer or developer who wants to make some quick cash, keep in mind that these companies’ “bug bounties” pay based on the severity of the discovered vulnerability. “It’s not necessarily that the bug is that much harder to find; it’s just that it’s a very high-impact vulnerability,” said Sam Houston, senior community manager at the crowdsourced cybersecurity company Bugcrowd.

Bugcrowd, which manages the bug-bounty process for companies, has awarded over $6 million to security researchers who have found more than 52,000 bugs for hundreds of enterprise organizations. According to its third annual report on the state of the bug bounty program, there has been a 25 percent increase in critical vulnerability submissions over the last year. Larger enterprises likely have the robust security and resources to pay out high bounties. The highest-paying bugs are critical vulnerabilities, defined as “those that cause a privilege escalation from unprivileged to admin, or allow for remote code execution, financial theft, etc.”

Bugcrowd’s annual report also states that the average payout across programs and industries is $451—nearly double the average payout in 2015. Hardware/IoT targets (think routers, webcams, and wearables) have a higher average payout ($742) than web targets ($595) and mobile targets ($385). Within mobile, Android vulnerabilities typically account for higher payouts ($411) than iOS flaws ($346). The majority of critical vulnerabilities found are SQL injections, followed by cross-site scripting, cross-site request forgery, and mobile.
Some seasoned bug hunters will pick just one company to hack on and dig deep into documentation so they can find vulnerabilities that might elude other security researchers. Others just pick whatever piques their interest that day. “Bug bounties are across all companies and products. We have NETGEAR on Bugcrowd, so you can hack on your router that’s sitting in your living room,” Houston said. “Or if you want to hack on mobile apps that are on your phone, you can look through there. If you have a Tesla, you can hack on their mobile app, or you can even hack on the car. If you just want to hack on websites we have tons of customers that provide those sorts of bounties, too.”

The benefit of looking for bug bounties on Bugcrowd is that it can serve as a liaison between security researchers and companies, mediating disputes when necessary. Here are some of the higher-paying bug bounties:

Okta: The cloud identity and mobility-management service pays out as much as $15,000 for a full RCE bug (if you can obtain a shell back from their network), and offers $5,000 for working SQL injections, XXE local file reads (read and exfiltrate data OOB), or full-privilege escalation within the same organization. It pays out $10,000 for full privilege escalation from one Okta organization to another. Payouts start at $50, and the average payout over the last 12 weeks has been $588.30.

NETGEAR: The networking company has a kudos reward program for low-impact vulnerabilities and a cash reward program paying out $150 to $1,200; that number jumps to $10,000 to $15,000 for high-impact vulnerabilities leading to unauthorized access to cloud storage files, live video feeds, or the complete NETGEAR customer database. The average payout over the past 12 weeks has been $1,048.67.

Jet.com: Amazon competitor Jet.com’s average payout is just under $600, but the cash awards range from $1,000 to $15,000, topping out at $8,000 to $15,000 for critical security vulnerabilities. The company is interested in findings related to design or implementation issues that have an impact on its network and users.

Tesla: The electric car manufacturer pays $100 to $10,000 for bugs, and as much as $10,000 for command injection, authentication bypass, SQL, and vertical privilege escalation vulnerabilities. The average payout over the past 12 weeks has been $1,143.19.

1Password: The password manager offers awards ranging from $100 to $5,000, and the average payout over the past 12 weeks has been $346.3. There’s a $100,000 payout, too, if you can decrypt a file that’s in their password vault—evidently a company-ending bug.