[BreachExchange] The Steady Rise of Bounty Programs, and the Counterpart

Inga Goddijn inga at riskbasedsecurity.com
Thu Jul 20 10:46:48 EDT 2017


https://www.riskbasedsecurity.com/2017/07/the-steady-rise-of-bounty-programs-and-the-counterpart/

We have continued to see a steady rise in the acceptance and adoption of
vulnerability bug bounty programs over the last several years. Companies like
Microsoft (which, many may have forgotten, said seven years ago that it would
not pay for vulnerability information) have been steadily expanding their
program to pay for more and more vulnerability information, and recently made
Edge bounties permanent. Service-oriented companies like Uber, which rely on a
significant amount of user interaction and transactions via mobile apps, also
utilize bounty programs. Surprisingly, many industries, even the U.S. military,
have entered the bug bounty game: in 2016 the Department of Defense (DoD)
announced its own vulnerability bounty program, to be run through HackerOne.

As sometimes happens with high-profile bug bounty programs, such as United
Airlines' in 2015, they can come with a bit of drama. The initial
announcement of the DoD program faced some turmoil. According to the DoD's
own press release, "participants in the bug bounty will be required to
register and submit to a background check prior to any involvement with the
pilot program." An Ars Technica news article goes on to enumerate more
requirements, citing the HackerOne project for the bounty:

- You must have successfully registered as a participant through this
  security page.
- You must have a US taxpayer identification number and a Social Security
  number or an employee identification number and the ability to complete
  required verification forms.
- You must be eligible to work within the US; meaning you are a US citizen, a
  noncitizen national of the US, a lawful permanent resident, or an alien
  authorized to work within the US.
- You must not reside in a country currently under US trade sanctions.
- You must not be on the US Department of the Treasury's Specially Designated
  Nationals list [a list of people and organizations identified as being
  involved with terrorism, drug trafficking, and other criminal activities].

Interestingly enough, when originally viewing the HackerOne DoD Bounty page
(dead link) after the announcement it showed:

This type of confusion and lack of guidelines can cause a serious lack of
trust among security researchers, who are notoriously paranoid, and often
for good reason. For a program that the DoD describes as "innovative", the
lack of organization coupled with the registration requirements was
concerning for many. While the excitement of launching a bug bounty can
lead to a rushed implementation, it is critical to be prepared and to have
clear guidelines in place from the very beginning.

To be clear, the page has now been updated and provides the expected
guidelines and other information. Interestingly enough, there are also some
Response Efficiency metrics posted publicly on the HackerOne bounty page.
You can see that their average first response is three days, but that it
takes approximately four months on average for resolution. The continued
debate over vulnerability disclosure exists in the bug bounty world as well.

Over the past few years, almost in line with the increase in bounty
programs, we're seeing more open sales of vulnerability information, as
well as of the information obtained by using those vulnerabilities. An
article from mid-2016 in The Register cited Dell SecureWorks research that
boiled down hacking activity into a menu-style offering:

- Banking credentials are sold for between 1% and 5% of the account balance.
- American Express Cards fetch $30, towards the upper end of prices for
  plastic card credentials, which start at $7 and rise depending on the type
  of card and the amount of associated data offered for sale.
- DDoS (distributed denial of service) attacks can be contracted for as low
  as $5 an hour, the same price as remote-access trojans.
- Angler exploit kits – a common hacking tool that's used to sling malware
  from compromised or hacker-controlled websites – are licensed from $100.
- Crooks are also expanding their offerings with a greater range of products,
  including ATM skimming devices for $400 or less.
- Hacking a corporate email account costs $500 per mailbox, about four times
  the price of hacking into a Gmail or Hotmail account ($123).

Even on social media, users are becoming very open about their hacking
activity. This includes the rather benign poking at notable media
characters like Edward Snowden, and computer security professionals such as
Kevin Mitnick.

The same person, @1x0123 on Twitter (account now suspended, so links are
404 but kept for the record), announced the compromise of naughtyamerica.com
with 150,000 accounts and plaintext passwords, an unnamed nasa.gov system
with remote access, implications that the New York Times web site has an
SQL injection vulnerability, and that the Los Angeles Times web site has a
remote vulnerability that allows full access.

If that wasn't enough, consider that this was apparently one person, and they
also announced their own exploit market, to "improve safety & security
products". This comes full circle, thinking back to the Department of
Defense's bounty program announcement and its likely requirements. The
same person also demonstrated a couple of cross-site scripting vulnerabilities
on Pentagon web sites.

Since the initial DoD program, more government bug bounty programs have been
launched and/or expanded. In January 2017, the U.S. Army launched a bounty
and the U.S. Air Force launched a bounty-based contest for a given period of
time. While the Army program seems to be part of the broader Hack the
Pentagon initiative, there are no signs yet that the Navy, Marines, or Coast
Guard have started a bounty program. Additionally, it is interesting to
note the number of valid reports as compared to the payout for the Hack the
Pentagon bounty:

Out of all the submissions, 138 were found to be “legitimate, unique and
eligible for a bounty,” and resolved according to Defense Secretary Ash
Carter. Those vulnerabilities earned $75,000 in total bounty rewards, paid
promptly by HackerOne at the conclusion of the program.

That means the average payout was $543.48, and the total program payout of
$75,000 was only 0.005% of the cost of some military ordnance.

Formal bug bounty programs are largely considered to be on the side of good
and the domain of whitehat hackers, and are increasingly considered "worth the
risk". It is important to note that there is also a steady rise in their
counterparts (as always, take commentary on the sale of exploits with a
grain of salt). More exploits, and the fruits of their use, are being sold
on the open or black market to the highest bidder. Every day, RBS hopes
that more data comes to light about these sales, even if they are in the past.

We have been following the U.S. Government's foray into the bug bounty world
closely and have been pleased to see the continued expansion. It does beg
the question of how many other countries will view the U.S. results as a
success and begin to create programs as well. Recently, the UK
Government announced it was working with Katie Moussouris from Luta
Security on its first vulnerability coordination pilot.

Meanwhile, tracking vulnerabilities and the subsequent data breaches
continues to prove a healthy challenge. There have already been over
10,500 new vulnerabilities and more than 2,200 data breaches reported in
2017. Software vulnerabilities and the 'businesses' they create are not
going away anytime in the near future. Organizations of all sizes in all
industries need to address network protections and focus the necessary
resources on vulnerability discovery and remediation.