Bounty hunters in the law enforcement field are often thought of as these long haired, wild men who will do whatever it takes to track down the person who has run afoul of the law. Bug bounty hunters perhaps have the same passion for tracking down code-based flaws, but you would be hard pressed to pick them out of a lineup.
Instead of tracking down perpetrators, bug bounty hunters are tracking down any vulnerabilities in companies’ sites.
Jonathan Singer, a security engineer
With the headlines of hackers finding vulnerabilities oh so familiar, bug bounty hunters have become a necessity. Just last month Google paid out $75,000 in bug bounties to fix 159 flaws in Chrome. Even Microsoft added a bug bounty program in September, offering to pay the minimum of $500 for bugs found.
While money is a nice incentive (and the bug bounty hunters won’t turn any of it down), they are happy with a pat on the back and some recognition for their work. It’s a way to work legally on a site without fear of being served with a lawsuit.
“It’s not often that you get to hack into live websites without the threat of the law,” said Jonathan Singer, a security engineer in the security consulting business. “I already try to contact companies if it is safe to do so. Responsible disclosure is the best policy, but more places needed to embrace it.”
A bug bounty hunter who gave only his handle, Bitquark, said he enjoys taking advantage of routes through a system which the designer may not have intended or planned for.
“Spending hours picking away at something before finally landing a bug is enormously gratifying.”
The staff information security engineer at Tesla Motors found success in the bug bounty world when he found an SQL injection flaw in Facebook. This find netted him a $15,000 reward. The flaw led to remote code execution in the Oculus developer portal.
The engineer, in his 30's, said he might pick at a project from time to time, but there are others that are timed that might require a more concerted effort.
Singer has been a bug bounty hunter for just over a year.
“It is still a hobby for me, kind of like a weekend warrior gig,” he said. “My 9-to-5 is already spent with compliance and policy, so this is kind of a way to unwind, see what challenges exist and maybe get some swag or cash.”
On a site like Bugcrowd, you can find a list of the open bug bounties along with a rundown of some of the contributors. Companies shown on Bugcrowd include EMC, Google, IBM, Microsoft and Yahoo. Each layout in minute detail what is open to scrutiny on their sites and what are available for rewards. For example, Google lists a $20,000 reward for anyone who can find remote code execution of their accounts.google.com.
For Sebastian Neef, Tim Philipp Schäfers and Julien Ahrens, they collected a five-figure reward for their finding a path traversal vulnerability on PayPal’s main domain. In doing so, they were able to download any file from the server.
Neef and Schäfers founded Internetwach.org in 2012, with Ahrens joining them a year later. When asked if they juggled a family while going to college or holding down a job along with being a bug bounty hunter, they said they are not married “but sometimes a girlfriend makes life more time consuming and we all know family/ girlfriend is more important than bug hunting.”
Neef (21) studies computer science at the technical university in Berlin, while Schäfers (19) also studies economy and computer science at Bielefeld. Ahrens is the old man of the group at the age of 29 and works at secunet Security Networks AG. They got into the bug bounty profession as a side job when they started hearing about the hacker group Anonymous.
“Naturally the media tried to defame all kind of hackers as criminals. It was clear that small mistakes can lead to big data leaks,” they said.
The threesome advise anyone who wants to get into the business to be prepared to think outside of the box and be creative in your approach. They gave the following list of attributes a bug bounty hunter should have:
- Creative: Try to find new ways to bypass/combine/exploit specific situations, to think of new attack-vectors
- Thinking like a developer: The person has to empathize with the developer who wrote the application. Only that way you'll be able to think about edge-cases or understand the application's work/data-flow.
- Thinking like a bad boy: Try to push the limit. Don't stop before you're root on the target machine
- Polite/calm: It's not always easy to explain a complex security issue to a developer. A very important key to success is the possibility to communicate your thoughts properly, as you want the developer to fix your security findings.
- Realistic: Always consider the real impact and the resulting risk for the business.
- Responsible: Discovering a critical bug usually puts a huge burden on your shoulders. Act accordingly.
“Having a look at the security community, we can tell that there are a lot of top-notch bug hunters who fulfill nearly all of the above points. On the other hand, there are ‘unskilled’ or new bug hunters who try to make some quick bucks by using one-click-tools and sometimes go as far as threatening the business owners. We refuse to call these people ‘bug hunters’,” they said.
They enjoy bug bounty hunting because it gives them the freedom to break things whenever they want. “By submitting useful reports the chances are good that more and more companies will get the idea about responsible disclosure,” they said in calling bug bounty hunting the ultimate in crowdsourcing.
The common mistakes that these bug bounty hunters find usually involve basic configuration mistakes or missing best practice issues. When going for more severe bugs, standards like Cross-Site Scripting (XSS) & Cross-Site Request Forgery (CSRF) are not uncommon.
Most development frameworks take care of basic XSS and CSRF issues. They have noticed a decrease in SQL Injection bugs and that can be underpinned by ORMs and prepared statements which do a good job preventing SQL profile websites and/or tools.
“Security is about practice. Try and try again, and keep trying, and keep learning new things,” Singer added. “I see some researchers jump in headfirst and try to hack everything in sight. Best of luck to them, but in reality it is not that simple.”
The bug bounty hunters cautioned about going it alone to find vulnerabilities before getting approval from the site owner. Sites like Bugcrowd can help set up the legal documentation to protect the bounty hunters.
This story, "Why bug bounty hunters love the thrill of the chase" was originally published by CSO.