Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

06:10 PM
Connect Directly

Diverse White Hat Community Leads To Diverse Vuln Disclosures

Researchers at Penn State find that courting new bug hunters is just as important as rewarding seasoned ones.

A larger, more diverse workforce of white hat web vulnerability researchers is a good thing, researchers at Penn State University have found. Growth in the community leads to more bug reports for more websites, and discovery of a wider variety of vulnerability types -- beyond just SQL injection and cross-site scripting.

Therefore, while applauding and rewarding the most prolific bug bounty-hunters continues to be a wonderful thing, the researchers recommend that the security industry should do more to attract newbies to vulnerability disclosure programs.

Assistant professor Jens Grossklags, post-doc Kai Chen, and doctoral student Mingyi Zhao from Penn State's College of Information Sciences and Technology, made these conclusions after analyzing 3.5 years of activity on Wooyun, the premier bug bounty platform in China. During this time span, 3,254 researchers disclosed a total of 16,446 vulnerabilities through Wooyun. Researchers are paid in prestige, not yuan, but Wooyun is beginning to offer monetary rewards for important discoveries and some companies give gifts to researchers for disclosing important vulnerabilities in their websites. 

"Wooyun allows for a deeper analysis [than other disclosure programs and bug bounties], since the details reported for each report are comparatively substantial," says Grossklags. "Most other forums either lack detailed information about the reported vulnerabilities, or detailed information about the track record of the submitter."

"Wooyun is the only full disclosure program. That's why we choose to study Wooyun first," says Zhao. "And based on a preliminary analysis of HackerOne's public data, we see very similar patterns in both data sets. So in general, I would say results obtained from analyzing Wooyun's data are relevant to other platforms as well."

The researchers wanted to better understand the machinations of the bug bounty market, and see how to enhance its overall productivity.

They discovered that as the number of active users on Wooyun grew, the nature of the reported vulnerabilities changed.

For example, the number of high-severity bugs reported began to exceed low-severity ones, and that gap continues to expand. Also, bug bounty-hunters -- facing bigger competition -- set their sights on a wider variety of targets. Reports of weaknesses on low-traffic websites started to outnumber those on the most popular websites.

"High-value websites benefit from a better state of security of less trafficked websites," says Grossklags. "For example, stolen information from such less popular websites, such as password datasets, can be repurposed for attacks on higher value targets."

Grossklags says they are also trying to understand "to which degree less prominent participants of the white hat community can provide similar contributions" as the "most prolific contributors." They divvy up the pool of active disclosers on Wooyun into a "head group" and a "tail group" -- each of which are responsible for roughly half of the total vulnerabilities.

The head group consists of a small number (191) of super-productive researchers who averaged 43 bug reports apiece over the time studied. Most of them specialize in hunting down SQL injection and cross-site scripting vulnerabilities. The weaknesses they unearth are on average slightly more severe than those turned up by the "tail group."

The tails are a larger group of people (3,063), who only averaged 3 vulnerability reports. This is nevertheless an important group, because they are more responsible for discovering the less common vulnerabilities -- like access privilege bypass, command execution, and logic error vulnerabilities.

Each company should be especially grateful to the person who reports the most vulnerabilities to them, sure. However, those top contributors only seem to be responsible for between 2 and 4% of the total bug reports. So, value the stars, yes, but not at the expense of the rest.

As the report states, "While rewarding top contributors may be beneficial, attracting more white hats to participate is equally helpful."

A system like Wooyun's is an interesting case to observe from the US, where seeking vulnerabilities on another person's website without explicit authorization to do so, is technically a felony under the Computer Fraud and Abuse Act. Organizations establish their own disclosure programs to specifically tell the white hat-wearing public that they're welcome to dig around, as long as they follow a few ground rules.

"There are more and more companies embracing the idea of bug bounty in the US," says Zhao. "These companies usually establish their bug bounty programs in platforms like HackerOne ... and allow white hats to test their systems. ... Definitely, Wooyun is a much more aggressive model. That is, a white hat can freely choose a target without the target's consent. I guess this can happen because relevant law in China is not mature now."

"It is certainly the case that information sharing of security information is hampered by legal uncertainty," says Grossklags. "The recent proposals of the president aim to address such sharing impediments; however, it remains to be seen whether the details of the proposal suggest that they improve the situation."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Ninja
1/23/2015 | 11:40:46 AM
Looking for vulnerabilities
"... seeking vulnerabilities on another person's website without explicit authorization to do so, is technically a felony under the Computer Fraud and Abuse Act."

This sounds like a huge moral dilemma. It isn't right to be scanning a website just to see if there is a vulnerability in it. I get that. Now if I was the website owner, I would rather have a white hat tell me that there is a vulnerability in my website which was uncovered while "scanning", than find out that the vulnerability was exploited by seeing my customers' PII or PHI or financial data being traded in the black market. How would I feel, though, about someone scanning my website without my permission, just to see if there is a vulnerability? I would not be happy about it at all, but at the same time, I really would like to know if I have a potential problem. I do not think that I would not report it to the authorities as a violation of the CFAA unless they broke the website and I lose revenue as a result. Regardless, I would probably let the white hat know that the action they took wasn't entirely legit ... then thank them for finding it, of course! Almost sounds like a love/hate relationship, doesn't it? I'm sure there are many others who think that way. Any thoughts?
Sara Peters
Sara Peters,
User Rank: Author
1/23/2015 | 12:26:51 PM
Re: Looking for vulnerabilities
@GonzSTL  It's a dilemma, but my biggest problem is the huge disparity between how software vulnerability research is legislated and how web vulnerability research is legislated. A lot of security people don't even know that they could get in trouble for the gentlest knock on the door.

The key example for me is Daniel Cuthbert, who was convicted under the Computer Misuse Act several years ago. He had donated money to a tsunami relief charity, then gotten no confirmation page or any indication that his donation had gone through. As a security professional, he started wondering if maybe this was a fraudulent charity set up by cybercriminals. So he did a little shell code command just to see if the site had any security on it (assuming that a legitimate site would).

Then he decided it was probably legit, and thought nothing of it. Until the police came to his office and took him off in handcuffs.
User Rank: Ninja
1/23/2015 | 1:11:26 PM
Re: Looking for vulnerabilities
@Sara Peters: The legislation issue is definitely huge, as noted in the recent posts by Ericka Chikowski and Jeff Williams among others, here on Dark Reading. I'm sure several security pros are keenly aware and keeping abreast of the current state of legislations regarding this topic. I really hope that we can come up with something that serves to protect IT infrastructures while at the same time, not detract from the efforts to assess the same infrastructures we try to protect. As I see it, the federal and state legislative environments regarding this issue are quite a mess, with overlapping and conflicting scopes, confusing and unclear laws, etc. I am really surprised that someone has not yet formed an official umbrella group that brings all the players together to hammer out a definitive and comprehensive solution on a national scale. Time is getting uncomfortably short; just look at the recent Sony attack, which I believe to be just a precursor to more sinister and devastating attacks in the future.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/23/2015 | 1:44:16 PM
Re: Looking for vulnerabilities
I really hope that we can come up with something that serves to protect IT infrastructures while at the same time, not detract from the efforts to assess the same infrastructures we try to protect.

I hope so too, @gonz. I don't have a lot of confidence in our legislators (state or federal) in getting it right. But doing nothing is worse...
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
1/25/2015 | 8:04:39 PM
Unfortunately, it would seem that if the current administration gets its way (as Jeff Williams wrote for Dark Reading recently), the CFAA will be expanded significantly -- which is harmful to and disincentivizes white-hat hackers and independent bug-hunters because it penalizes their security hole-finding activities.

I recently saw Katie Moussouris, HackerOne's Chief Policy Officer, speak at a cybersecurity conference, and she was insistent on this point, calling hackers "a giant pool of untapped resources" and advising attendees to "be prepared to receive a notification from a friendly hacker[.]"  (In particular, she pointed to the example of Polish hacker group the Last Stage of Delirium (LSOD) IDing the vulnerability that led to the Blaster worm, and Microsoft's response: sending employees to Poland to recruit the hackers.)
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/26/2015 | 9:40:26 AM
Re: Alas...
The key to the success of these bug-bounty programs relies on the credibility and legitimacy of the white-hat hackers. Not sure that a platform like Wooyun is the right model of the U.S. , especially under the existing and possible expansion of the CFAA, as @Joe Stanganelli points out.
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-10
On BIG-IP version 16.0.x before and 15.1.x before 15.1.3, malformed HTTP/2 requests may cause an infinite loop which causes a Denial of Service for Data Plane traffic. TMM takes the configured HA action when the TMM process is aborted. There is no control plane exposure, this is a data plan...
PUBLISHED: 2021-05-10
On versions 16.0.x before, 15.1.x before 15.1.2, 14.1.x before, 13.1.x before, and 12.1.x before, when the BIG-IP ASM/Advanced WAF system processes WebSocket requests with JSON payloads using the default JSON Content Profile in the ASM Security Policy, the BIG-IP ...
PUBLISHED: 2021-05-10
On BIG-IP versions 16.0.x before, 15.1.x before 15.1.3, 14.1.x before 14.1.4, and 13.1.x before 13.1.4, lack of input validation for items used in the system support functionality may allow users granted either "Resource Administrator" or "Administrator" roles to execute...
PUBLISHED: 2021-05-10
On versions 16.0.x before, 15.1.x before 15.1.3, and 14.1.x before 14.1.4, BIG-IP Advanced WAF and ASM are missing authorization checks for file uploads to a specific directory within the REST API which might allow Authenticated users with guest privileges to upload files. Note: Software ve...
PUBLISHED: 2021-05-10
On BIG-IP 15.1.x before 15.1.3, 14.1.x before, through, and all versions of 16.0.x, when running in Appliance Mode, an authenticated user assigned the 'Administrator' role may be able to bypass Appliance Mode restrictions utilizing undisclosed iControl REST endpoints. Note...