Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

12/29/2016
08:00 AM
Jason Haddix
Jason Haddix
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Bug Bounty Model: 21 Years & Counting

A look back on the beginnings of crowdsourced vulnerability assessment and how its robust history is paving the way for the future.

When Netscape launched the first bug bounty program 21 years ago, it redefined the way companies approach system vulnerabilities. Today, there is widespread adoption of crowdsourced security programs across mainstream companies with more than 600 publicly disclosed programs and counting.

I’ve worked on a number of these bug bounty programs over the years, and served as director of penetration testing for HP Fortify. The changes have happened so fast, it’s easy to lose sight of how far we’ve come since the very first program was introduced in 1995. As we approach the new year, let’s take a look at the robust history that set the foundation for the modern bug bounty program.

The First Bug Bounty
Netscape Technical Support Engineer Jarrett Ridlonghafer designed and launched the first bug bounty program to discover vulnerabilities in Netscape’s beta version Navigator 2.0 Internet Browser. The company offered cash rewards to hackers who found bugs in the software.

Although this was a major advancement for the security industry, the model wouldn’t catch on for another seven years. By 2002, IDefense launched its own bug bounty program and in 2004, Mozilla created a program that is still running today. These early programs paved the way for the modern bug bounty and for the emergence of managed programs and bug bounties as a service.

Breaking the Mold
In 2010 and 2011, Google and Facebook took notice of crowdsourced security, adding them to their business models, which increased their popularity and incentivized more researchers to join the bug bounty community. In March 2011, Facebook paid a 22-year-old security researcher $15,000 for a bug discovered. By 2015, Facebook had paid more than $4.3 million to researchers globally.

Bug bounty programs were beginning to increase in popularity, yet many organizations still perceived them to be too risky. This perception was tied to the belief that a bug bounty gives hackers free reign of critical code. But the reality is much more controlled than that, because, whether you invite hackers in or not, as long as applications are connected to the Web, they’re vulnerable. Tapping into the intelligence of thousands of security researchers helps identify these vulnerabilities before the bad guys do and lowers the risk of being vulnerable.

Bug Bounties as a Service
In recent years, the growing need for bug bounty programs and the challenges and costs associated with managing them internally drove the creation of third-party platforms or bug bounties as a service. This opened new pathways for a growing hacker community and furthered adoption by other market sectors such as healthcare, financial services, automotive, and the Internet of Things.

For companies, third-party platforms offer the opportunity to create personalized programs by connecting organizations with trusted partners and a community of diverse security researchers. For researchers, the third-party platform verifies their results, handles arbitration issues with the company, and makes it easier for individuals to get paid and move onto testing for more bugs. Third-party platforms also drive the creation of a thriving community where researchers connect, educate, and inspire one another in an environment that allows people with a variety of backgrounds to share their knowledge and expertise.  

The Future
Crowdsourced vulnerability assessment has evolved to include more than just public programs. As I mentioned earlier, a common misconception about the bug bounty model is that all programs are public. In reality, the majority of all programs launched are invite-only. Private, ongoing, and on-demand programs are incredibly common and give companies a way to facilitate testing on harder-to-access applications, or focus testing on a small subset of an attack surface to meet organizational testing needs.

Private programs allow organizations of all sizes (like Western UnionOkta, and Aruba Networks) to validate the security work they’re doing internally, and leverage a curated crowd of talent to scale up their team and improve response time before going public.                  

Crowdsourced security programs have taken on many different forms and will continue to play a major role in securing applications, especially as companies face increased pressure to release updates and keep their customers’ data secure. From the increase of vulnerabilities in healthcare devices, IoT and the automotive industry, these programs can bring advancements to industries across the board. With the willingness and constant interest from intelligent engineers, bug bounty programs will continue to thrive.

Related content:

Jason is the head of trust and security at Bugcrowd. Jason works with clients and security researchers to create high value, sustainable, and impactful bug bounty programs. He also works with Bugcrowd to improve the security industry's relations with researchers. Jason's ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
12/31/2016 | 12:54:14 PM
bounty misconceptions
In addition to public vs. private-only, another potential "misconception" (if that is the right word in this case) that abounds among many researchers/hackers is that you get a payday just for discovering (1) *any* security bug and (2) anything that *looks* like a security bug.  Additionally, they operate under the misconception that (3) they will necessarily be believed.

I still remember the 2013 case of Khalil Shreateh, who -- after several repeated reporting attempts to Facebook on a serious bug -- wound up having to hack Mark Zuckerberg's Facebook account and post to his wall to prove the bug he had found.  Facebook then continued to deny Shreateh the bounty because he had technically violated Facebook's TOS in hacking Zuckerberg's account -- despite admitting that the company was too "hasty and dismissive" in not rewarding him earlier.

(In the end, Shreateh got an $11k payout from an IndieGogo fundraising campaign in lieu of a Facebook-awarded bounty.)
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-30477
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private streams meant that an outgoing webhook bot could be used to send messages to private streams that the user was not intended to be able to send messages to.
CVE-2021-30478
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the sa...
CVE-2021-30479
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been only accessible to members of the organization.
CVE-2021-30487
PUBLISHED: 2021-04-15
In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation.
CVE-2020-36288
PUBLISHED: 2021-04-15
The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused ...