How do I reasonably price my bug bounty program?

I saw a great question on Twitter this evening from @Shmuelie:

Random Question for the internet: How do you reasonably price bug bounties?

We get asked this a lot. Here are a couple of points of guidance we tend to give:

  1. What kind of talent do you want to attract? It’s a fundamental tenet of crowdsourcing that a bigger opportunity (read: more cash in the bounty pool and/or more cash per bug) will attract more and better talent.
  2. What’s the market expectation? Facebook pays a minimum of USD 500 per bug. Google pays more. Coinbase pays less (but they pay in Bitcoin so it’ll *probably* be more at some point in the future). There are precedents out there… Where does your company fit into this continuum? The Bugcrowd community-powered list of bug bounty programs will save you a lot of research time.
  3. MOST IMPORTANT: What will the amount you set say about the value you place on security? For instance, setting a USD 5,000 bounty reward pool on the Internet banking platform of your multinational bank is probably not sending the right message…

Hopefully that helps.

There are a bunch of other considerations, and we’ve got a couple of other neat tricks to sizing bounties, but they’re reserved for those who get in touch about Bugcrowd managed bug bounty programs for web and mobile apps.

How to win at Bugcrowd timed bounties (even if you’re asleep when they start)

Here’s how Bugcrowd timed bounties work:

  • There’s a set scope (what to test), timeframe (when you’re allowed to test it), and budget (how much cash is available to testers).
  • When the start time rolls around, an email is sent out to all testers currently signed up to participate at https://portal.bugcrowd.com. At the same time the bounty brief becomes visible in the portal on the “Bounties” page. If the client is using Crowdcontrol or running a private bounty we’ll send out the access details.

If you’re a security researcher and you haven’t signed up at https://portal.bugcrowd.com yet, do it now and join the hunt! It’s free and I promise we’ll be right here when you get back.

  • Oh yeah, and we’ll usually tweet something cute on Twitter like “RELEASE THE HOUNDS” (dedicated to one of our early fans back in Oz).
  • That’s when the magic happens… The Bugcrowd ninjas do their thing, finding security bugs and submitting them as soon as they’re found.
  • The bounty ends, another email is sent, the bounty brief moves into the “Past Bounties” section of the portal, and testing ceases.

Then we reward the ninjas…

  • Every valid submission receives Bugcrowd Kudos points. These points can be used for bragging rights, to compete with fellow testers, and qualify testers for inclusion in Bugcrowd “private bounties”.
  • The first to report each unique and validly submitted issue gets a cash reward and more Kudos points. We call them first-to-find (or F2F when we’re on Twitter).
  • The most creative or severe issues are rewarded with first, second and third place, which means more points and more cash.

Speed, disclosure and depth of testing are all incentivized. This model, combined with the awesome testers in our 1,700 strong crowd, is the reason we’ve seen over 4,000 bugs and 7 third-party 0-days come in so far… More on that later.

We also do ongoing fixed bug-price “Google-style” bounties… More on that later too.

From time to time we’ll get an email from one of the ninjas that goes something like this:

The bounty kicked off while I was asleep/working/occupado… Should I even bother? Doesn’t missing the start reduce my chances of getting a first-to-find?

It obviously does, but not nearly as much as you might think…

  • While a lot of the simpler-to-find stuff tends to get shaken out in the first 48 hours or so, we are still receiving plenty of first-to-find submissions after that… often right up to the close of the bounty.
  • The vast majority of submissions which end up receiving a placed reward come in on the third day or later, usually after a bit of a lull in activity.

Bugs vs Time: This is data from an actual Bugcrowd bounty.

So, without further ado we’re going to go ahead and tell you how to win at Bugcrowd timed bounties:

  • If you are available for the kick-off then go for the simple stuff and report it promptly.
  • If you’re not available until later it still pays to go for the “wide and low” issues, but focus your attention on bugs which are either harder to find (obscure vectors, etc) or more complex (WAF and filter evasions, bug chaining, public service injections, etc).

Make sense? This broadly applies to *all* bug bounty programs when they kick off.

We’ve got $20k up for grabs with another two bounties set to kick off later this week. If you haven’t already, now’s the time to join the hunt at https://portal.bugcrowd.com!

Bug Bounty Programs For The Web – A great slide deck by Michael Coates @_mwc

This is an oldie but a goodie (yes, September 2011 is old… especially in application security).

Michael Coates, Director of the Infrastructure Security Team and a member of the OWASP Board, gives us a look inside the Mozilla bug bounty program, takes us through why bug bounties are an important evolution in application testing, and addresses some of the common concerns and objections (Slide 25 onwards).

Mozilla were one of the first to run a formalised bug bounty program. They started their program nearly 9 years ago and are very vocal about the awesome-sauce that is crowdsourced security testing.

Interestingly, a lot of the data Bugcrowd has accumulated in the bounties we’ve run to date lines up very nicely with Michael’s.

Enjoy!

Bugcrowd: In your paper, on your TV, and on your radio

Note to testers: Bugcrowd testers only have permission to test within the scope of active bounties, which can be found at https://portal.bugcrowd.com. At the time of this post Coles don’t have an active bounty.

Coles – a $32B-revenue supermarket chain in Australia – is so happy to have engaged Bugcrowd that they had a chat with the Sydney Morning Herald about it: http://www.smh.com.au/it-pro/security-it/coles-bitten-by-the-hacker-bug-20130429-2iou2.html.

It didn’t stop there… 2UE – a very prominent radio station in Sydney – contacted our advisor Nick Ellsmore of Delling Advisory for an interview which can be listened to here: http://www.2ue.com.au/blogs/2ue-blog/companies-want-hacker-attackers/20130430-2iqmo.html.

To top it off, I’m told we also popped up on a couple of television programs including The 7pm Project… We’re still hunting down links for these and will update if/when we find them.

Suffice to say it has been a busy few days for Bugcrowd, but we’re just getting started!

- cje

Meet the Bugcrowd… Bounty Hunter Profile: @MirxaLive (Mirza Burhan Baig)

Our crowd of application security experts are the engine which powers Bugcrowd. Over the coming few weeks we’re going to introduce you to a few of them.

Want to join the Bugcrowd and participate in our bug bounties? Head over to our tester portal at https://portal.bugcrowd.com and sign up!

Today’s Bugcrowd profile is on Mirza Burhan Baig.

What’s your name?

Mirza Burhan Baig

How long have you been hunting bugs?

I have been hunting for 6 months. It’s not my hobby… it’s my passion that forces me to hunt for bugs in various applications….

What’s most memorable bug you’ve discovered?

The most memorable bug was a DOM XSS that I found on Apple.com… I submitted 40 DOM XSS on their subdomains…. It is fixed now; I must appreciate Apple for fixing it very quickly….

And the second one was when I found a DOM XSS in the Microsoft Surface domain. It was launched a day before, and I triggered DOM XSS in that domain on almost 6-7 pages that describe its features. For that they put me on their Security Researchers page for November….

What do you like about bug bounties?

Well, bug bounty programs allow researchers to work harder, because it’s not all about name every time; if you are paid for something you will be automatically attracted to it, and at the same time it makes us fight harder and sharpen our skills to cut the security… So it’s good; students like us can make our future bright with the help of programs like bug bounties!

If there was one thing you could suggest to improve the way bug bounties are run, what would it be?

Just credit every researcher who has put in their time to find that bug. Just ask them the whole story of how they did it; otherwise mostly we hear “It’s a duplicate bug, someone already reported that bug”. Make it crystal clear, to motivate researchers to work harder to find it first ;)

What methodology do you use when participating in a bug bounty?

Basically I am not restricted to one methodology that I have to follow just this way… No, it depends on the website, it depends on its structure, its security levels; then I plan a methodology which kills it :D … That is my perspective for hunting. Mostly I go for services used by that website, and the subdomains of that website… because we can make our main door more secure than the window in the kitchen ;) … Starting to hunt with a proper methodology gives you success; otherwise you just browse it and sleep well…

A big thanks to Mirza for agreeing to be interviewed and posted on our blog!

Meet the Bugcrowd… Bounty Hunter Profile: @info_dox (Darren Martyn)

Our crowd of application security experts are the engine which powers Bugcrowd. Over the coming few weeks we’re going to introduce you to a few of them.

Want to join the Bugcrowd and participate in our bug bounties? Head over to our tester portal at https://portal.bugcrowd.com and sign up!

Today’s Bugcrowd profile is on Darren Martyn from http://insecurety.net.

What’s your name?

Darren Martyn

How long have you been hunting bugs?

A few years now, mostly as a hobby, occasionally as work.

What’s most memorable bug you’ve discovered?

Most memorable bug is actually an implementation flaw in how Ubuntu uses ecryptfs to “protect” home directories. The homedir is encrypted, but the user’s login password is enough for recovery. And seeing as the shadow file is right there… To make it more interesting, you do not need the “recovery key” ecryptfs provides you at all to decrypt it, just the login password. Not spectacular, but it always “sticks out” as quite an epic failing for a “security feature” in a popular operating system.

What do you like about bug bounties?

Personally, I like how they give people like myself valuable practice testing live ‘targets’. I also like how a company running a bounty gets their product tested fairly thoroughly before they make it public, so they can iron out any serious flaws in it. It is beneficial to everyone – the tester, the company, and the customers whose data is now less likely to end up on pastebin.

If there was one thing you could suggest to improve the way bug bounties are run, what would it be?

In an ideal world, a broader scope (server side services being targets) would be great, but what with shared hosting, completely impractical. I suppose “More bug bounties!” is the only real improvement I can think of!

What methodology do you use when participating in a bug bounty?

My methodology is somewhat less defined than most people’s. I usually start by looking at the target site, browsing around it for a few minutes, then looking for places where I can either insert my own input, or learn more about what the site is running. I normally try some simple “find directories” stuff to try to fingerprint the app, followed by some gentle testing for XSS, SQLi or path traversal. I normally go for the low hanging fruit first, then look a little deeper.

A big thanks to Darren for agreeing to be interviewed and posted on our blog!

[BOUNTY] #Beta013 Bugcrowd Beta Portal bug bounty is now open

The Beta 013 bug bounty is now open.

********************************************************************************
SUPER IMPORTANT
********************************************************************************
Testing is permitted on the web application at the nominated target address only. All other systems and applications are out of scope. This includes testing systems linked to by the target application, the target application’s underlying host, the platform it runs on, its SMTP and auxiliary services, its control panels, the target’s hosting provider, and any other hosts or web apps which may be in the target domain.

I’ll repeat, only the nominated target is in scope.

The purpose of this bug bounty is to find application security issues which can be fixed by developers. This is not a traditional penetration test. If this is in any way unclear please contact us at support@bugcrowd.com before you commence.

********************************************************************************
TARGETS/ACCESS/TIMES
********************************************************************************
Target: https://portal.bugcrowd.com

Credentials: Please self register. Note that the site’s data will be nuked and paved once testing is completed.

Start time: 06:00 19 Mar 2013
End time: 06:00 21 Apr 2013

********************************************************************************
REWARDS
********************************************************************************
This bounty is on the first iteration of what will be our tester and bounty management platform. Serg and the team have done a pretty solid job of getting it locked down but we’re going to eat our own dogfood and get the Bugcrowd to do what the Bugcrowd does best…

1st place: $500 (winner takes all)
All other valid bugs (if first to find and disclose): 5 points
All other valid bugs: 2 points

********************************************************************************
UPDATES
********************************************************************************
There have been some great conversations, tips, tricks, and so on in the #bugcrowd IRC room on irc.freenode.net. If you use IRC, and even if you don’t, we recommend you join in.

********************************************************************************
NOTES/TIPS/IDEAS
********************************************************************************
The first rule of Bugcrowd is that you don’t talk about Bugcrowd. We’re happy for you to let people know you are participating, but permission to test is granted on the condition of non-disclosure of any bugs found to anyone other than Bugcrowd.
Outages or other issues which affect the platform under test will be posted to our https://twitter.com/bugcrowd_status Twitter feed and to http://status.bugcrowd.com.

Cheers
The Bugcrowd team

[BOUNTY] #Beta011 Google/SyScan Hardcode bug bounty is now open

The Beta 011 Google/SyScan Hardcode bug bounty is now open.

IMPORTANT! The rules are a bit different for this one.

PLEASE READ AND FOLLOW THE FULL BRIEF BEFORE YOU START.

********************************************************************************
SUPER IMPORTANT
********************************************************************************
Testing is permitted on the web application at the nominated target address only. All other systems and applications are out of scope. This includes testing systems linked to by the target application, the target application’s underlying host, the platform it runs on, its SMTP and auxiliary services, its control panels, the target’s hosting provider, and any other hosts or web apps which may be in the target domain.

I’ll repeat, only the nominated target is in scope.

The purpose of this bug bounty is to find application security issues which can be fixed by developers. This is not a traditional penetration test. If this is in any way unclear please contact us at support@bugcrowd.com before you commence.
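The scope rule above, and the identical one in the Beta 013 brief, as an added check that is not Bugcrowd’s own tooling: a filter that decides whether a URL encountered while testing (a link, a redirect, an asset host) belongs to the nominated target. It assumes the nominated target is a single origin, so scheme, host and effective port all have to match; subdomains, the http:// variant of the target and other hosts in the target domain are rejected. The list of candidate URLs is constructed for illustration.

```javascript
// Added example: an in-scope filter for a single-origin bounty target.
// Not Bugcrowd code. Uses the WHATWG URL parser that Node provides
// as a global, so userinfo tricks and default ports are handled by
// the parser rather than by hand-written string matching.

// Reduce a URL to "scheme://host[:port]". Returns null for anything
// that is not a parseable http(s) URL, so such input is never in scope.
function originOf(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return null; // unparseable input
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  // The parser lowercases the host and drops the default port
  // (443 for https, 80 for http), so https://host and
  // https://host:443 reduce to the same origin string.
  return `${u.protocol}//${u.hostname}${u.port ? ':' + u.port : ''}`;
}

// True only when the candidate is on exactly the nominated origin.
function inScope(target, candidate) {
  const t = originOf(target);
  const c = originOf(candidate);
  return t !== null && c !== null && t === c;
}

function filterInScope(target, candidates) {
  return candidates.filter((c) => inScope(target, c));
}

// Constructed sample: the Beta 013 target and URLs a tester might
// run into while browsing it.
const TARGET = 'https://portal.bugcrowd.com';
const SEEN = [
  'https://portal.bugcrowd.com/bounties',
  'https://portal.bugcrowd.com:443/users/sign_up', // default port: in
  'https://PORTAL.bugcrowd.com/bounties',           // host is case-insensitive: in
  'https://status.bugcrowd.com/',                   // another host in the domain: out
  'http://portal.bugcrowd.com/bounties',            // different scheme: out
  'https://portal.bugcrowd.com@evil.example/',      // userinfo trick; host is evil.example: out
  'https://portal.bugcrowd.com.evil.example/',      // suffix trick: out
  'mailto:support@bugcrowd.com',                    // not http(s): out
  'not a url',                                      // unparseable: out
];

for (const u of SEEN) {
  console.log(inScope(TARGET, u) ? 'IN  ' : 'OUT ', u);
}
```

Wire `inScope` into whatever proxy or scanner you drive the test from and drop anything it rejects before the request leaves your machine; the userinfo and suffix cases are the ones a naive `startsWith` or substring check gets wrong.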

********************************************************************************
TARGETS/ACCESS/TIMES/TERMS AND CONDITIONS
********************************************************************************
Please visit https://code.google.com/p/hardcode/wiki/Hardcode2013SecurityBugs for all details relating to this bug bounty.

Start time: 00:00 9 Mar 2013
End time: 00:00 23 Apr 2013

Notes:

- The apps are running on Google’s App Engine platform, which has active defences. Using automated scanning tools will probably get you blocked. If this happens, email your IP address to support@bugcrowd.com with the subject “Beta 011 – Blocked IP”, but be warned: getting unblocked is not a quick process. You’re best off going slow and steady and avoiding it in the first place.

- Flaws found from static code analysis are allowed. The source is available.

********************************************************************************
UPDATES
********************************************************************************
There have been some great conversations, tips, tricks, and so on in the #bugcrowd IRC room on irc.freenode.net. If you use IRC, and even if you don’t, we recommend you join in.

********************************************************************************
NOTES/TIPS/IDEAS
********************************************************************************
The first rule of Bugcrowd is that you don’t talk about Bugcrowd. We’re happy for you to let people know you are participating, but permission to test is granted on the condition of non-disclosure of any bugs found to anyone other than Bugcrowd.
Outages or other issues which affect the platform under test will be posted to our https://twitter.com/bugcrowd_status Twitter feed and to http://status.bugcrowd.com.

Cheers
The Bugcrowd team

Meet the Bugcrowd… Bounty Hunter Profile: @JohnathanKuskos (Johnathan Kuskos)

Our crowd of application security experts are the engine which powers Bugcrowd. Over the coming few weeks we’re going to introduce you to a few of them.

Want to join the Bugcrowd and participate in our bug bounties? Head over to http://bgcd.co/join-the-bugcrowd and sign up!

Today’s Bugcrowd profile is on Johnathan Kuskos.

What’s your name?

Johnathan Kuskos

Johnathan Kuskos - He takes being a Bugcrowd Ninja very, very, seriously.

How long have you been hunting bugs?

A little over a year. I graduated with my B.S. in Computer Science from University of Houston-Downtown last year and have been working in the InfoSec industry ever since as a black box web application vulnerability researcher. This has been one of the most fun hobbies/jobs that I think I’ve ever had the pleasure of being involved with. Breaking another developer’s code puts a bigger smile on my face than writing something cool myself =)

What’s most memorable bug you’ve discovered?

I once found this on an application (not Twitter) where you can follow people or be followed. If you follow someone, it shows on their profile as “this person is followed by x, y, z, john smith, bob”, etc.
I registered an account with my G+ test account, followed a few people, quickly realized it was worm potential and had to inform the application’s security staff immediately to have them delete the account (it was persistent and I couldn’t remove it). All I needed to do was follow everyone and XSS would pop on every single user profile page. This had the potential to compromise every single account (of which there were hundreds of thousands). The developer’s mistake here was trusting that another application will validate input, sanitize it, and then output encode it for you.

What do you like about bug bounties?

I’m pretty driven by the thought of everyone competing against each other. It puts more pressure on me to find the “game over” vulnerability faster than everyone else, since ultimately the first submission is the only one that ever gets credit. I really like CTFs and sadly they are just not too plentiful. Bug bounties seem like the next closest competition.

I also like being credited as someone that has been part of the solution and not the problem. Having a responsible disclosure list, as several participating bug bounty programs do, makes you feel all warm and fuzzy inside when you’re on it!

If there was one thing you could suggest to improve the way bug bounties are run, what would it be?

Bug bounties are great. Hundreds of people testing the same application is great, because the end result is the application being more secure. Hundreds of people sharing the same authenticated credentials, not so great. For applications requiring authenticated testing, I really really really want to be able to create my own account or have one supplied to me. It both 1) allows me to not be bothered by another tester’s injections, and 2) doesn’t give away what I’m working on to other testers. I.e., what if I’ve found SQL injection, yet someone else is viewing the page that it reports on?

What methodology do you use when participating in a bug bounty?

Think like a lazy developer. If I were to implement a certain piece of functionality, what would get me from point A (conceptualizing) to point B (finished product) the quickest? Assume the developer’s boss is someone very interested in the opportunity cost of that developer not being on the next big project, so he needs to be done quick. When you start thinking about applications from the business standpoint and not the technological standpoint, I think it opens up more areas to focus on where vulnerabilities may be more plentiful.

A big thanks to Johnathan for agreeing to be interviewed and posted on our blog!
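The follower-list bug Johnathan describes, as an added example that is not code from the original post or from the application in question: a “followed by” fragment rendered from follower display names that arrived through an external identity provider. The sample names, the provider and the function names are constructed for illustration. The first renderer trusts the upstream provider to have cleaned the name; the second encodes at the point of output, which is the only place the HTML context is actually known.

```javascript
// Added example, not code from the application Johnathan tested.
// Follower records whose display names came from a third-party
// identity provider. The provider's own validation is irrelevant here:
// once the name is placed into this application's HTML it is untrusted
// data in an HTML text context and has to be encoded for that context.

// Constructed sample followers; the third name is the kind of payload a
// federated display name could carry.
const followers = [
  { id: 1, name: 'x' },
  { id: 2, name: 'john smith' },
  { id: 3, name: '<img src=x onerror="alert(document.cookie)">' },
];

// Vulnerable: concatenates the name straight into markup, trusting that
// whoever issued the name already validated, sanitized and encoded it.
function renderFollowedByUnsafe(list) {
  return '<p>This person is followed by ' +
    list.map((f) => f.name).join(', ') + '</p>';
}

// HTML encoder for element bodies and double-quoted attribute values:
// the five characters that can change structure in those contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: encode at output, regardless of where the data came from.
function renderFollowedBy(list) {
  return '<p>This person is followed by ' +
    list.map((f) => escapeHtml(f.name)).join(', ') + '</p>';
}

// Demonstration check: does the rendered fragment contain any tag
// beyond the <p> wrapper the template itself emits?
function containsInjectedTag(html) {
  const body = html.replace(/^<p>/, '').replace(/<\/p>$/, '');
  return /<[a-z]/i.test(body);
}

console.log('unsafe:', renderFollowedByUnsafe(followers));
console.log('safe:  ', renderFollowedBy(followers));
```

Run it with node: the unsafe renderer emits the img element as live markup on every profile that lists the attacker, which is the worm Johnathan describes; the hardened one emits it as inert text. `escapeHtml` is only correct for element bodies and quoted attribute values. A name dropped into a URL, a script block or an unquoted attribute needs the encoder for that context.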

[JOB POSTING] Application Security Engineer in Sydney Australia

One of the great things about being a Bugcrowd security researcher is that it doesn’t need to conflict with your day job. Got a job you’d like us to advertise to the Bugcrowd security research community? Email us at hello@bugcrowd.com.

Description

Are you tired of running commercial scanners and IDSes that produce mostly false positives? Do you want to create your own tools that actually improve the state of application security in a growing SaaS environment instead of producing endless reports?

We are looking for two great engineers to join our Security Engineering team. The team is responsible for application security in Atlassian products and services such as JIRA, Confluence, Bitbucket, Hipchat and OnDemand. Being a small team, we rely on automation tools that we build, and need people who have great application security knowledge and can write production-grade software for the team to use.

Want to work in Sydney? We sponsor Australian work visas for the right candidates.

What you’ll do

  • Develop new security tools and improve existing ones for attack detection, compromise detection, and vulnerability discovery.
  • Find vulnerabilities in Atlassian products and services – in the ways that work for you.

Required skills and experience

  • Deep knowledge of application security – we look for tool creators, not tool users
  • Experience in delivering production software
  • Initiative
  • Goal-orientated
  • Communications skills, particularly an ability to communicate security topics to audiences not familiar with infosec jargon
  • Technical leadership and problem-solving skills
  • Passion for learning
  • Responsibility and independence

Desired skills and experience

  • Delivered production software in Java and Python, ideally both
  • Experience in conducting application security assessments
  • Past experience in Agile software development environments, ideally at a software vendor
  • Published security research or conference talks
  • Created security tools with some functionality of:
    • attack detection
    • log analysis
    • web application scanners
    • source code analysis tools
  • Ability to handle projects of varying scope
  • Teamwork skills

Interested? Apply here.