Bug Bounty, Earn money from others’ mistakes
In this article I will discuss Bug Bounty programs, their pros and cons, and how to make money on them.
First of all, let's define what a Bug Bounty is: a program of paid rewards for finding problems in the security of a company's services and applications. The name translates literally as "hunting for bugs".
In other words, it is a set of rules for interacting with the company's information resources. Typically it includes the program rules, a list of the resources in scope, a description of the vulnerability classes that are accepted, and the rewards. In the classic form it is a description of what may be broken and how much a bug hunter receives for a particular vulnerability.
That is what a Bug Bounty looks like from the outside. What does it give us? First of all, a continuous process of testing the company's strength: professionals with different levels of knowledge, different tools and different time zones attack the company's resources non-stop. On the company's side, the resources involved are:
- monitoring systems,
- response and report processing,
- bug fixing (quick or not).
Bug Bounty pros and cons
Pros:
- continuity of the testing process,
- cost (reward payments come to less than the cost of hired professionals),
- broad coverage.
Cons:
- a large number of duplicates,
- a huge number of scanner reports (false positives),
- narrow focus,
- difficulty of confirming and proving reported vulnerabilities.
Often, many bug hunters taking part in a Bug Bounty program limit themselves to their favourite tricks and explore nothing else, or, conversely, run everything through a scanner in a row in the hope of catching anything. This gives a varied but not a complete approach to testing. Also, a huge number of scanner false positives can load the development team with unnecessary work (each report needs additional validation and feedback, and there may be a great many of them).
Most companies are represented on aggregator sites such as HackerOne or BugCrowd.
Many companies have opened both their own programs and profiles on HackerOne. Among them are Yandex, Mail.ru, QIWI, Facebook and many others. What more is there to say, when even the Pentagon has its own Bug Bounty program (hack the Pentagon, get paid and walk free: it sounds like a hacker's dream, but it is the harsh reality).
The average payout is $200 to $1,000, depending on the vulnerability and where it is found.
For example, the valuation of vulnerabilities in Yandex's "Hunting for bugs" program:
- A01. Injection: 170,000 rubles (critical services), 43,000 rubles (other services).
- A02. Cross-site scripting to A05. Cross-site request forgery: 17,000 rubles (critical services), 8,500 rubles (other services).
- A06. Web environment configuration errors to A10. Open redirects: 8,500 rubles (critical services), 5,500 rubles (other services).
The most expensive bugs
Over the lifetime of their Bug Bounty programs, many companies have paid out totals with five or more zeros in dollars (Facebook alone has paid more than $5,000,000 in rewards), but there have also been individual rewards that were impressive in themselves. Most interesting of all, the bugs were of cosmic scale, yet they were sometimes found almost by chance, if not entirely at random.
Or the earth-shaking hack of Facebook and the discovery of a backdoor in its systems, which brought the researcher $10,000: "How I hacked Facebook and discovered a strange backdoor".
I want to participate, what do I do?
For those who have decided to test their strength and abilities in finding bugs, I can suggest a few basic steps that lead to victory:
Follow the news. Has the program's scope been updated? Run tests on the new services. Has the vendor added new features, extended old ones or integrated a third-party service? That is a great opportunity, especially in a complex infrastructure, for someone to have made a mistake.
Persistence. Study carefully and do not miss any details. It is good practice to periodically compare the results of previous tests with the current state of the system.
Search. Seek and ye shall find. Most major bugs are not on the public subdomains and directories. Tools for discovering subdomains and good wordlists for brute-forcing directories and subdomains will be useful here.
Research. Run automated scanners and sift the web application (most Bug Bounty work is web-related) like sand through a sieve to find the grains of gold. Here I recommend Burp Suite or OWASP ZAP; there are no better tools. Almost every major win in bug bounties is the result of working with these tools (you can see it in almost any public report).
Explore. Download the application for local study if possible. Read other participants' reports; they may give food for thought. Take the same Facebook hack: many bug hunters had seen this subdomain and even tried to do something with it, but did not follow through. A good resource for this is "The unofficial HackerOne disclosure Timeline".
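The "Search" step above produces long lists of subdomains, and the program rules described at the start of the article decide which of them may be tested at all. The script below is an added example (not code from the article or from any bounty platform) of the check a hunter should run on enumeration output before touching anything: it filters candidate hosts against a program's in-scope and out-of-scope lists, letting an explicit exclusion override a wildcard inclusion and treating unlisted hosts as off limits. The policy, host names and addresses are constructed for the example (example.com and 203.0.113.0/24 are documentation ranges). It goes a little beyond the text by also handling URLs, host:port strings and CIDR ranges, which real program pages commonly list.

```python
"""Scope check for bug-bounty reconnaissance output (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Scope:
    """Patterns copied from a program page: bare hosts, '*.domain' wildcards or CIDR ranges."""
    in_scope: set[str] = field(default_factory=set)
    out_of_scope: set[str] = field(default_factory=set)


def normalize_host(target: str) -> str:
    """Reduce a URL, host:port or bare host name to a lower-case host."""
    if "://" not in target:
        target = "//" + target          # lets urlsplit parse 'host:port' correctly
    host = urlsplit(target).hostname or ""
    return host.rstrip(".")


def host_matches(pattern: str, host: str) -> bool:
    """True if a single scope pattern covers the given host."""
    pattern = pattern.lower().rstrip(".")
    if "/" in pattern:
        # CIDR patterns such as 203.0.113.0/24 match IP literals only
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if pattern.startswith("*."):
        # '*.example.com' covers names below example.com, not the apex itself,
        # and the leading dot prevents 'notexample.com' from matching
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def classify(scope: Scope, target: str) -> str:
    """Return 'in_scope', 'out_of_scope' or 'unknown' for one candidate."""
    host = normalize_host(target)
    if any(host_matches(p, host) for p in scope.out_of_scope):
        return "out_of_scope"       # an explicit exclusion overrides a wildcard inclusion
    if any(host_matches(p, host) for p in scope.in_scope):
        return "in_scope"
    return "unknown"                # unlisted: leave it alone until the program says otherwise


def triage(scope: Scope, candidates: list[str]) -> dict[str, list[str]]:
    """Bucket enumeration output so only the in_scope list goes on to testing."""
    buckets: dict[str, list[str]] = {"in_scope": [], "out_of_scope": [], "unknown": []}
    for candidate in candidates:
        buckets[classify(scope, candidate)].append(candidate)
    return buckets


# Constructed policy, in the shape of a typical program page (hypothetical values)
EXAMPLE_SCOPE = Scope(
    in_scope={"*.example.com", "example.com", "203.0.113.0/24"},
    out_of_scope={"*.corp.example.com", "status.example.com"},
)

# Constructed output of a subdomain-enumeration run, including look-alike traps
EXAMPLE_CANDIDATES = [
    "https://api.example.com/v1",
    "example.com",
    "vpn.corp.example.com",
    "mail.corp.example.com:443",
    "status.example.com",
    "notexample.com",
    "example.com.evil.test",
    "203.0.113.42",
    "198.51.100.7",
]

if __name__ == "__main__":
    for bucket, hosts in triage(EXAMPLE_SCOPE, EXAMPLE_CANDIDATES).items():
        print(f"{bucket}: {hosts}")
```

Only the in_scope bucket should be fed to the scanners from the "Research" step; the unknown bucket is worth a question to the program owners, since an unlisted host is neither a permission nor a finding.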