Bounties - How to Automate Your Submissions


Bounties are a great way to encourage and celebrate software security. Companies and independent researchers alike can join forces to combat cybercrime (or at least offer rewards for doing so).

However, not all bounties are created equal, so you want to make sure you fully understand what you're getting into before plunking down your hard-earned cash. In this article, we will discuss the various aspects of a software security bounty program, including how to set the right price, how to handle discrepancies, and more.

What Exactly Is A Software Security Bounty Program?

A software security bounty program is a collaboration between a company (typically a software security company) and individual security researchers (typically independent security researchers).

Under normal circumstances, when a piece of software is discovered to have a security flaw, the vendor (the company that makes the software) will fix the issue and release a patch to remove the bug. However, in some cases, the vendor may refuse to address the issue (especially if it's a known issue that they've been made aware of).

In these cases, independent security researchers step in, comb through the codebase, and either report the issue to the vendor or discover the issue themselves and then report it. In the meantime, while the issue is still unfixed, software security companies will typically reward independent security researchers for finding these types of flaws.

How Do I Set The Right Price?

One of the first questions you need to ask yourself when setting up a software security bounty program is how much you're willing to pay. It is important to set a price that is high enough to attract quality researchers but not so high that it becomes difficult to manage. After all, you're not going to be able to fix all the security issues yourself and you don't want to squander your company's resources on low-quality reports.

The best approach is to set the price based on the severity of the issue. For example, if you know that a certain type of flaw makes an application completely unusable, you might decide that an issue of that severity deserves a higher price than, say, a typical cross-site scripting (XSS) issue. The price should be in line with what the best white hat hackers get paid for these types of discoveries. The advantage of this method is that you can't go wrong since you're not under any financial obligation to fix all the security issues yourself (especially if the issue is severe).

It is also important to note that if the application requires a high degree of technical skill to exploit, then the price should reflect that. For example, if you're dealing with binary data that needs to be reverse engineered, then the price should be higher than if the data simply had to be decoded. This ensures that only the highest-quality submissions will be deemed worthy of the bounty.

What Is The Difference Between Bug And Vulnerability Research?

It's important to understand the difference between vulnerability and bug research. Vulnerability research looks for flaws (either in software, design, or both) that can potentially be exploited by an attacker. In other words, a vulnerability researcher discovers a mistake (such as a design flaw or coding error) that can be used by an attacker to gain access to a computer system or application.

A bug researcher, on the other hand, examines a product (typically software) and looks for errors (such as unintended behaviors or unexpected results) that can be used to cause damage or achieve some other goal (e.g., bypass user restrictions or perform malicious actions). A good bug researcher should be able to recognize both types of issues, but it is important to understand that they are sometimes difficult to tell apart. It's also important to note that sometimes a bug report can be construed as a vulnerability report (for example, a buffer overflow can be viewed as a vulnerability). However, in most cases, the distinction is straightforward.

What Are The Most Common Vulnerabilities?

The most common vulnerabilities in software can be found by searching for the CVE (Common Weakness Enumeration) numbers. These are simply vulnerabilities (usually discovered by independent researchers) that have either been proven to be extremely serious or have gained widespread recognition due to their frequent exploitation. For example, the High Severity Vulnerabilities in Oracle Java SE are regularly exploited by attackers and affect many different versions of the product. On the other side of the spectrum is the Heartbleed bug, which was discovered by a team of researchers and has only recently (April 2014) been made public. This vulnerability is known to be extremely difficult to exploit and, due to its rarity, has not gained the same level of recognition as the Java issues mentioned previously. However, just because a bug is rare does not mean that it's not serious; it just means that it has not been recognized as such yet by the security community. Think of the Heartbleed bug as the Java issue's older brother. You'll see many instances of the Heartbleed bug but, due to its rarity, you may not see as many instances of the Java issue.

How Long Before The Bounty Is Paid?

When it comes to offering bounties, your reputation is on the line. There is no room for error, especially since many of these submissions are likely to be evaluated by a third party (either you or someone you've engaged).

To ensure that everything goes smoothly, it is advisable to set up a workflow so that once the evaluation is complete, the rewards are distributed as quickly as possible.

What Are The Most Common Denial-of-Service (DoS) Techniques?

One of the most damaging forms of attack is the denial of service attack (DoS attack). A DoS attack attempts to make a computer resource (typically a website or application) unavailable to other users by causing excessive workload or, in some cases, even crashing the system. A successful DoS attack can result in significant (and often irreparable) damage.

The most common type of DoS attack is a distributed DoS (DDoS) attack. These are attacks that are launched by multiple parties (typically across the globe) against a single target. The goal is to overwhelm the target's resources (typically a web server) so that it can no longer function properly. Since these attacks usually attempt to crash the website, they are known as crash attacks.

A second type of DoS attack is the overflow attack, which is a bit less harmful than a crash attack (usually, at least) but still causes significant problems since it prevents legitimate users (including potential paying customers) from using the website or application that is being targeted. While a buffer overflow can (in some circumstances) be used to execute malicious code on web servers, these situations are extremely rare.

What Is A Vulnerability Rating?

A vulnerability rating is a score that determines the seriousness of a particular vulnerability. This score indicates the potential damage (or threat) that the vulnerability poses. For example, a score of 1 indicates that a particular vulnerability is minor (typically a bug that can be easily fixed) while a score of 10 indicates that a vulnerability is highly critical (sometimes referred to as a “zero day exploit”).

Vulnerability ratings are often determined by a combination of factors, including the likelihood of a successful attack, the type of system (e.g., a desktop system vs. a web server), and the type of damage that can be caused (e.g., information leakage vs. total system crash). Vulnerability ratings range from 1 to 10, with 1 being the least serious and 10 being the most serious. This is why the rating of 5 is often used as an indication of an average threat. It is important to bear in mind that the likelihood of an exploit will increase as the score increases. However, just because a vulnerability has a high score does not mean that it is necessarily easy to exploit. For example, consider a vulnerability with a score of 10; it may still require a significant amount of skill and possibly some additional items (such as a toolset or a dedicated computer) to exploit successfully. In other words, a score of 10 does not necessarily mean that an attacker can simply walk in the door and start manipulating data. As a general rule, the higher the score (the more serious the threat), the more you should charge.

Why Do I Need To Handle Discrepancies?

As we mentioned above, when setting up a bug bounty program, your reputation is on the line. That is a significant responsibility and, as a leader in your industry, it is likely that you will be asked to adjudicate a dispute over payment or issues related to a researcher's submission. It is important to prepare for these kinds of situations so that you can address them smoothly and professionally.