
Hello everyone, thank you so much for being here, thank you for showing up, and thanks to the B-Sides organizing team for organizing everything and making sure everything is working and running smoothly. Perfect, thank you. So basically this is my second time here in Pristina; I was here in 2019 for a different conference, so it's always great to be back here and just enjoy the city.

So today we're going to talk about a topic that is very dear to me, an industry that I've been involved in for a decade: we're going to be talking about bug bounties, and I'm going to share with you some insights and lessons that I've learned from my experience doing bug bounties as a hacker, hacking different companies, high-profile companies like Facebook, Google, Apple, etc. So I'm going to be sharing some lessons and insights that I've learned from that experience, and I'm also going to be sharing the lessons that I learned actually managing those bug bounty programs for some of the biggest companies. But before we start, I just want to have an idea how many of you here are familiar with the concept of bug bounties; can you raise your hands? All right, that's good. How many of you have earned a bug bounty before, a bounty payment? All right, I think this is a good start.

All right, so we're going to talk about it, but before we dive into the topic I just want to introduce myself. My name is Yassine Aboukir, I'm originally from Morocco, and I'm currently based in France. I hold two master's degrees, both of them in management and business, which is very irrelevant to what I'm doing now as a career; it just goes to say that it doesn't really matter what you studied before as long as you have the passion to pursue what you really like and what you're really passionate about. So right now I'm doing cybersecurity. I do application security consulting, so basically I work with companies to provide them with consulting services, say penetration testing, security assessments and whatever. From 2017 to 2019 I worked as a security analyst for a company called HackerOne; it's a bug bounty platform. I worked as a triager, so basically I triaged for bug bounty programs belonging to some of the biggest companies, so I'm going to share that experience later on in the presentation. Currently, this year I actually joined the HackerOne hacker advisory board, so basically my role is just to ensure that the hacker community is well represented and that the hacker feedback is incorporated in their products and services. And I've been doing bug bounties since 2013, so basically it's been a decade, 10 years, and I am one of the HackerOne all-time top 20 hackers. And last year I actually won one of the live hacking competitions back in Denver; as you can see in the picture I'm holding the belt, I look like a UFC fighter, I know. So I won first place, which was quite an achievement because it was very competitive. So yeah, that's it.

So now we're going to start, just for the people who are not very familiar with the concept of a bug bounty program. A bug bounty program is basically when a company seeks the help of the security research community. So basically a company like Facebook or Google wants the help of ethical hackers to find security vulnerabilities in their services and products, so they set up what we call a bug bounty program, which has all kinds of rules that you should know before participating, and once someone, a hacker, an ethical hacker or a security researcher, finds a security vulnerability, they get paid what we call a bounty, which is a monetary payment. As you can see in this screenshot here, this is an example of the PayPal bug bounty program, which is hosted on the HackerOne platform, so this is basically how it looks, and every bug bounty program has a set of rules or sections.

So a bug bounty program has what we call a bounty table; as you can see here in this screenshot there's a bounty table. So what is the bounty table? It's just the monetary reward that you can expect when you find a security vulnerability in their product: if it's a low-severity bug you can expect this much, if it's a high-severity bug you can expect like 10K US dollars, or if it's critical this is how much you're going to expect. And every program has in-scope vulnerabilities; these are the security bugs that the company is interested in, they want to hear about them, they want you to find those, so they have a list of those in-scope bugs. And just like in scope, there are out-of-scope bugs: the company has a list of bugs that they're not really interested in, either because they are informative or they are low severity, or basically they are false positives. So as a hacker you don't want to look for those bugs, you just want to avoid them because they're going to be a waste of time. And every program has rules of engagement; these are rules that you should abide by. If you're going to start hacking on PayPal, these are some of the rules that you should respect. One of the rules, for example, is to avoid heavy automation, just do not run heavy automation on their products because you're just going to bring them down; these are the kind of rules that you have to respect. And then there is the service level agreement; the SLA is just the times that you're going to expect, like the time to acknowledge your report or your bug, how much time you're going to have to wait to get paid, and how much time you're going to wait to have the bug fixed or resolved. And there is a safe harbor clause, which is optional, which people started talking about recently. The safe harbor clause is basically a legal clause where the company is basically stating that as long as you're acting in good faith, we're not going to prosecute you, we're not going to pursue any legal action against you. As long as you act in good faith, which is very important because a lot could go wrong.

So as you can see, I'm pretty sure you guys are very familiar with these logos; these are some of the Fortune 500 companies that are running their bug bounty program, so these companies are basically working with ethical hackers to find all those security vulnerabilities that may be affecting their own products. So basically we have Salesforce, Snapchat, Slack, Facebook, Apple, Google; all these companies have what we call a bug bounty program, so if you have the skill set that it requires and you can find security vulnerabilities in their products, you could get paid a bounty in exchange.

So how I got into bug bounties: I just want to share with you my story, how I started doing bug bounties. So basically, before, when I was in my teenage years, I was very passionate about hacking; I loved finding security bugs in random software. So basically I'd just go on the internet, find a random piece of software and just poke around and find the bugs in that software. I was just doing it for free because I liked it, I enjoyed it. But what I did is that when I found a bug, I'd just basically write the details and publish it online without even coordinating with the vendor, without notifying them to get it fixed or anything. As you can see here, it was back in 2011, 2014, 2013; these are some of the bugs that I posted on the exploit databases, if you guys are familiar with milw0rm, for example, or Exploit-DB. So I'd find a bug and just post it online without it even getting fixed, which is bad, because this is not how responsible disclosure works: you have to coordinate with the vendor to responsibly notify them of the bug so that they can get it fixed, and then you can publish your bug publicly. But I was doing it the wrong way, which I call the irresponsible disclosure phase, as opposed to responsible disclosure. Because, if you're familiar, when we do bug bounties or just vulnerability disclosure in general, we have what we call the 90-day rule. So basically when you find a bug you have to report it to the vendor, you have to report it to the company so they can get it fixed, and the company has 90 days to get it fixed; if they don't get it fixed in 90 days, then you can actually publish it with the security community, you can make them aware. If they get it fixed in a timely manner, then you can share the details, but you're not really allowed to share the details publicly before it's fixed, otherwise it's a 0-day, it's going to be exploited maliciously.

So fast forward to 2013: I was just scrolling, reading some news articles, and I stumbled upon an article about a platform called HackerOne, and that now you can actually work with companies, you can hack companies legally and actually get paid for it, because I was doing it for free back then. So that was an intriguing idea, and I just went straight to the HackerOne platform and I signed up in 2013.
So I started poking around, and what I found is they have a lot of open source projects like Python, Django, Ruby on Rails, so basically they want you to find bugs in those projects. But back then I didn't really have the right skill set, I did not have much code review skill set, so I couldn't find anything in 2013; I was just poking around but no luck at all. So fast forward to 2014, like one year later, I found my first bug and I earned my first bounty. It was the dumbest bug I ever found, honestly. It was on Yahoo, and what I found on Yahoo, so basically the bug was just resetting the vote. Yahoo has this board, the suggestion board, where users can post suggestions and other users can upvote and downvote the suggestion. So I was just poking around, and when you upvote a suggestion there is a parameter called vote value; it just increments by one, right? I was thinking, what can I do here? And I changed the value of the vote value to 1600, which is a long number, and I just clicked on upvote, and what happened next is I just reset the votes to zero. If you can see here, it was like 300, 350, 57, and then zero. This is the dumbest bug I ever found; it was a low bug, but fortunately I got paid for it. I submitted it to Yahoo, this was back in 2014, and I got my very first bounty, which was like 400 bucks. I did not believe it, because I was doing this for free and now I get paid for it, and I can do it legally, I can hack a company and get paid for it, which is awesome, and I couldn't really believe it. So I was like, is this real? And I was still in university, and the next summer I just spent it looking for bugs. I spent the whole summer just hacking companies because this was too real for me.

So let's talk about some common bug hunting methodologies. When you're approaching a target, what can you do, how can you approach a target? From my experience, from talking with other bug hunters, with other hackers, I realized that there are basically four methodologies when you're hacking. There are some people, when they're looking for bugs, when they're looking for security vulnerabilities, they automate everything; they basically automate everything, they don't do anything manual. They've built their automation that they deploy to servers, and the automation is just continuously looking for bugs, and they don't do any manual work, which is awesome. But there are other people who do full manual. The full manual methodology is when you're actually going deep on the application and you're doing the manual hacking without any automation, without any tools apart from some necessary tools like a web proxy, for example. So there are some people who like to do full manual hacking, which is cool. And there are some other people who do what I call the 50/50; this is my methodology, which is basically the first phase of hacking you do with automation, I mean you use a lot of tools to collect data, like do some reconnaissance, find some subdomains, DNS data, fingerprinting, all that stuff, and then once you collect that data, then you can do the manual hacking; then you can use that data to actually start manually hacking and looking for security vulnerabilities in that data. So this is my methodology. And there are some people who do what I call the zero-day all the things. So basically these people go and look for bugs in software that is widely used by companies, for example WordPress: they go and look for a bug in WordPress, a zero-day, and then once they find this bug in WordPress they look for all the companies that use WordPress, and then they submit those reports to them. So they basically do security research and they find zero-days, and then they find all the companies that use that vulnerable software or technology. Perfect, I don't know what happened there.

So the question here is which one of these methodologies is actually best; that is the natural question, which one should you go for? Actually, the thing is that all these methodologies have proven to be effective, they have proven to be successful. As you can see here, in each category there is a successful bug hunter who has made millions just using that methodology. For example, for the fully automated we have Eric, todayisnew; he's one of the best hackers, he's very successful, a million-dollar bounty hunter, and he doesn't do any manual hacking. He basically built an automation machine that is continuously working and looking for bugs on a daily basis; it's just working when he's not, he's not doing any manual work. And then for the full manual we have Ron, who is a very successful bug hunter as well; Ron just doesn't do any automation, as opposed to Eric, he just likes to do manual hacking, just go deep on the application, understand it and just find logical bugs. And for the 50/50 we have the legendary Frans Rosén, one of the best hackers. And we have Shubs for the zero-day all the things; Shubs is one of the co-founders of Assetnote. If you go to assetnote.com they have so many blog posts about zero-day vulnerabilities that they found in popular software, so basically he finds 0-days and he just submits those 0-days to bug bounty programs, and it works, it works for him. So they made good money out of it and they're very successful. That means that all the methodologies actually work, I mean it depends on you, but each methodology can come at a cost. For example, the fully automated one might be very costly because you're running a lot of servers, so it might be very costly to run those cloud servers; with the full manual you might just be manually hacking and then you might not find any bug at all. So there is a cost for each of these methodologies.

So, go big or go home. With these successful bug hunters, one of the things that I noticed is that they all try to focus on high-severity security vulnerabilities, like P1, which is critical vulnerabilities; these are usually server-side bugs, could be an RCE, SQL injection, SSRF. Or P2, high-severity bugs, like stored XSS and account takeover, authentication bypass. So all these bug hunters, I noticed, I observed that they are actually focusing on P1, P2, which makes sense. Why? Because first of all they're avoiding duplicates and the related frustrations, because in bug bounty you have to be the first one to find the bug to actually get paid; if you find the bug but someone found it before you, you're not going to get paid, it's going to be a duplicate. But when you're focused on P1, P2, not a lot of people are actually focusing on that kind of vulnerabilities, and they're not easy to be found as well, so you're avoiding the duplicate frustration. Also, when you send a high-severity bug to a company, they quickly fix it, they have to quickly react, otherwise it's going to be exploited maliciously, so they quickly get it triaged and fixed, which is good. And then you have high monetary rewards, so basically when you're focusing on P1 and P2 you're going to earn a lot more than actually focusing on low-severity and medium bugs. I'm not saying by any chance that you should avoid looking for low-severity or medium bugs, it's just that you have to shift your focus to looking for P1 and P2 bugs if you've got the right skill set.

And then when you're doing bug hunting you want to focus on healthy and high-paying bug bounty programs. There is a lot of frustration that can originate from doing bug bounty; there are so many companies running a bug bounty, but they are not all great, because sometimes you submit a report to a company and you have to wait months before they even respond to you, or you have to wait months before you get paid. So you want to be picky when you choose which company you want to hack on. These are two companies, for example, which are amazing: the first one is GitLab, if you're familiar with it, and the second one is Shopify. GitLab, for example, for a critical they pay up to 35K, which is great, it's a good return on investment, and Shopify can even pay 200K for a critical vulnerability. That's why I'm saying you have to focus on P1, P2, because there is a high monetary reward out of it, and these companies are very healthy, they have a great security team, very reactive, all that stuff. And before you start, before you choose a program, if you for example are using the HackerOne platform, on the program you can see these statistics; these are very important before you start hacking on a program. You see the average time to first response, which is how much time it's going to take for the company to acknowledge your report, to get back to you; the average time to bounty, how much time until you get paid, which is important, you just want to get paid, so it's important to cut it short; and how much time to get your bug fixed. Also you can see how much, this is the PayPal bug bounty program, this is how much PayPal paid over the years: they paid 8 million in bounties in total, and you can see the average bounty that they paid to hackers, the average is usually 2K to 4K, and sorry, the top bounty is, they paid 52 as a top bounty. As you can see, there are all the stats you can check before you start hacking on a program, before you decide which company you want to hack on. For example PayPal here, they have appealing numbers, which is good, but also for a regular bug hunter, when they see the number, the total of bugs that were resolved, you see it's 1470, which is a lot of bugs, and then a regular bug hunter's mind is like, there's no way I'm going to find a security vulnerability after like 700 people found over a thousand bugs. This is a regular bug hunter mindset, which is really bad, because the best hackers don't really care about those numbers, because they know, regardless of how many bugs other people found, there will always be other security vulnerabilities. Why? Because companies are pushing code, they're making changes on a daily basis, so there are always new features that are being developed, so there are always new bugs that are being introduced. Same, there are always regressions: they might fix a bug today, but there might be a code change, and so the bug might show up again, so we call that a regression. So it doesn't matter how many bugs that program fixed, you can always find bugs on these programs, and these are the best programs that you want to focus on, these are the... oh, it's gone again. So these are the big programs like PayPal, they pay really good