Lately, I have been spending some time on some major bug bounties to get experience in an entirely new field, one I was completely unaware of a few weeks ago!
Here are some interesting responses I received as a reply:
Since then, I have gone through many kinds of responses! In fact, one of the most interesting parts of bug bounty work is seeing how the security engineers view your stuff!
This one made me LOL!
And of course I made some valid submissions too (maybe luckily)!
Frankly, I've learned a lot testing well-known and reputable companies, and eventually finding an attack vector is really fascinating. It's always fun to have a live target that could, in some way, be exploited!
Black box testing is not always that easy! In general, one has to see how a system responds to a vector and change strategy accordingly! However, thanks to the availability of free and custom scanner tools, people keep trying to replace that process with a tool, a shortcut! But this is a very hard job for a tool, because a tool barely understands the context and just keeps trying to get a valid response after executing a random payload. So, basically, tools are not the solution!
A big conflict is: is bug bounty a field of security research? Can bug bounty keep up that feeling, that thirst, that enthusiasm for gaining knowledge in someone who has the mindset of a so-called 'hacker'? (See here for what I refer to as a hacker: "Who is a hacker?")
The first thing I'd say is that when bug bounty is done solely for making money, it gets worse! The person loses the enthusiasm to learn new stuff and goes back to searching for skid methods to get onto a whitehat page.
Having said this, the money a company rewards you, at its sole discretion, is also a representation of the severity level of the bug! Of course, an FPD (full path disclosure) won't be rewarded the same amount as an OAuth bypass!
Almost every site on the internet now has a bug bounty program and a white hat acknowledgement page! This is just because they can't take the risk of getting hacked! They are actually using that sentiment for their benefit! With many sites being built on custom frameworks, framework-based vulnerabilities exist in any site that uses them!
The point here is: if involvement in bug bounty isn't a big achievement, finding a new attack methodology is one. Finding a bug may not be that important; developing a mindset of how to think like an attacker is one of the important lessons that bug bounty teaches you!
Is bug bounty really worth it from the company's perspective?
Well, in short, yes! I would like to present some recent examples. Mt. Gox didn't have a department to respond to security bugs. Bugs can really be expensive. Mt. Gox laid off (at least, that is what their website states). However, a similar kind of vendor, Coinbase, is alive and strong, as it has one! Yahoo was breached several times before, but after it launched the program, I haven't heard of it in quite a while!
You call that a skid: a security researcher who just runs a scanner, doesn't even know what the flaw means, and reports it?
Well, this is true to some extent. But how about this? The same goes for the companies as well. A skid gets $100 for reporting some random FPD. But a bug that could be worth the entire company's property and trust is rewarded $10,000 by PayPal, $20k by Google and $33,500 by Facebook. Is PayPal just worth $10k?
So, I think basically the sides are even. One gets to the whitehat page with a vulnerability that would barely affect the server's CIA (confidentiality, integrity and availability) properties, and the other with one that could affect all the factors mentioned!
So, if they can pay very little (compared to how devastating it could have been), it is fair enough to report an XSS. But what matters is, pasting payloads into every search box you see without having any knowledge of JavaScript doesn't train your mind in any way!
For an example, let's look at these two findings by @joernchen on GitHub.
The two issues he reported:
1) RCE
2) 2-factor authentication brute force
The severest possible bug is valued at $5000. However, a 2-factor authentication brute force, which is barely an issue because the attacker already needs to know the victim's password, gets $1000.
So for the first issue the reporter is at a complete loss, and for the second, the company is at a loss.
So, I see the sides pretty evenly balanced, with the great findings always suffering most of the losses!
Also, XSS isn't always skid stuff. JavaScript experts actually look at how each payload is processed, which characters are blacklisted, which are reflected and, overall, whether the input is being validated and sanitized well. Bug bounty should be more than pasting payloads from your notepad into search forms!
Of course, "money" will always be a driving factor in the field! It should be, because a server-side privilege escalation or an authentication bypass should always be a higher priority than an XSS bug. And the level of priority is shown by the amount the company is willing to spend to reward the researcher.
Moreover, viewed from one perspective, it is also about that feeling of pride in helping the community stay secure! It's not always about the money, and shouldn't be!