Seldom does Threatpost have the privilege to tap the collective brain trust of one cybersecurity corner of the threat landscape. But last month, Threatpost brought together leading voices in the bug bounty community to participate in a webinar Five Essentials for Running a Successful Bug Bounty Program (replay registration required).
Panelists included Casey Ellis is CTO and founder of Bugcrowd, Mike Takahashi is a Security Engineer at BetterHelp, Chloé Messdaghi is the VP of Strategy at Point3 Security and Tommy “@dawgyg” DeVoss who is a Unix System Admin and full-time Bug Bounty Hacker.
What follows are a sampling of the questions attendees had for panelists.
What would be the best approach in running a combined bug bounty program for all government institutions in a country with a low gross domestic product (GDP)?
Casey Ellis: As a first step, encourage each agency to engage – This is better than going straight to a central intake approach, because it accommodates the variation in ability to coordinate fixes and payment. Next, set a central intake as a vulnerability disclosure program (VDP), Then, promote the agencies who are ready and engaged to initiate an incentive-driven program (i.e. a bug bounty).
What is the best model for government to deploy and run a bug bounty program which usually do not have the huge pool of fund?
Casey Ellis: Crawl (start with VDP), then walk (add rewards to critical assets), then run (full bug bounty program)
Are the hackers getting legal advice before engaging in these programs or are you relying on the bug bounty programs to keep them within in the legal lines?
Chloé Messdaghi: Rarely.
Casey Ellis: It’s rare. Normally folks just won’t share what they’ve found if this is a concern. Sometimes people connect with us out of band to clarify, seek assistance, or request guidance.
For those of us new to this, is there a good template for defining scope (etc.) you can share?
Chloé Messdaghi: Recommend checking out disclose.io to have a better idea on how to create better disclosure policies.
How do crowd-sourced bug bounty programs deal with potential GDPR issues like disclosing data during the process of a third-party researcher uncovering a bug?
Casey Ellis: Private programs with transitive consultant authority to the researchers, in the same way a company would approach this with a third party pentest firm.
Are there any legal provisions that protect ethical hackers if they report an exploitable vulnerability to the asset owner?
Casey Ellis: Broadly speaking, if an organization authorizes your testing then you’re most likely to be protected from any recourse, provided you stay within any conditions for that authorization. (Caveat: I am not a lawyer, nor am I your lawyer. You should check with them too.)
Tommy DeVoss: Currently no. If a company has no publicly listed bug bounty/VDP information posted finding and reporting a bug to them can result in them filing charges since it is technically illegal.
Are there any industry associations who can work with legislators in Washington DC to update applicable laws like anti-hacking Computer Fraud and Abuse Act?
Casey Ellis: There are a bunch: disclose.io, The EFF, The Atlantic Council, and the Sivarado Policy Accelerator are a few examples.
If someone wants to start out as a security researcher/hacker are there any resources to help them?
Chloé Messdaghi: First congrats on wanting to become a hacker! I recommend checking out hackingisnotacrime.org to know what orgs have your back and who are some folks who are advocating within the hacking community. If you’re wanting to get into bug bounty, I recommend checking out Bugcrowd University, Hackerone 101, and Portswigger Academy. You will want to know the ins-and-outs of Burp Suite.
How can bug bounty hunters find a community to link up with?
Tommy DeVoss: We have the Bug Bounty Forum on Slack that has about 800 of us – including program owners, employees from platforms and targets etc. There is also “discords” and other Slack groups (I have one called collab with Dawgyg). Twitter is also a major place to link up with other bug hunters and get help when looking for specific help.
Is Bug Bounty lucrative enough to be self employed?
Chloé Messdaghi: If you’re skilled and focused, yes.
Tommy DeVoss: I am self-employed. I made over a half-million dollars last year on bug bounties alone and have made roughly the same so far this year – working less.
What’s your methodology to find server-side request forgery bugs?
Casey Ellis: Check out the videos at Bugcrowd University.
What are the most common successful probing techniques you try when probing an application?
Casey Ellis: Focus is key. Learn how to find what you’re probing for, then probe.
How do I create a bounty program without having hell break loose?
Chloé Messdaghi: Do not go at it alone. Partner up with bug bounty platforms and start with a private program for six months to a year. Once you get a hang of it, then consider starting a public program as well.
Casey Ellis: Chloe’s advice, also: crawl, walk, run. The idea that bug bounty is ALL OR NOTHING is false… You can ease into it, and it is wise to do so.
How do you start a career in bug hunting?
Chloé Messdaghi: If wanting to get into bug bounty, I recommend checking out Bugcrowd University, Hackerone 101, and Portswigger Academy. You will want to know the ins-and-outs of Burp Suite. Get familiar with companies that are listed on disclose.io. Those companies practice bilateral trust, which protects you when you stay in-scope and don’t exploit. Also check out Peter Yaworski’s books on bug bounty and web hacking.
What is the typical timeframe for catching a bug?
Chloé Messdaghi: Sometimes it can take 10 minutes. Sometimes it can take weeks.
Casey Ellis: If you’ve invested in automation, sometimes it can be minutes. But Chloé is correct. Every bug is a snowflake.
Please talk about how to work with lawyers?
Casey Ellis: A good rule of thumb: If the person you’re talking to is bringing a lawyer to the conversation, you should also bring your own.
What percentage of bug bounty hunters rely only on bounty rewards for income? Is being a fulltime independent bug hunter a dream?
Casey Ellis: It’s not a dream, but deciding to do it is just the start. It takes skill and hard work. The payoff is autonomy, getting to learn more about things you love, and networking with an incredible and supportive community.
Tommy DeVoss: It’s not a dream, but it takes a lot of work. I don’t advise anyone to do this full time until you have spent enough time refining your hacking and start making enough to live off comfortably before trying to make the switch.
I just got into private program. Any tips for private vs. public?
Mike Takahashi: Most private programs prohibit talking about their program, so I recommend respecting all terms they spell out. Private programs tend to be less competitive, so if you find a program you really like to hack on, they can be very lucrative.
Casey Ellis: Read the brief. Then, move quickly and focus on the vulnerabilities you’re best at first.
How do you know a bug bounty person won’t turn around and attack you later?
Chloé Messdaghi: How does a bug bounty hunter know you won’t attack them? Same question. This is why bug bounty platforms and disclose.io exists. It tries to protect both parties.
Casey Ellis: In part, the offer of payment is there to encourage people to do the right thing. This is a useful tool to make sure you’re beating the bad actors to the things you need to fix.
Hosted Infrastructure as a Service (IaaS) is now a part of our infrastructure. How do we run a program when we don’t own the entire threat landscape?
Mike Takahashi: Be explicit about which assets are in scope and include any infrastructure you can. For example, misconfigurations in IaaS are common, and I recommend including these in scope when possible.
Casey Ellis: This is an excellent question: Specificity in scope is key. And if you’re erring on the permissive side (e.g. *.domain.com) spending a little time with you [I/P/S]aas vendors to ensure they have a heads up is a good idea. “Absence of third-party permission” is a common feature in Bugcrowd briefs and a clause which is included in the disclose.io open-source vulnerability disclosure program boilerplate, because this is such a common question.
Where do we hire bug bounties? Websites/Forums/etc?
Mike Takahashi: If you build it, they will come. If you host it yourself you’ll want a web page that links from /security and post it to Twitter.
Casey Ellis: Promotion of a program isn’t the hard part, you could promote a brand new bug bounty on TikTok and people would show up. The more difficult and more important part is aligning the program with the needs of your business that is important.
Are there prerequisites to starting a bounty program – and suggestions?
Mike Takahashi: Resolve known vulnerabilities, make sure people are ready to triage and fix reported vulnerabilities, and stakeholders are on board. More considerations on my medium blog.
Casey Ellis: In context of a public bug bounty program:
- Align expectations (externally and internally) before you start
- Decide that you’ll pay the finder if you touch the code
- Agree to crawl, walk, run
What is the best approach to streamlining the validity of bug submissions?
Mike Takahashi: Be specific about what details are required for bug bounty reports such as a proof of concept and explanation of impact.
Casey Ellis: If a class, asset, or impact-type is invalid, say so on your brief. Be proactive. This prevents researchers burning time on stuff that you’re not interested in, and they won’t get paid for? The Bugcrowd VRT is open-source and was created six years ago to help solve this exact problem.
(This Q&A was updated on 9/28 at 8:30 pm ET with additional comments from panelists to more accurately answer questions from attendees.)