Bug Bounty Program for the Web by Raymond Forbes

MAIN PRESENTER: Raymond Forbes, Web Security Engineer, Mozilla Corporation

ABSTRACT: This talk will look at the Mozilla bug bounty program and how it has helped with web security. We will be looking at the history of the program, how it is set up, some successes and common concerns.
BIO: Raymond has been a web security engineer with Mozilla since 2011, and is visiting OWASP Vancouver chapter from Seattle, WA.

WHEN: August 7th 2013

WHERE: Live streaming from Mozilla Vancouver

WEBCAST: http://www.youtube.com/watch?v=VZHp5Ssi67U

SPONSOR: Chapter partner OWASP Vancouver

OWASP Montréal

August 07, 2013

Transcript

  1. Bug Bounty Programs
    Crowdsourcing Security
    Raymond Forbes
    Mozilla Corp

  2. Agenda
    • History of Bounty Programs
    • Why and How to make a program
    • Bug Bounty Process
    • Common Bounty Concerns
    • Interesting bugs found
    • Mozilla Bounty Results
    • Conclusion

  3. Purpose of this Talk
    • Introduce you to the concept of bug bounty programs
    • Invite people to participate as much as possible and take advantage of these programs.
    – Including ours!
    • Encourage companies who are not currently incorporating a bug bounty into their SDLC to do that.

  4. History of Bug Bounty Programs

  5. History of Bounty Programs
    • 1995 – Netscape
    • 2002 – iDefense
    • 2004 – Mozilla Firefox
    • 2005 – ZDI
    • 2007 – Pwn2Own
    • 2010 – Google Chromium, Deutsche Post E-brief, Google Web, Mozilla Web, Barracuda
    • 2011 – Hex Rays, Facebook
    • 2012 – Paypal

  6. Types of Programs
    • Central Clearing House
    – iDefense
    – ZDI Tipping Point
    • Pre-approved Teams/Competition
    – Pwn2Own
    – Deutsche Post E-brief
    • Open to all – reported directly to the software maker
    – Netscape
    – Mozilla Firefox
    – Google Chromium
    – Google Web
    – Mozilla Web
    – Barracuda
    – Hex Rays
    – Facebook
    – Paypal

  7. Client Programs
    • Mozilla Corp
    – $3000
    • Barracuda Labs
    – $50 to $3133.7
    • Qmail
    – $1000
    • Samsung TV
    – $1000 and more
    • Hex-Rays
    – $3000

  8. Programs for the Web
    • Mozilla Web Bounty
    – $500 - $3000
    • Google Web Bounty
    – $500 - $3137
    • Facebook Security Bounty
    – Typically $500, paid up to $5000

  9. Make our own bounty program

  10. Bounty Programs – Why?
    • User & user data safety is job #1.
    • Productive relationship with community.
    • Work directly with researchers.
    • Consistent security at scale is hard.
    • People are doing it now without notifying us.
    • The gray market is a big deal.

  11. Time to launch a bug bounty program!
    Bug bounties are an enhancement, not a substitute
    for any portion of a secure SDLC.

  12. Bounty Programs – Preparation
    – Gain developer and team lead support.
    – Check your code.
    – Define clear reporting process.
    – Define scope and types of issues.
    – Build team to respond to reports.
    – Set SLAs for responses.
    – Announce program.
    – Root cause analysis.
    – Learn and adjust.

  13. Bounty Preparations – Web Specific
    • Goal: Protect users
    • Define critical issues for your organization
    – XSS, CSRF, open redirects?
    • Define scope of program
    – bugzilla.mozilla.org
    – addons.mozilla.org
    – download.mozilla.org
    – Lots more
    • Will your scope include 3rd party frameworks?
    – WordPress, Rails, Django, Python, Drupal

  14. Bug Bounty Process

  15. Bug Bounty Process
    • Somebody reports a vulnerability
    – Email to [email protected]
    – Bug created in bugzilla.mozilla.org
    • If a bug was not filed by the reporter, one is created by the security team
    – Setting the sec-bounty flag to ? starts this process.
    – The bug is secure: readable only by the security group and the reporter.
    – All communication between devs, the security group and the reporter happens in the bug.

  16. Bug Bounty Process
    • The Bug Bounty Committee meets and discusses all bugs nominated for the bounty
    – At least 3 people meet.
    – Each bug is evaluated for risk.
    – For web bugs, risk is partly based on which site/application the vulnerability was found in.
    – Bugs must be at least HIGH risk to be eligible for a bounty.
    – Can’t be a duplicate.
    – All recent builds are eligible (e.g. nightly, aurora, etc.).

  17. Bug Bounty Process
    • Web bug specifics
    – HIGH risk or above
    – Specific sites spelled out in the FAQ
    • Possible to pay out for others if serious enough
    – No duplicates

  18. Common Bounty Concerns

  19. Bounty Concerns
    – Common concerns with web bounty programs
    • Encourage attackers
    • Too expensive
    • Veil of cover for attackers
    • Bounty program duplicates internal security work
    • Can’t compete with the black market.

  20. Bounty Concerns – Encourage attackers
    – Bad guys already attacking you.
    – Without bounty program, good guys afraid to test or report.
    – Bounty program enables participants that will help you.

  21. Bounty Concerns – Too Expensive
    – Very high value
    – Compare bounty payout with equivalent 3rd party testing.
    – Provides continual testing.
    – Use individual bugs to identify root cause flaws.
    – What percentage of profit spent on security?

  22. Bounty Concerns – Veil of cover for attackers
    – Goal is to identify flaws, not identify bad guys.
    – One possible deployment:
    • Full security controls and active blocking in prod.
    • Set up a public stage for testing with dummy data.
    • Configure production to actively block attackers.
    • Stage area could be the next revision of code for prod.

  23. Bounty Concerns – Duplicates internal security work
    – You don’t know what you don’t know.
    – Identifies process breakdowns.
    – Identifies areas for training in SDLC.
    – Another tactic to protect users and critical data.

  24. Bounty Concerns – Can’t Compete with the Black Market
    – Bounty programs and black market target different audiences.
    – Some people are bad, but many people are good.
    – Many don’t want hassle or questionable ethics/legalities of black markets.

  25. Firefox Bug Bounty Results

  26. Firefox Bounty Results

  27. Firefox Bounty Results

  28. Firefox Bounty Results

  29. Firefox Bounty Results

  30. What are people submitting?
    • Anything found with a fuzzer
    – Heap overflows
    – Use after free vulnerabilities
    – Stack overflows
    • Cross-origin or framing failures
    • Unauthorized access to chrome (privileged browser code)

  31. Mozilla Web Bounty Results

  32. Mozilla Web Bounty – Submission Timeline

  33. Mozilla Web Bounty – Types of Issues

  34. Mozilla Web Bounty – Bugs Reported

  35. Mozilla Web Bounty – The Bounties

  36. Mozilla Web Bounty – The Reporters
    • Countries of Origin
    – Europe – 50%
    • Germany – 20%
    • France – 20%
    • UK – 12%
    • Finland – 12%
    – United States – 20%
    • Bay Area – 50%
    • Rest of US – 50%
    – India – 10%
    – Russia – 5%

  37. What are people submitting?
    • Typical web vulnerabilities
    – XSS
    – CSRF
    • Be prepared for the low-level vulnerabilities
    – Cookies not properly secured
    – Frameworks not up to latest.
    • Once the easy ones are out of the way there is opportunity for more interesting bugs to be found.
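Added example, not from the talk: a small Python audit for the "cookies not properly secured" class of low-level report, run over constructed Set-Cookie headers (attribute names follow RFC 6265 and the __Host- cookie prefix rules; the js_readable exception is an assumption for cookies a front end must read).

```python
# Added example (not from the talk): audit Set-Cookie headers for the
# "cookies not properly secured" reports slide 37 warns about.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr_lower: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_cookie(header, js_readable=()):
    """Return (name, findings); js_readable cookies (e.g. a CSRF token) may skip HttpOnly."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs and name not in js_readable:
        findings.append("missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("missing or weak SameSite")
    # __Host- prefixed cookies must be Secure, Path=/ and carry no Domain.
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        findings.append("__Host- prefix requirements not met")
    return name, findings

def audit_response(headers, js_readable=()):
    """Audit every Set-Cookie header of one response: {name: findings}."""
    report = {}
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, findings = audit_cookie(value, js_readable)
            report[name] = findings
    return report

# Constructed response headers, as a triager might paste them from a report.
SAMPLE_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "csrftoken=t0k3n; Path=/; Secure; SameSite=Strict"),
    ("Set-Cookie", "__Host-sid=xyz; Secure; HttpOnly; Path=/; SameSite=Lax"),
]

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_HEADERS, ("csrftoken",)).items():
        print(name, "->", ", ".join(findings) or "ok")
```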

  38. Mozilla Bounty – Benefits
    – Engage community.
    – Produce many high value bugs.
    – Bounty is not purchasing silence.
    – Security at a huge scope.
    – Identifies clever attacks and edge cases.

  39. I found a vulnerability! Now what?
    • Hold on to it.
    – Use it for nefarious deeds and keep it away from the public
    • Release it to the web, full disclosure
    – Increase your street reputation
    – Not something that happens as much anymore.
    • Sell to the gray market
    – Big cash payout
    – Negative impact on rep
    • Send to vendor (hopefully through a bug bounty program)
    – Make some money
    – These bugs go public for the most part, so it helps with rep

  40. Why not the gray market?
    • Negative impact on reputation
    – Companies that do not deal with the gray market are hesitant to deal with people who have.
    • Requirements higher
    – Weaponization needed for payout. Bounties only require the vulnerability.
    • Negative impact on the rest of us
    – These vulns are never reported to the vendor.
    – It’s possible others have found the vuln as well.

    View Slide

  41. What Next?
    • http://www.squarefree.com/burningedge/
    • I am a super awesome bug finder, but I want
    to contribute more.
    – That vuln you found? Maybe try your hand at
    making a patch for it.
    – Resources to help with this
    • https://wiki.mozilla.org/Security/Mentorship
    • Irc.mozilla.org #security

  42. Conclusion

  43. Conclusion
    Bounty Program works great for Mozilla.
    Recommend exploring how this may work for you.
    Leverage lessons learned and evaluate risk/benefit.

  44. Questions?
    @gh_rooster
    http://blog.mozilla.org/security
