Bug Bounty Program for the Web by Raymond Forbes

MAIN PRESENTER: Raymond Forbes, Web Security Engineer, Mozilla Corporation

ABSTRACT: This talk will look at the Mozilla bug bounty program and how it has helped with web security. We will be looking at the history of the program, how it is set up, some successes and common concerns.
BIO: Raymond has been a web security engineer with Mozilla since 2011, and is visiting OWASP Vancouver chapter from Seattle, WA.

WHEN: August 7th 2013

WHERE: Live streaming from Mozilla Vancouver

WEBCAST: http://www.youtube.com/watch?v=VZHp5Ssi67U

SPONSOR: Chapter partner OWASP Vancouver


OWASP Montréal

August 07, 2013


  1. Bug Bounty Programs: Crowdsourcing Security. Raymond Forbes, Mozilla Corp
  2. Agenda
     • History of Bounty Programs
     • Why and How to make a program
     • Bug Bounty Process
     • Common Bounty Concerns
     • Interesting bugs found
     • Mozilla Bounty Results
     • Conclusion
  3. Purpose of this Talk
     • Introduce you to the concept of bug bounty programs
     • Invite people to participate as much as possible and take advantage of these programs.
       – Including ours!
     • Encourage companies who are not currently incorporating a bug bounty into their SDLC to do that.
  4. History of Bug Bounty Programs
  5. History of Bounty Programs
     • 1995 – Netscape
     • 2002 – iDefense
     • 2004 – Mozilla Firefox
     • 2005 – ZDI
     • 2007 – Pwn2Own
     • 2010 – Google Chromium, Deutsche Post E-brief, Google Web, Mozilla Web, Barracuda
     • 2011 – Hex Rays, Facebook
     • 2012 – Paypal
  6. Types of Programs
     • Central Clearing House
       – iDefense
       – ZDI Tipping Point
     • Pre-approved Teams/Competition
       – Pwn2Own
       – Deutsche Post E-brief
     • Open to all – reported direct to the software maker
       – Netscape
       – Mozilla Firefox
       – Google Chromium
       – Google Web
       – Mozilla Web
       – Barracuda
       – Hex Rays
       – Facebook
       – Paypal
  7. Client Programs
     • Mozilla Corp – $3000
     • Barracuda Labs – $50 to $3133.7
     • Qmail – $1000
     • Samsung TV – $1000 and more
     • Hex-Rays – $3000
  8. Programs for the Web
     • Mozilla Web Bounty – $500 to $3000
     • Google Web Bounty – $500 to $3137
     • Facebook Security Bounty – typically $500, paid up to $5000
  9. Make our own bounty program
  10. Bounty Programs – Why?
     • User & user data safety is job #1.
     • Productive relationship with community.
     • Work directly with researchers.
     • Consistent security at scale is hard.
     • People are doing it now without notifying us.
     • The gray market is a big deal.
  11. Time to launch a bug bounty program! Bug bounties are an enhancement, not a substitute for any portion of a secure SDLC.
  12. Bounty Programs – Preparation
     – Gain developer and team lead support.
     – Check your code.
     – Define a clear reporting process.
     – Define scope and types of issues.
     – Build a team to respond to reports.
     – Set SLAs for responses.
     – Announce the program.
     – Root cause analysis.
     – Learn and adjust.
  13. Bounty Preparations – Web Specific
     • Goal: Protect users
     • Define critical issues for your organization
       – XSS, CSRF, open redirects?
     • Define scope of program
       – Bugzilla.mozilla.org
       – Addons.mozilla.org
       – Download.mozilla.org
       – Lots more
     • Will your scope include 3rd party frameworks?
       – Wordpress, Rails, Django, Python, Drupal
  14. Bug Bounty Process
  15. Bug Bounty Process
     • Somebody reports a vulnerability
       – Email to security@mozilla.org
       – Bug created in bugzilla.mozilla.org
     • If a bug was not made by the reporter, one is created by the security team
       – Setting the sec bounty flag to ? starts this process.
       – Secure: only readable by the security group and the reporter.
       – All communication from devs/security group/reporter etc. happens in the bug.
  16. Bug Bounty Process
     • Bug Bounty Committee meets and discusses all bugs that are nominated for the bounty
       – At least 3 people meet.
       – Each bug is evaluated for risk.
       – For web bugs, risk is partly based on which site/application the vulnerability was found in.
       – Bugs must be at least HIGH risk to be eligible for a bounty.
       – Can’t be a duplicate.
       – All recent builds eligible (e.g. nightly, aurora, etc.).
  17. Bug Bounty Process
     • Web bug specifics
       – HIGH risk or above
       – Specific sites spelled out in the FAQ
         • Possible to pay out for others if serious enough
       – No duplicates
  18. Common Bounty Concerns
  19. Bounty Concerns – Common concerns with web bounty programs
     • Encourage attackers
     • Too expensive
     • Veil of cover for attackers
     • Bounty program duplicates internal security work
     • Can’t compete with the black market.
  20. Bounty Concerns – Encourage attackers
     – Bad guys are already attacking you.
     – Without a bounty program, good guys are afraid to test or report.
     – A bounty program enables participants that will help you.
  21. Bounty Concerns – Too Expensive
     – Very high value.
     – Compare bounty payout with equivalent 3rd party testing.
     – Provides continual testing.
     – Use individual bugs to identify root cause flaws.
     – What percentage of profit is spent on security?
  22. Bounty Concerns – Veil of cover for attackers
     – Goal is to identify flaws, not to identify bad guys.
     – One possible deployment:
       • Full security controls and active blocking in prod.
       • Set up a public stage for testing with dummy data.
       • Configure production to actively block attackers.
       • The stage area could be the next revision of code for prod.
  23. Bounty Concerns – Duplicates internal security work
     – You don’t know what you don’t know.
     – Identifies process breakdowns.
     – Identifies areas for training in the SDLC.
     – Another tactic to protect users and critical data.
  24. Bounty Concerns – Can’t Compete with the Black Market
     – Bounty programs and the black market target different audiences.
     – Some people are bad, but many people are good.
     – Many don’t want the hassle or questionable ethics/legalities of black markets.
  25. Firefox Bug Bounty Results
  26. Firefox Bounty Results
  27. Firefox Bounty Results
  28. Firefox Bounty Results
  29. Firefox Bounty Results
  30. What are people submitting?
     • Anything found with a fuzzer
       – Heap overflows
       – Use after free vulnerabilities
       – Stack overflows
     • Cross-origin or framing failures
     • Unauthorized access to Chrome
  31. Mozilla Web Bounty Results
  32. Mozilla Web Bounty – Submission Timeline
  33. Mozilla Web Bounty – Types of Issues
  34. Mozilla Web Bounty – Bugs Reported
  35. Mozilla Web Bounty – The Bounties
  36. Mozilla Web Bounty – The Reporters
     • Countries of Origin
       – Europe – 50%
         • Germany – 20%
         • France – 20%
         • UK – 12%
         • Finland – 12%
       – United States – 20%
         • Bay Area – 50%
         • Rest of US – 50%
       – India – 10%
       – Russia – 5%
  37. What are people submitting?
     • Typical web vulnerabilities
       – XSS
       – CSRF
     • Be prepared for the low level vulnerabilities
       – Cookies not properly secured
       – Frameworks not up to latest.
     • Once the easy ones are out of the way there is opportunity for more interesting bugs to be found.
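As an added illustration (not part of the talk) of the "cookies not properly secured" finding a web bounty triage team sees again and again: a small Python helper that parses Set-Cookie headers and flags missing Secure, HttpOnly and SameSite attributes, so a low-severity report can be confirmed and root-caused in seconds. The sample headers and the list of sensitive cookie names are constructed for the example.

```python
# Constructed sample Set-Cookie headers, the kind quoted in a low-level bounty report.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",                         # missing Secure, SameSite
    "csrftoken=deadbeef; Path=/; Secure; HttpOnly; SameSite=Lax",  # fully attributed
    "prefs=dark; Path=/",                                         # no protective attributes
]

# Hypothetical list of cookie names the triage team treats as sensitive.
SENSITIVE_NAMES = ("sessionid", "csrftoken")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flag-style attributes get True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header, sensitive_names=SENSITIVE_NAMES):
    """Return the cookie name, whether it is sensitive, and a list of missing attributes."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")      # cookie may be sent over plain HTTP
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")    # readable by script, so XSS can steal it
    if "samesite" not in attrs:
        findings.append("missing SameSite")    # no browser-side CSRF defence
    return {
        "cookie": name,
        "sensitive": name.lower() in sensitive_names,
        "findings": findings,
    }


def audit_all(headers):
    """Audit every header; sensitive cookies with findings are the ones worth a bug."""
    return [audit_cookie(h) for h in headers]


if __name__ == "__main__":
    for result in audit_all(SAMPLE_HEADERS):
        print(result)
```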
  38. Mozilla Bounty – Benefits
     – Engage community.
     – Produce many high value bugs.
     – Bounty is not purchasing silence.
     – Security at a huge scope.
     – Identifies clever attacks and edge cases.
  39. I found a vulnerability! Now what?
     • Hold on to it.
       – Use it for nefarious deeds and keep it away from the public
     • Release it to the web, full disclosure
       – Increase your street reputation
       – Not something that happens as much anymore.
     • Sell to the gray market
       – Big cash payout
       – Negative impact on rep
     • Send to vendor (hopefully through a bug bounty program)
       – Make some money
       – These bugs go public for the most part, so it helps with rep
  40. Why not the gray market?
     • Negative impact on reputation
       – Companies that do not deal with the gray market are hesitant to deal with people who have.
     • Requirements higher
       – Weaponization needed for payout. Bounties only require the vulnerability.
     • Negative impact on the rest of us
       – These vulns are never reported to the vendor.
       – It’s possible others have found the vuln as well.
  41. What Next?
     • http://www.squarefree.com/burningedge/
     • I am a super awesome bug finder, but I want to contribute more.
       – That vuln you found? Maybe try your hand at making a patch for it.
       – Resources to help with this
         • https://wiki.mozilla.org/Security/Mentorship
         • irc.mozilla.org #security
  42. Conclusion
  43. Conclusion. The bounty program works great for Mozilla. We recommend exploring how this may work for you. Leverage lessons learned and evaluate risk/benefit.
  44. Questions? @gh_rooster http://blog.mozilla.org/security