Bug Bounty Program for the Web by Raymond Forbes

Transcript

1. Bug Bounty Programs Crowdsourcing Security Raymond Forbes Mozilla Corp

2. Agenda • History of Bounty Programs • Why and How

   to make a program • Bug Bounty Process • Common Bounty Concerns • Interesting bugs found • Mozilla Bounty Results • Conclusion

3. Purpose of this Talk • Introduce you to the concept

   of bug bounty programs • Invite people to participate as much as possible and take advantage of these programs. – Including ours! • Encourage companies who are not currently incorporating a bug bounty into their SDLC to do that.

4. History of Bug Bounty Programs

5. History of Bounty Programs • 1995 – Netscape • 2002

   – iDefense • 2004 – Mozilla Firefox • 2005 – ZDI • 2007 – Pwn2Own 2010 Google Chromium Deutsche Post-Ebrief Google Web Mozilla Web Barracuda 2011 Hex Rays Facebook 2012 Paypal

6. Types of Programs Central Clearing House •iDefense •ZDI Tipping Point

   Pre-approved Teams/Competition •Pwn2Own •Deutsche post E-brief Open to all – Reported direct to software maker •Netscape •Mozilla Firefox •Google Chromium •Google Web •Mozilla Web •Barracuda •Hex Rays •Facebook •Paypal

7. Client Programs • Mozilla Corp • $3000 • Barracuda Labs

   – $50 to $3133.7 • Qmail – $1000 • Samsung TV – $1000 and more • Hex-Rays – $3000

8. Programs for the Web • Mozilla Web Bounty • $500

   - $3000 • Google Web Bounty • $500 - $3137 • Facebook Security Bounty • Typically $500, paid up to $5000

9. Make our own bounty program

10. Bounty Programs – Why? • User & user data safety

    is job #1. • Productive relationship with community. • Work directly with researchers. • Consistent security at scale is hard • People are doing it now without notifying us. • The gray market is a big deal

11. Time to launch a bug bounty program! Bug bounties are

    an enhancement, not a substitute for any portion of a secure SDLC.

12. Bounty Programs - Preparation – Gain developer and team lead

    support. – Check your code. – Define clear reporting process. – Define scope and types of issues. – Build team to respond to reports. – Set SLAs for responses. – Announce program. – Root cause analysis. – Learn and adjust.

13. Bounty Preparations – Web Specific • Goal: Protect users •

    Define critical issues for your organization – XSS, CSRF, open redirects? • Define scope of program – Bugzilla.mozilla.org – Addons.mozilla.org – Download.mozilla.org – Lots more • Will your scope include 3rd party frameworks? – Wordpress, Rails, Django, Python, Drupal

14. Bug Bounty Process

15. Bug Bounty Process • Somebody reports vulnerability – Email to

    [email protected] – Bug created in bugzilla.mozilla.org • If a bug was not made by the reporter, one is created by the security team – Set the sec bounty flag to ? Will start this process. – Secure, only readable by security group and reporter. – All communication from devs/security group/reporter etc. happens in the bug

16. Bug Bounty Process • Bug Bounty Committee meets and discusses

    all bugs that are nominated for the bounty – At least 3 people meet. – Each bug is evaluated for risk – Web bugs risk is partly based on what sites/application the vulnerability was found. – Bugs must be at least HIGH risk to be eligible for a bounty. – Can’t be a duplicate – All recent builds eligible. (e.g. nightly, aurora, etc)

17. Bug Bounty Process • Web bug specifics – HIGH risk

    or above – Specific sites spelled out in the FAQ • Possible to pay out for others if serious enough – No duplicates

18. Common Bounty Concerns

19. Bounty Concerns – Common concerns with web bounty programs •

    Encourage attackers • Too expensive • Veil of cover for attackers • Bounty program duplicates internal security work • Can’t compete with the black market.

20. Bounty Concerns – Encourage attackers – Bad guys already attacking

    you. – Without bounty program, good guys afraid to test or report. – Bounty program enables participants that will help you.

21. Bounty Concerns – Too Expensive – Very high value –

    Compare bounty payout with equivalent 3rd party testing. – Provides continual testing. – Use individual bugs to identify root cause flaws. – What percentage of profit spent on security?

22. Bounty Concerns – Veil of cover for attackers – Goal

    is to identify flaws, not identify bad guys. – One possible deployment: • Full security controls and active blocking in prod • Setup public stage for testing with dummy data. • Configure production to actively blocks attackers • Stage area could be next revision of code for prod.

23. Bounty Concerns – Duplicates internal security work – You don’t

    know what you don’t know. – Identifies process breakdowns. – Identifies areas for training in SDLC. – Another tactic to protect users and critical data.

24. Bounty Concerns – Can’t Compete with the Black Market –

    Bounty programs and black market target different audiences. – Some people are bad, but many people are good. – Many don’t want hassle or questionable ethics/legalities of black markets.

25. Firefox Bug Bounty Results

26. Firefox Bounty Results

27. Firefox Bounty Results

28. Firefox Bounty Results

29. Firefox Bounty Results

30. What are people submitting? • Anything found with a fuzzer

    – Heap overflows – Use after free vulnerabilities – Stack overflows • Cross-origin or framing failures • Unauthorized access to Chrome

31. Mozilla Web Bounty Results

32. Mozilla Web Bounty – Submission Timeline

33. Mozilla Web Bounty – Types of Issues

34. Mozilla Web Bounty – Bugs Reported

35. Mozilla Web Bounty – The Bounties

36. Mozilla Web Bounty – The Reporters • Countries of Origin

    – Europe – 50% • Germany – 20% • France – 20% • UK – 12% • Finland – 12% – United States – 20% • Bay Area – 50% • Rest of US – 50% – India – 10% – Russia – 5%

37. What are people submitting? • Typical web vulnerabilities – XSS

    – CSRF • Be prepared for the low level vulnerabilities – Cookies not properly secured – Frameworks not up to latest. • Once the easy ones are out of the way there is opportunity for more interesting bugs to be found.

38. Mozilla Bounty – Benefits –Engage community. –Produce many high value

    bugs. –Bounty is not purchasing silence. –Security at a huge scope. –Identifies clever attacks and edge cases.

39. I found a vulnerability! Now what? • Hold on to

    it. – Use it for nefarious deeds and keep it away from the public • Release it to the web, full disclosure – Increase your street reputation – Not something that happens as much anymore. • Sell to the gray market – Big cash payout – Negative impact on rep • Send to vendor (hopefully through bug bounty program) – Make some money – These bugs go public for the most part so helps with rep

40. Why not the gray market? • Negative impact on reputation

    – Companies that do not deal with the gray market are hesitant to deal with people who have. • Requirements higher – Weaponization needed for payout. Bounties only require the vulnerability • Negative impact on the rest of us – These vulns are never reported to the vendor. – It’s possible others have found the vuln as well.

41. What Next? • http://www.squarefree.com/burningedge/ • I am a super awesome

    bug finder, but I want to contribute more. – That vuln you found? Maybe try your hand at making a patch for it. – Resources to help with this • https://wiki.mozilla.org/Security/Mentorship • Irc.mozilla.org #security

42. Conclusion

43. Conclusion Bounty Program works great for Mozilla. Recommend exploring how

    this may work for you. Leverage lessons learned and evaluate risk/benefit.

44. Questions? @gh_rooster http://blog.mozilla.org/security