RDs and Bug Bounties

Are you better off killing insects for your bug bounties?

February 14, 2019, 8:53 PM

A bug bounty is a reward offered by a company to tempt security-skilled individuals into finding and reporting exploits and vulnerabilities that let them break into its systems.

The FireBounty main page

A good range of large companies actually do offer these bounties. There even exist aggregation websites that list a bunch of currently available bounties, ranging from $50 to $50,000, as well as some more questionable websites that will buy your 0-days for up to $2,000,000.

Zerodium Mobile 0day payouts

On the flip side, some bug bounty programs exist, such as the Open Bug Bounty community, that rely on people to post whatever disclosure they want, with a goodwill system encouraging the affected website to pay the reporter.

The open bug bounty form

Ever since the release of the first bug bounty program in 1995, for the Netscape Navigator browser, these programs have had a generally positive outcome. Even the US Government's Pentagon has its own version of a bug bounty, and in 1 month, from April 18 to May 12, 138 unique security flaws were identified and $71,200 was paid out.

The success of Hack The Pentagon

The only reason these bug bounties are successful is because they usually include a Reasonable Disclosure program.
An RD is an agreement between the person who found the exploit and the vendor it targets, under which the vulnerability is only disclosed publicly after a period of time that allows the vendor to patch it.

A Reasonable Disclosure report format can be used for my Problem Statement in an attempt to emulate the documentation that a security researcher or whitehat will need to write up for any piece of work they may be doing.

Sources:

https://www.mcafee.com/enterprise/en-au/threat-center/advanced-threat-research/disclosure.html
https://www.cert.gov.au/critical-infrastructure-big-business/report-incident/vulnerability-disclosure-policy