Embracing The Crowd Step Two

We all understand the term crowdsourcing.  A bug bounty is just that: a company that owns a product or application invites the research community (the crowd) to hunt for security issues in it and rewards them with cash.



The real difference in a bug bounty is the crowd.  The crowd is a set of individuals, each working alone towards an individual goal: find as many bugs as I can to make the most money.



More traditional crowdsourced projects, such as those run on Kickstarter, have a "community" goal: people donate money together to reach a common target.  Some may argue that the common goal of a bug bounty is to make the internet a much safer place.  That all sounds good in la-la land, but it is not the reality.  Researchers ultimately do this for cash rewards, résumé reference points, bragging rights (halls of fame) or points on a leaderboard; that's the plain truth of it.



Because cash is available for security vulnerability discoveries, bug bounties remain highly competitive among security researchers, which keeps them a crowd of individuals rather than a team.



To address this natural behaviour, and as a first for all bug bounty platforms and programs, Bug Bounty HQ has created Collaborative Reporting.



Collaborative reporting has many benefits, the obvious ones being:

  • 50/50 split of all awarded points and cash rewards, handled automatically by the system so that both parties are protected

  • An excellent training tool: a researcher may have come across a potential attack but lack the skill to exploit it and need assistance

  • An increase in vulnerability submissions

  • Researchers become more successful, both those accepting invites and filing a bug, and those inviting researchers and filing a bug together

  • One step closer to emulating an office environment.  In a traditional pentest firm, a pentester can draw on the knowledge of other consultants in the office when stuck on a particular issue; Collaborative Reporting is Bug Bounty HQ's answer to that

  • Higher quality reporting.  Reports are expected to be of a much higher standard because the bug and its PoC have been worked on by two individuals



Collaborative Reporting In Action



Mack is a researcher who has come across what he believes to be a potential target for an XML External Entity (XXE) attack.  He knows Neet is good with XXE, so Mack wants to collaborate with Neet on the potential issue.



Mack logged in.



Mack visits Neet's profile page.



Mack selects Collaborations.



Mack chooses the category of bug and the relevant bug bounty program.



Mack sends the invitation to Neet.



At this point, Mack can also invite a few other researchers if he wishes, in the hope that someone accepts.  Visiting collaboration details shows all of Mack's outgoing invite requests as well as any incoming ones.



We are now logged in to Neet's session, and Neet sees the invitation within his collaboration details.



Neet accepts Mack's request to collaborate on a potential XXE report.



Back in Mack's session, he sees that Neet has accepted his invite request.  Had Mack asked another six researchers to collaborate and had they all accepted, he would now have to choose just one researcher to work with and decline (cancel) the other outstanding invitations.



Invite now confirmed by Mack.



Back in Neet's session, he sees that Mack has confirmed, and they are now able to begin collaborating on the potential XXE vulnerability.



Neet opens the bug to begin editing and notices that no content has yet been added by Mack.  Using the internal comment system, Neet sends Mack a quick message.



Now that Neet has some information about the issue, he gets to work to determine whether the area is vulnerable and, if so, to create a working PoC.  He finds the XXE is valid, writes the report, and asks Mack whether he understands how the attack occurred and, if he is happy with the write-up, to go ahead and submit the report.  Note that when Neet finishes writing his report he saves it as a draft.



Mack is ecstatic that Neet got a working XXE attack.  It is likely this will pay a few thousand dollars, which they will split.  Had they not collaborated, neither of them would be getting anything.  Having read over the report, Mack is a little wiser about XXE exploitation and is happy with the write-up.  Mack now submits the report to the bug bounty program for review.



To check on the status of their collaborative bug report, they visit Collaborative Bugs.



Selecting the issue.



Expanding Internal Comments (these remain private between the collaborators and are not viewable by the bug bounty program administrator).



Looking at the Bug Reporters, we see both are listed.



Once the bug has been triaged (verified as a genuine, valid, in-scope issue), any points awarded for the report and for its priority classification are split automatically between the researchers.  After the issue is fixed, the program admin decides to award $5,000 for it.  The system automatically awards Mack and Neet $2,500 and 25 award points ($100 = 1 point) each.



Through the Collaborative Reporting feature, Mack and Neet are winners, and the program owner has just closed a great vulnerability, making their systems more secure.



Coming next to Bug Bounty HQ: Teams.  This is currently under development and will hopefully be released in January 2016.