Bug Bounties

Hanno Böck - https://hboeck.de/

I've been doing security research for several years and have often participated in Bug Bounties, but my experiences were very mixed

Earning money with Bug Bounties is not easy

The way most bug bounty platforms work today is hostile to researchers and not good for security

  • A security researcher finds a privilege escalation vulnerability in Steam on Windows
  • Local attacks out of scope in Valve's bug bounty program
  • Hackerone rejects report and tries to stop researcher from publishing it
  • The researcher got banned from Valve's bug bounty program

Steam Windows Client Local Privilege Escalation 0day

This incident highlights several problems common with bug bounty programs

Scope

Programs have arbitrary rules about what counts as a vulnerability

Attackers don't care about your scope

Hostile to Transparency and Disclosure

It's quite common that bug bounty platforms reject vulnerability reports as invalid *and* at the same time ask researchers to stay silent about them

There are more problems

Demanding proof of concept

This just isn't very efficient - creating a PoC is often vastly more work than finding a bug and attacks often use exploit chains

Summary

Bug bounty programs often feel like they're optimized to reject as many reports as possible, not to improve security and create a healthy relationship between researchers and companies