Why bug bounty hunters love the thrill of the chase

Bounty hunters in the law enforcement field are often pictured as long-haired wild men who will do whatever it takes to track down someone who has run afoul of the law. Bug bounty hunters have the same passion for tracking down code-based flaws, but you would be hard pressed to pick them out of a lineup.

Instead of tracking down perpetrators, bug bounty hunters are tracking down any vulnerabilities in companies' sites.

With headlines about hackers finding vulnerabilities now so familiar, bug bounty hunters have become a necessity. Just last month Google paid out $75,000 in bug bounties for 159 flaws fixed in Chrome. Even Microsoft added a bug bounty program in September, offering a minimum of $500 per qualifying bug.

While money is a nice incentive (and the bug bounty hunters won't turn any of it down), they are happy with a pat on the back and some recognition for their work. It's a way to work legally on a site without fear of being served with a lawsuit.

"It's not often that you get to hack into live websites without the threat of the law," said Jonathan Singer, a security engineer in the security consulting business. "I already try to contact companies if it is safe to do so. Responsible disclosure is the best policy, but more places need to embrace it."

A bug bounty hunter who gave only his handle, Bitquark, said he enjoys taking advantage of routes through a system which the designer may not have intended or planned for.

"Spending hours picking away at something before finally landing a bug is enormously gratifying."

A staff information security engineer at Tesla Motors found success in the bug bounty world when he found a SQL injection flaw in Facebook's Oculus developer portal; the flaw could be escalated to remote code execution on the portal. The find netted him a $15,000 reward.

The engineer, in his 30s, said he might pick at a target from time to time, but some programs run for a fixed window and require a more concerted effort.

Singer has been a bug bounty hunter for just over a year.

"It is still a hobby for me, kind of like a weekend warrior gig," he said. "My 9-to-5 is already spent with compliance and policy, so this is kind of a way to unwind, see what challenges exist and maybe get some swag or cash."

On a site like Bugcrowd you can find a list of the open bug bounties along with a rundown of some of the contributors. Companies listed on Bugcrowd include EMC, Google, IBM, Microsoft and Yahoo. Each lays out in detail which parts of its sites are in scope for testing and what rewards are available. For example, Google lists a $20,000 reward for anyone who can achieve remote code execution on accounts.google.com.

Sebastian Neef, Tim Philipp Schäfers and Julien Ahrens collected a five-figure reward for finding a path traversal vulnerability on PayPal's main domain. Through it they were able to download any file from the server.
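The PayPal report itself is not on this page, so the following is an added illustration of the bug class rather than the researchers' own finding: a download handler that joins user input onto a base directory (vulnerable) next to one that resolves the final path and refuses anything that leaves the directory. The files, directory names and function names are constructed for the example.

```python
import os
import tempfile

# Constructed sample tree (example data, nothing from the PayPal report):
# <root>/public/hello.txt is meant to be downloadable, <root>/secret.txt is not.
ROOT = tempfile.mkdtemp(prefix="dl-demo-")
PUBLIC = os.path.join(ROOT, "public")
os.makedirs(PUBLIC)
with open(os.path.join(PUBLIC, "hello.txt"), "w") as f:
    f.write("public file\n")
with open(os.path.join(ROOT, "secret.txt"), "w") as f:
    f.write("db password\n")


def download_vulnerable(name: str) -> str:
    """Naive handler: joins the request onto the base directory and reads it.
    os.path.join does not neutralise '..' segments, so '../secret.txt' escapes
    PUBLIC, and an absolute name such as '/etc/passwd' replaces PUBLIC entirely."""
    path = os.path.join(PUBLIC, name)
    with open(path) as fh:
        return fh.read()


def download_hardened(name: str) -> str:
    """Resolve the final path (collapsing '..' and following symlinks) and serve
    it only if it is still inside PUBLIC. Comparing resolved paths, rather than
    filtering the string for '..', also covers encoded and symlinked variants."""
    base = os.path.realpath(PUBLIC)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing path outside {base}: {name!r}")
    with open(target) as fh:
        return fh.read()


def is_rejected(name: str) -> bool:
    """True if the hardened handler refuses the request (hypothetical helper)."""
    try:
        download_hardened(name)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(download_vulnerable("../secret.txt"), end="")   # leaks the secret
    print(is_rejected("../secret.txt"), is_rejected("/etc/passwd"))
```

The check compares canonicalised paths, so a request that spells the traversal differently (extra slashes, a symlink placed inside the public directory, an absolute path) is judged by where it actually ends up, not by what the string looks like.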

Neef and Philipp Schäfers founded Internetwache.org in 2012, with Ahrens joining them a year later. When asked whether they juggled a family while going to college or holding down a job along with bug bounty hunting, they said they are not married, "but sometimes a girlfriend makes life more time consuming and we all know family/girlfriend is more important than bug hunting."

Neef (21) studies computer science at the technical university in Berlin, while Philipp Schäfers (19) studies economics and computer science at Bielefeld. Ahrens is the old man of the group at 29 and works at Secunet Security Networks AG. They got into bug bounty hunting as a side job around the time they started hearing about the hacker group Anonymous.

"Naturally the media tried to defame all kind of hackers as criminals. It was clear that small mistakes can lead to big data leaks," they said.

The trio advise anyone who wants to get into the business to be prepared to think outside the box and be creative in their approach. They gave the following list of attributes a bug bounty hunter should have:

  • Creative: Try to find new ways to bypass/combine/exploit specific situations, to think of new attack vectors.
  • Thinking like a developer: The person has to empathize with the developer who wrote the application. Only that way will you be able to think about edge cases or understand the application's work/data flow.
  • Thinking like a bad boy: Try to push the limit. Don't stop before you're root on the target machine.
  • Polite/calm: It's not always easy to explain a complex security issue to a developer. A very important key to success is the ability to communicate your thoughts properly, as you want the developer to fix your security findings.
  • Realistic: Always consider the real impact and the resulting risk for the business.
  • Responsible: Discovering a critical bug usually puts a huge burden on your shoulders. Act accordingly.

"Having a look at the security community, we can tell that there are a lot of top-notch bug hunters who fulfill nearly all of the above points. On the other hand, there are 'unskilled' or new bug hunters who try to make some quick bucks by using one-click-tools and sometimes go as far as threatening the business owners. We refuse to call these people 'bug hunters'," they said.

They enjoy bug bounty hunting because it gives them the freedom to break things whenever they want. "By submitting useful reports the chances are good that more and more companies will get the idea about responsible disclosure," they said in calling bug bounty hunting the ultimate in crowdsourcing.

The most common findings these bug bounty hunters report are basic configuration mistakes or missing best practices. Among the more severe bugs, staples like Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) are still not uncommon.

Most development frameworks take care of basic XSS and CSRF issues. They have also noticed a decrease in SQL injection bugs, which they attribute to ORMs and prepared statements: both keep user input out of the query text, and they do a good job of preventing SQL injection on high-profile websites and tools.
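To show why prepared statements close off the class of bug the researchers say is becoming rarer, here is an added example (not code from the article or from any of the programs it mentions) using Python's sqlite3 module. A login check built by string concatenation is placed beside the same check as a parameterised query; the table, the user and the payload strings are constructed for the demonstration.

```python
import sqlite3

# Constructed sample database: one user, one password (example data only).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Query text is assembled from user input, so quotes and keywords in the
    input become SQL syntax. This is the pattern prepared statements replace."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Prepared statement: the SQL text is fixed and the values travel separately
    as bound parameters, so a quote inside a value is just a character."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Two classic payloads: a tautology in the password field, and a comment marker
# in the username field that truncates the rest of the WHERE clause.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"


def demo() -> dict:
    """Run both handlers against the real password and both payloads (hypothetical
    helper that returns the outcomes so they can be checked, not just printed)."""
    conn = make_db()
    return {
        "vuln_real_password": login_vulnerable(conn, "alice", "correct horse battery staple"),
        "vuln_tautology": login_vulnerable(conn, "alice", TAUTOLOGY),
        "vuln_comment": login_vulnerable(conn, COMMENT_OUT, "anything"),
        "prep_real_password": login_prepared(conn, "alice", "correct horse battery staple"),
        "prep_tautology": login_prepared(conn, "alice", TAUTOLOGY),
        "prep_comment": login_prepared(conn, COMMENT_OUT, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} -> {result}")
```

The point is not that the parameterised version filters the payload; it never inspects it. The statement's structure is fixed before the values arrive, which is the same property an ORM gives you as long as you do not drop back to raw string-built queries for the awkward cases.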

"Security is about practice. Try and try again, and keep trying, and keep learning new things," Singer added. "I see some researchers jump in headfirst and try to hack everything in sight. Best of luck to them, but in reality it is not that simple."

The bug bounty hunters cautioned against going it alone to find vulnerabilities before getting approval from the site owner. Platforms like Bugcrowd can help put in place the legal agreements that protect the bounty hunters.

Stories by Ryan Francis