
Winning Bug Wars: From Volkswagen Beetles to Million Dollar Bug Bounties

Posted by Cadre on Aug 27, 2020 9:44:27 AM

Bugs have been wreaking havoc on humanity since long before the rise of information technology, but the bugs we know today carry hefty bounties, as companies tap the global community of ethical hackers to scour code for security vulnerabilities before cybercriminals can exploit them. Read on to discover which bug bounty program may fit your cybersecurity strategy.

An Eclectic History of the “Bug”

Bugs have been exploiting our fears and wreaking havoc since circa 1395, when the Middle English term ‘bugge’ was used to describe a source of fear, dread, or an imaginary terror.[i]

One of the earliest adoptions of the word “bug” in reference to technology was Thomas Edison’s use of it to describe a technological glitch in his 1870s quadruplex telegraph machine, which needed a “bug trap” to work properly.[ii]

Yet the world’s “first actual case of bug being found” was recorded by computer scientist Grace Hopper in 1947, when her Harvard colleagues found a moth literally trapped in a relay of the Mark II computer, causing issues with the computer’s hardware.[iii]

The “bug” has become a regular part of the IT lexicon, and it continues to be a persistent headache for companies, software developers, and users. A bug is simply an error, fault, or flaw in a computer program or hardware system.

While some bugs cause subtle effects that are easily resolved, other bugs can trigger errors that seriously compromise a system's functionality, produce ripples that cause catastrophic events, or introduce security vulnerabilities that can be exploited by malicious actors.

Here are some common security vulnerability types:

1. Cross-site Scripting
2. Improper Authentication
3. Information Disclosure
4. Privilege Escalation
5. SQL Injection
6. Code Injection
7. Server-Side Request Forgery
8. Insecure Direct Object Reference
9. Improper Access Control
10. Cross-Site Request Forgery

Debugging the Network Security Ecosystem

“Bugges” are no longer an imaginary terror. In fact, bugs mean serious business – for both malicious actors and ethical hackers alike.

Businesses understand that while they leverage advanced computing technologies to process more data than ever before, cybercriminals work just as swiftly to exploit vulnerabilities in those systems and that data.

Consequently, businesses are leveraging bug bounty programs to beat bad actors to the punch. They offer recognition and financial compensation to members of the global community of ethical hackers who identify and report bugs, especially those pertaining to security vulnerabilities, before they can be exploited by cybercriminals. 

The first known bug bounty program was initiated in 1983 by Hunter & Ready. They offered a Volkswagen Beetle (a.k.a. Bug) to anyone who found and reported a bug in their Versatile Real-Time Executive operating system.[iv]

Today, organizations across industries, from startups to global conglomerates, including several U.S. government agencies that once threatened ethical hackers with legal recourse, are embracing ethical hackers and bug bounty programs as part of a mature, proactive cybersecurity strategy.

Which bug bounty program fits your cybersecurity strategy?

There are many reputable bug bounty platforms dedicated to connecting organizations and bug bounty hunters, including HackerOne, BugCrowd, SafeHats, Synack, etc. But what exactly are bug bounty programs, and which one works best for your organization?

Here are the three most common types of bug bounty program:

1. Time-Bound Bug Bounty Programs are open to all hackers. They allow hackers to focus on specific attack surfaces for a limited time. It’s a great way for you to test the benefits of broader bug bounty programs without stretching your financial resources. It can be used to replace or augment your existing penetration tests and maximize your pen test budget.

2. Private Bug Bounty Programs are exclusively known and available to only those hackers you invite based on experience, skills, location, etc. Security teams can work with smaller groups of hackers to identify vulnerabilities as they optimize internal security processes. It’s a great way to sample the volume and types of vulnerability reports you might expect to receive in a broader public bug bounty program. Every report, participant, bounty, and detail of the program is private.

3. Public Bug Bounty Programs are open to all hackers. They maximize your program’s visibility and produce optimal results because they are open to the widest range of hacker experience, skills, location, etc. You can show your customers the effort you’re investing in security, customize what they see, redact or make bug reports private, choose disclosure timeframes, and set your own bounty values.

There’s also the “see something, say something” approach

Vulnerability Disclosure Policy (VDP) is a formalized method for receiving vulnerability submissions from external parties. It provides guidance for accepting help and interacting with the security community. It doesn’t offer bounty rewards for vulnerability reports.

The National Telecommunications and Information Administration (NTIA) published a Coordinated Vulnerability Disclosure Template that addresses best practices for security disclosure. It was developed by experts from industry, government, and the security community.

Five key elements of VDP:

1. Promise: A commitment to customers potentially impacted by security vulnerabilities.
2. Scope: Identifies what properties, products, and vulnerability types are covered.
3. Safe Harbor: Assures that reporters of good faith will not be penalized.
4. Process: Clearly defines the process that finders use to report vulnerabilities.
5. Preferences: Expectations for preferences and priorities for how reports will be evaluated.

The VDP practice is defined in ISO standard 29147, and is outlined in the Department of Justice (DoJ) Framework for a Vulnerability Disclosure Program for Online Systems.

The Real Cost of Infamous Bugs

Money is always top of mind in every organization – it can make or break our success. We also understand that we can’t afford to dismiss the significance of cybersecurity because doing so may pose severe consequences.

Bug bounties have hefty price tags

The cool thing about bug bounty programs is that you don’t pay a dime until after the security vulnerability is reported, validated, and determined to be in line with the terms of your program. Nonetheless, competent and reliable ethical hackers don’t come cheap.

• Many hackers earn an average of $50,000 a month.[v]
• Google paid $6.5 million in bug-bounty rewards in 2019.[vi]
• Six hackers broke bug bounty records in 2019, each awarded over $1 million by HackerOne.[vii]

Exploited vulnerabilities have severe consequences

Compromised data costs much more than our bottom line. It’s more than the reputation of our organization. It’s a threat to the people and organizations that we serve.

• Social Bluebook was hacked, exposing 217,000 influencers’ accounts[viii]
• Exclusive: Details of 10.6 million MGM hotel guests posted on a hacking forum[ix]
• Estée Lauder Exposes 440M Records, with Email Addresses, Network Info[x]

If exploits don’t break your bank, regulators might

The sooner we have security and privacy controls in place, the easier it will be to avoid hefty fines from compliance regimes such as GDPR.

• €114 million in fines imposed by European authorities under GDPR[xi]
• Dixons Carphone fined £500,000 for massive data breach: ‘Systemic failures’ found in the retailer’s management and protection of customer data[xii]

Embrace Proven Cybersecurity Strategies

Cybercriminals are aggressively combing the attack surface to exploit our vulnerabilities. It’s imperative that we leverage proven cybersecurity techniques to reduce these vulnerabilities, protect our brand and assets, and ensure our customers and their valuable data are safe.

Here are 5 tips for a proactive security strategy:

1. Implement a Vulnerability Disclosure Policy – today!
2. Tap into the global community of skilled ethical hackers.
3. Contact a trusted advisor to fix bugs. Consider a vCISO service that can help ensure your fixes align with a compliance framework.
4. Leverage an assessment service that is equipped with a battery of different tools that it can use to evaluate your vulnerabilities from an outside perspective.
5. Combine the above techniques to exterminate bugs and protect your attack surface.

Bugs are serious business, and we can control them with the right cybersecurity solutions.

If you’d like to learn about Cadre’s security vulnerability assessments and tools, please contact us. We’d love to help protect your attack surface.


[i] https://www.oed.com/view/Entry/24351
[ii] https://www.atlasobscura.com/articles/who-coined-term-bug-thomas-edison
[iii] https://www.globalapptesting.com/blog/the-worlds-first-computer-bug-global-app-testing#:~:text=On%20September%209%2C%201947%2C%20the,by%20computer%20scientist%20Grace%20Hopper.
[iv] https://en.wikipedia.org/wiki/Bug_bounty_program#cite_note-14
[v] https://www.bbc.com/news/technology-43581624
[vi] https://threatpost.com/google-record-high-bug-bounty-payouts/152354/
[vii] https://www.hackerone.com/press-release/six-hackers-break-bug-bounty-record-earning-over-1-million-each-hackerone#:~:text=Back%20to%20Archive-,Six%20Hackers%20Break%20Bug%20Bounty%20Record%2C%20Earning,%241%20Million%20Each%20on%20HackerOne&text=SAN%20FRANCISCO%2D%2D%20August%2029,million%20dollars%20each%20from%20hacking
[viii] https://techcrunch.com/2020/03/27/social-bluebook-hacked/
[ix] https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/
[x] https://threatpost.com/estee-lauder-440m-records-email-network-info/152789/
[xi] https://www.fsmatters.com/EUR114-million-in-fines-under-GDPR
[xii] https://www.theguardian.com/business/2020/jan/09/dixons-carphone-fined-500000-for-massive-data-breach
