Blog post #2: Bug Bounties – cyber hunting for hackers

We, the gamers, love to earn achievements on Xbox or trophies on PlayStation.

We can spend many hours earning a particular achievement and chasing that sense of satisfaction. We do it because we want to prove our skillset and we obviously love to impress others. Best Example? The Mile High Club achievement in Call of Duty: Modern Warfare which took me several days to achieve. What was the achievement all about? Well, I had one minute to locate a VIP on a plane and kill all the terrorists on the way. Sounds easy? Not really.

Do hackers have such “cyber achievements”? Yes, they do. They are commonly known as bug bounty and offer serious money for impressive “achievements”.

What is a bug bounty program?

A bug bounty program is a deal offered by many vendors like Microsoft, Apple, Google, Mozilla etc. Organizations and software developers by which individuals can receive recognition and real financial compensation for reporting severe vulnerabilities. Bug bounty programs allow developers to discover and resolve security bugs before the general public is aware of them. This is basically done to prevent bad guys from taking advantage of those vulnerabilities.

Why are these programs popular? There are several reasons, including but not limited to:

  • Companies only pay for results
  • Virtually anyone can join most of them
  • Hundreds of people can work on one piece of the application, which facilitates diversity and scrutiny by researchers with a multitude of backgrounds
  • While these initiatives cannot substitute traditional pentesting, they are a great addiction to companies’ security program

Generally, vulnerabilities are classified by risk Informational, Low, Medium, High, and Critical. The more severe the vulnerability, the more the hacker will get paid for it. 

What are potential payouts? 

Very often vulnerability acquisition programs provide recognition and swags. In some cases, real cash is paid out to incentivize researchers 

Prices can start from as little as $100 for a “low” severity vulnerability and reach up to several hundred thousand dollars for a single critical vulnerability. It all depends on the vendor and severity of a vulnerability. 

There are quite a few interesting stories related to bug bounty programs where people made thousands of dollars for a single vulnerability. Here are some interesting facts:

Facebook bug bounty program – We all have heard stories of privacy incidents related to Facebook data leak.It’s not surprising that Facebook has been investing substantial resources for discovering and mitigating loopholes and exploits in its code. Since 2011, this program has paid out $7.5 million.. Facebook’s record of the highest single payout went to Andrew Leonov, a Russian security researcher who was awarded $40,000 for discovering a security flaw in a third-party security software that could seriously affect Facebook security. Details have not been disclosed.

Microsoft bug bounty program – Microsoft has paid out more than $2 million.The largest bounty payout was made to a single person that we know of is Vasilis Pappas. He received $200,000 in 2012 when he was a Columbia University PhD student. Not so bad for a student.

Google bug bounty program – Google launched its program in 2010. Hackers have received more than $15 million since then with $6.5. million awarded in 2019 only. The largest single payout last year was a bounty of $41,000 to an unspecified researcher. Of the bounties that are public, 19-year-old Ezequiel Pereira from Uruguay received $36,000 for discovering a Remote Code Execution bug in Google’s Cloud Platform console.

As you can see, some payouts are higher than the average annual salary in many countries of the world, which makes these programs very tempting for many. Unfortunately, only a small fraction of people have the skillset and dedication to find such bugs and can boast of their earnings from these programs. However, the stories of the largest payouts are a thrill for everyone, not just hackers.

Author: Cobble Games

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: