Bug Bounty Programs
Written by Karolis Liucveikis on (updated)
It is a cliché to say it, but you have to think like a criminal in order to defeat a criminal.
Some businesses and organizations, from Samsung to Google to even the US military, have come to the rational conclusion that if you cannot defeat your adversaries outright, you can pay them to work for you instead. So that is what they do.
When a hacker, hobbyist, or security researcher finds a security weakness, they can either tell the software or hardware producer, out of the goodness of their heart or in exchange for some recognition, or they can keep it to themselves and seek to profit from it.
There are several ways to profit. One is to turn to the criminal element and use the flaw for crime. Another is to sell the exploit to brokers who collect such flaws and resell them to crooks, governments, and corporations alike. A third is to turn to the bug bounty programs run by the software companies whose bugs are being hunted, which pay for reports so that the flaws can be fixed.
Zerodium and other Private Brokers
One bug collector is Zerodium. It is unclear whether Zerodium, which sells flaws to governments and corporations, works for the good guys or the bad guys. Its standing offer is $1 million to anyone who can crack the iPhone. Its motto is “The premium acquisition program for zero-day exploits and advanced cybersecurity research.”
Other companies profit from this in less audacious ways. HackerOne runs the bounty programs of the Pentagon, Uber, Yahoo, and Dropbox; Bugcrowd, in San Francisco, does the same.
Uber
Uber takes the safety of its riders seriously, women in particular. The company is attacked on all sides: by drivers, who want union benefits, and by foreign governments, who want to ban it outright to protect their domestic cabbies. So it is no surprise that its mobile apps and back-end systems are under constant attack too, and it runs a bounty program that pays up to $10,000.
Apple, Rotten to the Core
Apple has long sold its devices at two to three times the price of everyone else's and has kept its proprietary software away from the prying eyes of open-source developers. Apple has always been different, so its approach to bounty programs is different too: it does not have one.
Apple says it does its own security research and so does not need the help of outsiders. But as was shown just this month, Apple is not perfect either. The FBI paid a bounty, and a mighty one at that, of more than $1.3 million to a hacking firm for a method of unlocking the iPhone.
Microsoft
Windows is, of course, by far the operating system with the largest number of reported security flaws. That is because it is installed on the vast majority of home and office PCs, so more hackers devote themselves to that larger target. PC sales are down, Intel just laid off 12,000 people, and Android has far surpassed Windows in installs, but Windows will be with us for some time yet, like the common cold. So Microsoft also has a bug bounty program.
Hack the Pentagon
While ordinary people and businesses engage in cyberwar, the US military is engaged in actual war, and it uses uniformed soldiers and contract killers alike. Mercenary hackers who want to join its ranks in the Hack the Pentagon program can sign up at its registration page.
Android Security Rewards
Below we report that Google offers bounty rewards not just for its own code but for open-source software too, including the Linux kernel, which underlies Android.
Compared to other reward programs, the Android Security Rewards payments seem quite low: $500, $1,000, and $2,000 for moderate, high, and critical flaws. Researchers can earn four times the payout by supplying both a test case that demonstrates the weakness and a patch that fixes it.
Google Application Security Patch Reward Program
Google has told the media and announced on their own web site that they have paid millions of dollars to people who have found weaknesses in both their own software and open source software.
That makes sense. If Google helps improve software its customers use, it helps those customers and thus Google too, regardless of who wrote the code. And as an advertising monopoly, Google has money to splurge on things like this.
Google’s idea is to pay developers for “proactive security improvements to select open-source projects.”
These include a host of widely used programs that power much of the internet, including Apache, OpenVPN, AngularJS, Node, and even the Linux kernel. (Their offer to assist Linux might fall on deaf ears. We previously explained how difficult it is to get changes into the Linux kernel: its developers are a close-knit group, and their autocratic, somewhat maniacal leader, Linus Torvalds, has said that security bugs are to be treated no differently from any other type of bug.)
The goal here is defense, not offense. The program rewards security improvements rather than reports of outright weaknesses; finding a vulnerability and proving it exploitable is the business of Google's separate vulnerability reward programs.
The areas they seek to harden are the subtle details that attackers exploit, above all memory handling and the arithmetic that decides how much memory is used, where an unchecked integer overflow turns into a buffer overrun. They say they are looking for:
Any patch that has a demonstrable, significant, and proactive impact on the security of one of the in-scope projects will be considered for a reward. Examples include:
- Improvements to privilege separation or sandboxing
- Memory allocator hardening
- Cleanups of integer arithmetic
- Systematic fixes for various types of race conditions
- Elimination of error-prone design patterns or library calls
- Contextual auto escaping in templates
- Refactorings that make it easier to reason about the security properties of the code.
The payments here range from $500 to $10,000.
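To make the "cleanups of integer arithmetic" and memory-hardening items above concrete, here is an added example in C. It is not code from this page or from any of the in-scope projects; it assumes a hypothetical loader that reads a record count from an untrusted header and allocates count * RECORD_SIZE bytes for it. The record size, the sample blob and the function names are constructed for the example. The unchecked version shows the wrap that makes such allocations exploitable; the checked version is the kind of patch the program is asking for.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Each record in the (constructed) blob is 16 bytes. */
#define RECORD_SIZE 16

/* Constructed sample input: three 16-byte records, as a loader might read
 * them from a file whose header also states the record count. */
static const unsigned char SAMPLE_BLOB[3 * RECORD_SIZE] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'B','B','B','B','B','B','B','B','B','B','B','B','B','B','B','B',
    'C','C','C','C','C','C','C','C','C','C','C','C','C','C','C','C',
};

/* BEFORE the cleanup: the allocation size is count * RECORD_SIZE with no
 * check. Unsigned multiplication wraps modulo SIZE_MAX + 1, so a hostile
 * count of SIZE_MAX / RECORD_SIZE + 2 yields exactly RECORD_SIZE bytes:
 * malloc succeeds, and any loop that then copies `count` records writes
 * far past the end of the buffer. */
static size_t record_bytes_unchecked(size_t count)
{
    return count * RECORD_SIZE;
}

/* AFTER: reject any count whose product cannot be represented, before
 * performing the multiplication. Returns 0 on success, -1 on overflow. */
static int record_bytes_checked(size_t count, size_t *out)
{
    if (count > SIZE_MAX / RECORD_SIZE)
        return -1;
    *out = count * RECORD_SIZE;
    return 0;
}

/* Hardened loader: allocates only when the size is sound and the blob
 * actually contains that many records. Returns NULL on any failure;
 * the caller frees the result. */
static unsigned char *load_records(const unsigned char *blob, size_t blob_len,
                                   size_t count)
{
    size_t need;
    if (record_bytes_checked(count, &need) != 0)
        return NULL;              /* count * RECORD_SIZE would wrap */
    if (need > blob_len)
        return NULL;              /* header claims more records than present */
    unsigned char *buf = malloc(need ? need : 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, blob, need);
    return buf;
}

/* Exercises both paths on the sample data; returns 1 if the hardened
 * code behaves as described above, 0 otherwise. */
static int run_demo(void)
{
    size_t hostile = SIZE_MAX / RECORD_SIZE + 2;
    size_t n = 0;

    /* The old arithmetic silently wraps to a single record's worth. */
    if (record_bytes_unchecked(hostile) != RECORD_SIZE)
        return 0;
    /* The checked version refuses the same count ... */
    if (record_bytes_checked(hostile, &n) == 0)
        return 0;
    /* ... and still handles honest counts. */
    if (record_bytes_checked(3, &n) != 0 || n != (size_t)3 * RECORD_SIZE)
        return 0;

    if (load_records(SAMPLE_BLOB, sizeof SAMPLE_BLOB, hostile) != NULL)
        return 0;
    if (load_records(SAMPLE_BLOB, sizeof SAMPLE_BLOB, 4) != NULL)
        return 0;                 /* 4 records claimed, only 3 present */

    unsigned char *copy = load_records(SAMPLE_BLOB, sizeof SAMPLE_BLOB, 3);
    if (copy == NULL)
        return 0;
    int ok = memcmp(copy, SAMPLE_BLOB, sizeof SAMPLE_BLOB) == 0;
    free(copy);
    return ok;
}

int main(void)
{
    printf("hardened loader behaves as expected: %s\n",
           run_demo() ? "yes" : "no");
    return 0;
}
```

The check `count > SIZE_MAX / RECORD_SIZE` is the portable form of "would the product overflow"; compilers also offer `__builtin_mul_overflow`, which does the same thing for arbitrary operand widths. A patch of this shape, applied systematically to every size computation in a project, is what the "cleanups of integer arithmetic" item refers to.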
Chrome and Chromebooks
Google pays up to $100,000 to those who can demonstrate a persistent compromise of a Chromebook.
The bounty program for Chromium, the open-source browser from which Google Chrome is built, is called the Chrome Vulnerability Reward Program.
Samsung
Finally, software companies are not the only ones participating in these programs. Game consoles, TVs, and all kinds of electronics are subject to hacking, sometimes with a soldering iron rather than malware. Samsung pays rewards of up to $3,000 for bugs found in its devices.