Bug Bounty: What Is Meant by Bug Bounty and How Does It Work
A Bug Bounty is a program offered by companies or organizations where they invite ethical hackers, security researchers, and developers to find and report security vulnerabilities or bugs in their software or systems. In exchange for finding and reporting these issues, participants can receive rewards, which can range from monetary payments to recognition or other incentives.
Bug bounty hunters possess a wide range of skills that they use to test applications of different vendors and expose security loopholes in them.
Then they produce vulnerability reports and send them to the company that owns the program so that it can fix those flaws quickly. If the report is accepted by the company, the reporter gets paid. There are a few hackers who earn thousands of dollars in a single year just by hunting for vulnerabilities in programs.
The bug bounty program, also known as the vulnerability rewards program (VRP), is a crowd-sourced mechanism that allows companies to pay hackers individually for their work in identifying vulnerabilities in their software. The bug bounty program can be incorporated into an organization's procedures to facilitate its security audits and vulnerability assessments so that it complements the overall information security strategy.
Nowadays, there are a number of software and application vendors that have formed their own bug bounty programs, and they reward hackers who find vulnerabilities in their programs.
In this chapter, we will cover the following topics:
- Bug bounty hunting platforms
- Types of bug bounty programs
- Bug bounty hunter statistics
- Bug bounty hunting methodology
- How to become a bug bounty hunter
- Rules of bug bounty hunting
Bug bounty hunting platforms
A few years ago, if someone found a vulnerability in a website, it was not easy to find the right way to contact the web application owners, and even after contacting them there was no guarantee that they would respond in time, or at all. There was also the risk of the web application owners threatening to sue the reporter. All of these problems were solved by vulnerability co-ordination platforms, or bug bounty platforms. A bug bounty platform is a platform that manages programs for different companies. The management includes:
- Reports
- Communication
- Reward payments
There are a number of different bug bounty platforms being used by companies nowadays. The top six platforms are explained in the following sections.
HackerOne
HackerOne is a vulnerability collaboration and bug bounty hunting platform that connects companies with hackers. It was one of the first start-ups to commercialize and utilize crowd-sourced security and hackers as a part of its business model, and is the biggest cybersecurity firm of its kind.
Bugcrowd
Bugcrowd Inc. is a company that develops a coordination platform that connects businesses with researchers so as to test their applications. It offers testing solutions for web, mobile, source code, and client-side applications.
Cobalt
Cobalt's Penetration Testing as a Service (PTaaS) platform converts broken pentest models into a data-driven vulnerability co-ordination engine. Cobalt's crowdsourced SaaS platform delivers results that help agile teams to pinpoint, track, and remediate vulnerabilities.
Synack
Synack is an American technology company based in Redwood City, California. Synack's business includes a vulnerability intelligence platform that automates the discovery of exploitable vulnerabilities for reconnaissance and turns them over to the company's freelance hackers to create vulnerability reports for clients.
Types of bug bounty programs
Bug bounty programs come in two different types based on their participation perspectives. This division is based on the bug bounty hunters' statistics and their overall level of involvement on a platform.
There are two kinds of bug bounty program: public programs and private programs.
Public programs
A public bug bounty program is one that is open to anyone who wants to participate. This program may prohibit some researchers from participating based on the researcher's level and track record, but in general, anyone can participate in a public bounty program, and its details, including the scope, the rules of engagement, and the bounty guidelines, are openly published.
A public program is accessible to all researchers on the platform; bug bounty programs run outside of the platforms are also considered public programs.
Private programs
A private bug bounty program is an invite-only program for selected researchers. This is a program that allows only a few researchers to participate, and the researchers are invited based on their skill level and statistics. Private programs only select those researchers who are skilled in testing the kinds of applications that they have.
The programs tend to go public after a certain amount of time, but some of them may never go public at all. These programs provide access only to those researchers that have a strong track record of reporting good vulnerabilities, so to be invited to good programs, it is required to have a strong and positive record.
There are a few differences between a public and a private program. Conventionally, programs tend to start as private and, over time, evolve into public programs. This is not always true but, mostly, businesses start a private bug bounty program and invite a group of researchers to test their apps before the program goes public to the community.
Companies usually consider a few factors before they start a public program. There has to be a defined testing timeline, and it is advised that companies initially work with researchers who specialise in that particular area to identify the flaws and vulnerabilities. Most of the time, the companies do not open their programs to the public and also limit the scope of testing, so as to allow researchers to test these applications specifically in the sections that are critical. This reduces the number of low-severity vulnerabilities reported in out-of-scope applications. Many organisations use this technique to verify their security posture. Many researchers hunt for bugs in applications mainly for financial gain, so it is crucial that the organisation outlines its payout structure within the program's scope.
There are a few questions to consider before starting or participating in a bug bounty program; the most important one is: what is the end goal of the program going public versus keeping it private?
Bug bounty hunter statistics
A bug bounty hunter's profile contains substantial information about the track record that helps organisations identify the skill level and skill set of the user. The bug bounty hunter stats include a number of pointers in the profile that indicate the level of the researcher.
Different pointers indicate different levels on different platforms, but generally you will see the following pointers and indicators, based on which you can judge a researcher's potential.
Number of vulnerabilities
The first thing you can observe in a researcher's profile is how many vulnerabilities the researcher has reported in his bug bounty hunting career. This indicates how active the researcher is on the platform and how many vulnerabilities he has reported to date.
A high number of reported vulnerabilities does not by itself mean that the researcher has a positive track record; that depends on other factors. It does indicate activity: if the researcher has 1,000 vulnerabilities submitted over a period of 1 year, the researcher is quite active.
Number of halls of fame
This is the number of programs to which the researcher has reported valid vulnerabilities. The number of halls of fame is the number of programs the researcher participated in and had valid reports in. A high number of programs means the researcher's level of participation is active. That is, if the researcher has 150 halls of fame out of a total of 170 programs, the researcher is successful.
Reputation points
This is a relatively new indicator and it differs from platform to platform. Reputation points are points awarded for valid reports. It is a combination of the severity of the report, the bounty awarded to the report, and the bonus bounty of the report. That is, if the researcher has 8,000 reputation points over time, then he is above average.
Signal
A signal is an aggregate representation of report validity. It is basically a point-based system that represents how many invalid reports the researcher has submitted. A signal is calculated out of 10.
Impact
Impact is a representation of the average bounty awarded per report. It is an aggregate of the total bounty that was awarded for every report that was filed.
Accuracy
This is a percent-based system that indicates the number of accepted reports divided by the number of total reports. This tells the program owners the researcher's success rate in reporting vulnerabilities. If researcher A has a 91% accuracy rate, he submits reports that are mostly valid.
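The indicators above are each derived from a researcher's report history. The following Python script, added here as an illustration and not taken from the chapter or from any platform's code, computes the number of vulnerabilities, halls of fame, accuracy, and impact from a constructed list of report records; the `Report` record layout and the sample data are assumptions made for the example. Signal and reputation points are left out because the chapter gives no formula for them.

```python
"""Aggregate a bug bounty hunter's profile indicators from a list of reports.

Added example, not from the original text. The record layout and the
SAMPLE_REPORTS data are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    program: str   # program the report was submitted to (constructed names)
    valid: bool    # True if the program accepted the report as a real issue
    bounty: float  # bounty awarded for the report (0.0 when rejected or unpaid)


# Constructed sample data: 7 reports across 3 programs, 4 of them accepted.
SAMPLE_REPORTS = [
    Report("acme-web", True, 500.0),
    Report("acme-web", True, 1500.0),
    Report("acme-web", False, 0.0),
    Report("globex-api", True, 2000.0),
    Report("globex-api", False, 0.0),
    Report("initech-mobile", False, 0.0),
    Report("initech-mobile", True, 250.0),
]


def number_of_vulnerabilities(reports):
    """Total reports submitted: the activity indicator from the chapter."""
    return len(reports)


def halls_of_fame(reports):
    """Distinct programs in which the researcher has at least one valid report."""
    return len({r.program for r in reports if r.valid})


def accuracy(reports):
    """Accepted reports divided by total reports, as a percentage.

    Returns 0.0 for an empty history so a new profile never divides by zero.
    """
    if not reports:
        return 0.0
    accepted = sum(1 for r in reports if r.valid)
    return round(100.0 * accepted / len(reports), 1)


def impact(reports):
    """Average bounty per report filed (total bounty divided by total reports)."""
    if not reports:
        return 0.0
    return round(sum(r.bounty for r in reports) / len(reports), 2)


def profile_summary(reports):
    """Return the indicators as one dict, the way a profile page would list them."""
    return {
        "vulnerabilities": number_of_vulnerabilities(reports),
        "halls_of_fame": halls_of_fame(reports),
        "accuracy_percent": accuracy(reports),
        "impact": impact(reports),
    }


if __name__ == "__main__":
    for key, value in profile_summary(SAMPLE_REPORTS).items():
        print(f"{key}: {value}")
```

With the constructed data, the 7 reports yield 3 halls of fame, an accuracy of 57.1%, and an impact of 607.14, which shows why a high report count alone says little: the rejected reports lower both the accuracy and the average bounty.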