Let's talk a bit about bug bounties? Maybe get paid 10 Million dollars?
Discord: https://discord.gg/mBPbWcVRYR Twitter: https://twitter.com/shell_pod Instagram: https://www.instagram.com/shell_pod/ Website: https://whattheshellpod.com
This winter, I think I'm going to put a sign up at the end of my driveway. If you find any ice that I haven't gotten rid of, I'll pay you to tell me where it is. But there are some rules. You can only do the left side of the driveway, because people might be coming and going from the right side and we don't want to bug them. You can't make a lot of noise. And you're not allowed to dig anything up or move things around too heavily. I know they're kind of crazy rules, but if you follow them and tell me where I missed a spot? I'll make it worth your time, depending on how big of a patch of ice you find. I'm John Kordis, and this week I'm posting a bounty for ice removal; after all, it's pretty dangerous to leave out there. I want you to think about this concept a bit, because I'm going to explain to you What the Shell a bug bounty is, how people make a living off of it, and talk to you about some of the biggest bug bounties that have ever been paid out.
Okay, so you're probably thinking to yourself, "John, what was that intro? What are you talking about?" Some of you might have a bit of an idea of what a bug bounty is, but I'm going to take a minute here to explain it before we get into some interesting bits about them. No, we're not hunting insects. Think of it as a way to have constant security testing done without involving your own internal resources until it gets to fixing the problem.
The idea is that websites, applications, and companies can post "bounties" that give you an idea of what's being looked for and what you're allowed to do. The end result is that the ethical hacking community at large will be looking at your stuff, trying to find ways to exploit it, but doing so in a controlled environment. You, the company, can then take the information in what they submit and apply security changes to make sure your environment is secure. This is gonna do a few things. First, until someone finds a vulnerability or exploit, you're not paying anything out. I don't get paid to look at the app, just if I find a problem in it. So, say you've got dozens of people looking at an application and they haven't found anything wrong in one or two days. That's hundreds of hours of testing being done against you where potentially nothing has been found, in this case maybe validating that you're at least in a decent position.
The X factor there is that the quality of the individual doing the testing isn't always known. Second, the payout that might be given is fluid. Most programs will have lower payouts for stuff that might just cause little problems, but pay out much higher for things that result in complete ownership of the tool or your system. It's a sliding scale of pay depending on how serious it is. So now picture this. One major problem is found that someone spent quite a bit of time researching, and they get a payout of 3,000 dollars. Maybe they spent 2 or 3 weeks on this one. The company might be happy to pay that out as opposed to paying an internal engineer full pay and benefits for the same amount of time. So overall, again, they're pretty net positive. For this example, 3,000 dollars was just a number I gave. There's a wide range of payouts, but we'll get to that a little later. The cart's being put a bit before the horse on this one.
Before you go into any kind of bounty hunting, though, you've got to know the rules. Often the application owners don't want you testing against the actual site. Like if I'm trying to break something like Shopify and I succeed, obviously they don't want me to knock over the website and break everyone's store, or even worse, have access to all their shop data and customer information. To give you a safe environment to do this, companies will often set up separate areas for this testing that aren't used to run the live app. These might have separate domain names, so I would host it on something like test.whattheshellpod.com instead of whattheshellpod.com. No, that's not a real place.
So I've set the place for you to do it. Now I'm going to lay down some rules. I'll start by listing out what you can't do. You can't phish my employees, because that's not a code problem. I don't want you doing a denial of service attack; don't just flood me with requests, because anyone can do that. I don't want you using commercial vulnerability scanners against the site. And I don't want you to do an attack against password strength, because again, that's not what I'm looking for here.
So now you have the place, and you have the rules of what not to do. Another bit of things I'll add in are some rules for how to report this. You'll send the report through a certain application, maybe. You won't publish the info publicly. You're only testing YOUR account, not anyone else's. You can't be an active employee in the company you're testing, because maybe you'd just purposely code in some vulns. Putting all this together, we get what is often called a scope.
And as I'm typing this out, I did have a thought that maybe I'll go back to before publishing this episode. I wonder if there has been a fraud attempt where an internal developer purposely codes in vulnerabilities that pay out an okay amount so a friend of theirs can claim it. I'll have to look into that.
Anyways, I think you've got the idea. I'm basically offloading extra security testing to the world, but they just need to follow my guidelines before they get paid. And speaking of pay, let me tell you what some of the ranges of bigger sites can be. I'm looking at a few bug bounty programs right now and can tell you that in US Dollars:
- Robinhood pays up to $37,000
- OpenSea, an NFT platform, pays between $25 and $3M
- Shopify can go between $500 and $100K
- and Vimeo can go from $100 to $6K.
So there's a wide gap here, and you can kind of see how it's prioritized based on the potential fiscal impact of the service. Like Vimeo is important, but might not suffer as much compared to Shopify or OpenSea if they got fully compromised. So the picture is starting to come together. You're going to get paid based around the kind of vulnerability you find, the kind of damage it can do, and how easy it is to do; it all culminates in either a nice little paycheck or nothing at all.
Now that we've got the what out of the way, let's put a pin in what we're talking about and talk about how this came to be. Who even had this idea?
The easy answer is criminals. As long as exploits have been developed, there have been people willing to buy them. For a long time it was mainly a thing in the black hat community, where a hacker could buy an exploit kit or something that might not be known to the public and use it to either cause damage or make even more money.
So I want you to think about how long that could have been going on and ask yourself when the first bug bounty was put out. I'm going to talk about the first two high profile ones. What year do you think it was?
Hell, let's do this. I'll even sweeten the deal. In the description of the episode I've got my Twitter link and the Discord link. Pick one. In the episode discussion on Discord, or just tweeting me @shell_pod, send what year you think it was for either of the first two bug bounties. I'll toss all the names of people that get it right into a list and pick someone to get a free sticker pack. Pause the episode and do it right now if you want to be ethical. Keep listening and do it later if you want to be unethical.
Alright, you done? Great. Because now I'm gonna take you all the way back to 1983. Yep, 40 years ago. Because that's when Hunter and Ready launched what has been pretty well agreed to be the first bug bounty. Although it wasn't really called a "bug bounty".
What did they even do? What did they pay? Well honestly it was a pretty insane deal and a well marketed strategy. The ad read "Get a bug if you find a bug".
You see, Hunter and Ready designed the real time operating system that was used in the Volkswagen Beetle. You know, a buggy?
They were putting out a bounty for finding a bug in this system! In fact, let me just read some parts of the ad so you can see what they put in as the "scope". Side note: I've got this picture of the ad posted on the website at whattheshellpod.com.
But here we go, in the ad they said:
"Show us a bug in our VRTX real time operating system and we'll return the favor. With a bug of your own to show off in your driveway. There's a catch though, since VRTX is the only microprocessor operating system completely sealed in silicon, finding a bug won't be easy."
"Describe your application and the microprocessors you're using. We'll send you a VRTX evaluation package including timings for system calls and interrupts. And when you order a VRTX system we'll include the instructions for reporting errors! Don't feel bad if in a year there isn't a bug in your driveway, there isn't one in your operating system either!"
Ultimately, I wasn't able to find any record of someone claiming the prize, but this is such a cool story.
That's still a bit of a far cry from what we may have going on today, so let's move it forward to the second program, the one that coined the term "Bug Bounty" a bit more officially. We're going to 1995, back in the days when the graphically rendered internet we all know and love was still in its infancy. In those days you had ISPs where you'd log in through their own browser and connect over dial up. Companies like AOL, or in this case Netscape. Netscape had its internet browser called "Netscape Navigator", and back in 1995 their VP of Marketing explained why they were putting out a bug bounty for the 2.0 version of the tool. He said, quote:
“By rewarding users for quickly identifying and reporting bugs back to us, this program will encourage an extensive, open review of Netscape Navigator 2.0 and will help us to continue to create products of the highest quality.”
Now it should be noted that this was only run during the beta of the program, so it wasn't a permanent fixture, but it did well and they ended up handing out some cash prizes at the close of the event. Unfortunately, this trend was slow to catch on, and most other software developers at the time kind of just shook their heads at the prospect of doing something like this.
That wouldn't last too long in the grand scheme of things, because in the early 2000s, as things really started heating up with websites, forums, and general acceptance that the internet was a mainstream part of day to day life, bug bounty programs, and both the want and need for them, were starting to waterfall out into the world.
Here are some of the biggest platforms that would start up early with bug bounties.
iDefense, a security intelligence firm, launched a rewards program in 2002.
In 2004, Mozilla Firefox started a program that offered up to 500 dollars to anyone who could identify critical level vulnerabilities.
In 2007, there was the first ever Pwn2Own contest. This contest was put on by regular researchers who were frustrated that Apple had NO disclosure information, help, or policy.
2010 saw Google enter the game, and 2011 saw Facebook. From there, companies like GitHub, Etsy, and major online retailers started to get in on it as well, each offering their own incentives for finding bugs in their tools.
Now, what you may be thinking to yourself here is: wow, okay, so there are more and more out there. How do I find them? Like sure, I could go for the big names, but so will everyone else. A need started to pop up: it was getting to the point where there were a lot of bounties, and finding the right one could take some time. So what we had was the rise of intermediaries, sites that you submit the bounty through that aggregate programs and work with the vendors on your behalf. Let's start with one of the bigger and earlier ones, called the Zero Day Initiative.
I've actually referenced the Zero Day Initiative before, because they've found some of the exploits I've talked about on the show. They began back in 2005, and this is a small snippet of their mission:
"The Zero Day Initiative (ZDI) was created to encourage the reporting of 0-day vulnerabilities privately to the affected vendors by financially rewarding researchers. At the time, there was a perception by some in the information security industry that those who find vulnerabilities are malicious hackers looking to do harm. Some still feel that way. While skilled, malicious attackers do exist, they remain a small minority of the total number of people who actually discover new flaws in software."
The way their program works is that researchers interested in participating provide information on previously unpatched vulnerabilities. ZDI then takes that, along with whatever information it can gather, to validate the attack and try to replicate and confirm the issue. Then they'll offer the researcher money for the details and rights to that vulnerability, acting almost like a fence or middleman.
The Zero Day Initiative is still insanely popular as a platform for reporting. Every month they post a roundup of the Microsoft updates, and they'll let you know when big security holes are found and pushed through their program. It's a great read.
When they reward you, their payout is based on some simple criteria:
- Is the affected product widely deployed? That one is pretty self explanatory: something that's on Windows 10 Home is more valuable than something that's on a random Linux distro with fewer than 20,000 installs.
- Can exploiting the flaw lead to a server or client compromise? At what privilege level? Are you an admin or just a regular user?
- Is the flaw exposed in default configurations/installations? So, in this case, is it going to affect many, many systems or just unique one-offs?
- Are the affected products high value (e.g. databases, e-commerce servers, DNS, routers, firewalls)?
- Does the vulnerability require a social engineering component? (e.g. clicking a link, visiting a site, connecting to a server, etc.) Remember, a lot of companies don't consider this a part of bug bounties, so social engineering typically doesn't do much for you.
This all adds up to their secret sauce for payouts, which can technically be enhanced. They have bonuses for referrals and for continued reporting, things that will keep you with them, because as I'm about to show you, there is competition.
In the early 2010s, two other platforms were created that started a bit of an arms race in the field. One was called Bugcrowd, the other HackerOne.
Bugcrowd started in 2011 in Sydney, Australia, and HackerOne started in 2012 with its headquarters in San Francisco. These companies are increasing the availability for people to participate in bounty programs by making them accessible and really bringing in the different niches of bounty hunting. They operate by reaching out to these major companies, getting them onboarded with their programs, and then being the middlemen for a bounty program that's custom tailored to their exact needs. HackerOne serves companies like Uber, Spotify, Starbucks, Lufthansa, and more. Bugcrowd has just as impressive a list, including companies like Twilio, Atlassian, and HP.
Now, let's talk about what I'm sure some of you have been thinking about: payouts. Let's talk about the big ones.
In 2017, Oath, a media and tech company under which Yahoo, AOL, Verizon Digital Media Services, TechCrunch, and many more brands fall, participated in an event held by HackerOne called H1-415. The internal security team partnered with hackers from over 11 different countries.
The goal: find and claim as many bounties as possible in a day. All in all, 400,000 dollars was paid out that day in just 9 hours.
Back in 2012, Microsoft paid 200,000 dollars to one group of researchers as a part of its BlueHat competition, aimed at security mitigation.
And here are some of the top payouts from 2020, these ones being individual payouts:
Verizon's top bounty? 70,000 dollars. PayPal, 30,000. Uber had a 50,000 dollar payout. Those are all decent; in fact, for many people they are a year's wage, or at least a chunk of one. But these kinds of high profile payouts aren't always guaranteed; these are just the smartest and the best going after the biggest hitting payouts they can try for. There are some whale level payouts though, some of which have been claimed and some that are still up in the air.
Apple, who as I mentioned came under flak for not participating, recently paid a student 100,500 dollars for a webcam bug they had found. The bug could have impacted millions of users and gained access to their account information, in addition to the webcam itself.
But that's not to say there's not room for more. If you want to get the best of the best in terms of payout from Apple, they offer a minimum 100,000 and maximum 1,000,000 dollar payout. This category is reserved for the worst of the worst kind of vulnerability. A zero click, admin level take over of a device. Essentially, this is when a hacker needs no interaction from you at all, you just need to receive whatever the payload is. In some cases it can be as simple as a text.
The reason they'd pay so much is because, frankly, nation states like Russia, China, or really anyone, would probably pay more under the table for this. It's only happened a handful of times that these vulnerabilities were found, but almost always it's tied back to major, major powers. Apple's 1,000,000 dollar payout also has potential bonuses of 50% more for beta software vulns and 100% more for bypassing Lockdown Mode. That means there's a maximum 2,000,000 dollar payout if you zero click bypass a locked down device.
The record for biggest payout that I was able to find is currently held after a hacker found a flaw in the crypto service Wormhole, a contract on Ethereum. Wormhole is a protocol that lets blockchains like Ethereum, Terra, and Binance interact with each other, and when you have these kinds of interactions, especially with money, it can be a major target. Imagine just taking all the available assets from a contract and moving them wherever you want?
The vulnerability that was found has proof of concept code on GitHub to this day, but the platform is no longer vulnerable to it. The long and short of it was that with this proof of concept, a hacker could have held everything in the contract, that's all the available assets and potential asset value, for ransom. Which, according to the GitHub, was close to 1.8 billion dollars at the time of the submission of the report.
How much did that hacker get paid out? He made off with a nice cushy 10,000,000 dollars. That's right, 10 mil. That's a once in a lifetime bounty, but I expect as technical teams get more and more creative, and as more people take this on for side hustles or their full time job, we'll see more of these kinds of bounties. Just posting stuff like that 1-2 mil Apple bounty begets competition for people to try and break it. But the US DoD honestly said it best. Because back in 2016 the Obama Administration put out a challenge to hack the Pentagon for a month. 250 hackers went at it, 138 vulnerabilities were found, and they paid out 150k dollars. Their response to people saying that's a high amount? Well, it was 850,000 dollars cheaper than a full security audit.
At the end of the day, one of the biggest problems that's going to face this industry is that crime pays. The big payouts are nice, but might be pennies on the dollar compared to what underground markets can offer. The trade off is obviously that you're building tools or selling exploits that, if led back to you, could land you in jail. For some people in this world that's worth the risk, but for many, the majority, thankfully it's not. There are some that will do this for fun, some for a job, some might view it as a side hustle, and some might try to make it a full fledged career.
I think, though, if you look at the people that make a career out of this, they don't necessarily go after those whale bounties as much. That's the last thing I want to talk about, because a few years back the first person to cross 1 million in total earnings came out of HackerOne. It was a 19 year old Argentinian named Santiago Lopez, who goes by the handle Mr Hack. Lopez had, at the time, found over 1670 vulnerabilities and crossed the 1 million dollar mark. That's, on average, 600 dollars per payout. That's not to say he didn't have high value ones, but it does at least show the merit in finding a large amount of small vulnerabilities, which can add up to a nice pay day. He was able to find vulnerabilities in sites like Uber, Yahoo, PayPal, Airbnb. The list goes on. As of today, he's got almost 2400 vulnerabilities found. And I'm looking at a lot of his payouts on HackerOne and it's just like I said. I see 70 dollar payouts, 30 dollar payouts, 250 dollars, 1500, 2500, 125. It's a wide net that he's casting, and he's clearly raking it in a bit.
So what do you think? Are you the next Mr Hack? I think you could be, honestly. There are a ton of programs out there that offer bug bounty training. One of my favorites? NahamSec. NahamSec is a streamer and content creator as well as an educator and great mind in the field. He's got courses and lessons that can take you from wondering how to find a bug to claiming your first reward. That's not an ad, that's honestly just a suggestion for you to go out and look at, because I love watching his videos.
As for me? Maybe I'll give it a go this year at some point too? I doubt I'm as good as Santiago, but hey, couldn't hurt, right? I'm John Kordis, and thanks for listening to me explain what the shell bug bounties are and why they are pretty awesome.
That's this week's episode, thanks for listening.
Before you go, I have some stuff you might be interested in. First, for anyone that's new to the show or might not know about this, you can join us in the Discord to talk about the show and hang out! Now that we've started back up, I'm going to try and be a bit more active there, so you can reach out, talk to me or anyone else online, and offer up any suggestions you might have for the show, because I'd love to hear them. You can find the link to join on my website whattheshellpod.com or in the description below. On that site you'll also find the transcript of the episode and, should you be interested, my other socials like Instagram and Twitter, both of which are @shell_pod.
And then I do want to ask that if you liked this episode, maybe leave a review or rating on your platform of choice. It goes a little bit of a ways in terms of getting me up there in the charts so other people can find the show. If that's not your thing, maybe just recommend your favorite episode to someone you think might like it; word of mouth is honestly my favorite way the show has spread. Alright, I think I'm good for now, so I'll see you all in two weeks for the next episode. I'm gonna go see if anyone found any ice in my driveway.