
What is the Bug Bounty Program? How Do Ethical Hackers Earn Thousands of Dollars by Reporting Bugs?
- Date August 3, 2021
When reading cybersecurity blogs or news, we have all come across the term “Bug Bounty”. A bug bounty is simply a program run by many corporate companies to find the flaws in their systems.
To understand why a bug bounty program is run, we must first know who participates in bug bounty programs. Most of the people participating and reporting bugs are white hat hackers.
White hat hackers are people who find bugs and report them to the companies so that these bugs cannot be exploited by black hat hackers. Black hat hackers are people who break into computer systems for their own financial gain, personal thrill, or other malicious purposes.
When white hat hackers report these bugs or flaws to companies, they are rewarded with money, which is called a “bounty”. Bug bounty programs were created long ago; the first dates back to 1983.
Hunter & Ready created the first bug bounty program for their Versatile Real-Time Executive, a real-time operating system. They offered a Volkswagen Beetle to anyone who reported a bug. A decade later, Netscape Communications named its program “Bugs Bounty”.
A Nuix report said that nearly 71% of hackers say they can find flaws and exploit them in less than 12 hours. Many organizations are aware of these black hat hackers and their exploitation skills. Bug bounty programs help organizations secure themselves against black hat hackers. Organizations turn to crowdsourced platforms like HackerOne, Bugcrowd, Synack, etc. for these bug bounty programs.
How Do Ethical Hackers Make Thousands of Dollars by Reporting bugs?
To understand why companies pay ethical hackers, we must look at the cyber losses of 2018. A 2018 report stated that nearly $600 billion USD worth of loss is faced every year due to cyber-crime.
These losses are due to the poor implementation of security protocols in websites and networks. Every company should follow the OWASP standards when building its web application. OWASP stands for Open Web Application Security Protocols.
It consists of a list of the top 10 vulnerabilities that must be addressed when implementing a web application. The vulnerabilities of 2020 are listed below:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access control
- Security misconfigurations
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with known vulnerabilities
- Insufficient logging and monitoring
Injection
An injection vulnerability is a flaw in a web app that allows attackers to inject malicious code into websites and systems.
These vulnerabilities are caused by incorrect input validation. The common types of injection are:
- SQL injection
- LDAP injection
- Command injection
- XPath injection
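The difference between an injectable query and a safe one, as an added example that is not part of the original post. It uses Python's standard-library sqlite3 module, a constructed two-row users table (sample data, not from the article), and the textbook tautology string only to show how concatenated input changes the query's structure; the parameterized version treats the same input as plain data.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the input is concatenated into the SQL text, so a quote
    character inside it ends the string literal and the rest becomes SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: a bound parameter is always sent as a value, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal name and with the classic tautology
    string, returning row counts so the difference is visible."""
    conn = make_db()
    normal = "alice"
    tautology = "' OR '1'='1"  # used here only to expose the defect in the vulnerable query
    return {
        "vulnerable_normal": len(find_user_vulnerable(conn, normal)),
        "vulnerable_injected": len(find_user_vulnerable(conn, tautology)),
        "safe_normal": len(find_user_safe(conn, normal)),
        "safe_injected": len(find_user_safe(conn, tautology)),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns every row for the tautology input because the query became `WHERE username = '' OR '1'='1'`; the parameterized lookup returns nothing, because no user is literally named `' OR '1'='1`. The same principle (keep data out of the grammar) applies to LDAP, shell and XPath queries.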
Broken Authentication
This is a critical flaw in a computer application that lets attackers guess default passwords or brute-force a list of default passwords, thereby gaining access to the server and taking control of it. This results in data loss, data exposure, or other serious crimes. Attackers usually guess session IDs, default passwords, encryption keys, and other security protocols of a client-server application.
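The controls that close off the guessing described above, as an added example that is not part of the original post: a small credential store (my own illustration, not any product's code) that rejects passwords from a constructed default-password list, hashes with a per-user salt, locks an account after a fixed number of consecutive failures, compares hashes in constant time, and issues session IDs from a cryptographic random source rather than a guessable counter. The password list, round count and lockout threshold are assumed values.

```python
import hashlib
import hmac
import os
import secrets

# Constructed denylist of default/weak passwords; a real deployment would check a
# much larger breached-password list.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme"}
MAX_FAILURES = 5          # consecutive failures before the account is locked (assumed)
PBKDF2_ROUNDS = 100_000   # assumed work factor


class Authenticator:
    """Minimal credential store with salted hashing, a lockout counter and
    unpredictable session identifiers."""

    def __init__(self) -> None:
        self._users = {}      # username -> (salt, pbkdf2 hash)
        self._failures = {}   # username -> consecutive failed attempts
        self._sessions = {}   # session id -> username

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username: str, password: str) -> None:
        """Refuse default passwords so the account is not guessable from a wordlist."""
        if password.lower() in DEFAULT_PASSWORDS:
            raise ValueError("password is on the default/weak password list")
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(salt, password))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        if self._failures.get(username, 0) >= MAX_FAILURES:
            return "locked"   # brute force stops paying off after MAX_FAILURES tries
        record = self._users.get(username)
        if record is None:
            # Hash anyway so an unknown username costs the same time as a wrong password.
            self._hash(b"\x00" * 16, password)
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(stored, self._hash(salt, password))
        if ok:
            self._failures[username] = 0
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return "denied"

    def new_session(self, username: str) -> str:
        """Issue a random, unguessable session id (never a counter or a hash of the name)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "correct horse battery staple")
    print([auth.login("alice", "guess") for _ in range(MAX_FAILURES + 1)])
```

After `MAX_FAILURES` wrong guesses the account answers "locked" even to the right password, which is what makes a dictionary of default passwords useless against it; a production system would additionally rate-limit per source address and alert on the lockout.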
Sensitive Data Exposure
Many websites store sensitive information of customers such as credit card details, tax ID, social security numbers, and other credentials.
If an attacker takes control of a web server holding this much sensitive information, they can exploit these weaknesses and obtain financial gain by any means. This is called Sensitive Data Exposure.
XML External Entities
This is similar to an SQL injection attack. Here an XML entity is exploited because XML input is poorly validated. The attacker feeds the XML parser malicious input, which the parser processes without validation and which references a file present on the server. This may let an attacker perform a DoS, CSRF, SSRF, or much more.
Broken Access Control
Broken Access Control is a type of vulnerability where a user can access sensitive information that they should not have access to. This flaw arises when authorization checks are not defined properly.
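What a missing authorization check looks like next to a correct one, as an added example that is not part of the original post. The invoice records are constructed sample data and the role name "admin" is an assumption; the point is that the hardened lookup checks ownership of the specific record, not merely that someone is logged in.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed sample records (not from the article).
INVOICES = {
    1: Invoice(1, "alice", 120.0),
    2: Invoice(2, "bob", 75.5),
}


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Optional[Invoice]:
    """Vulnerable: verifies that *someone* is logged in, but never that this
    caller may see this particular record, so any user can walk the id space."""
    if not current_user:
        return None
    return INVOICES.get(invoice_id)


def get_invoice_safe(current_user: str, invoice_id: int,
                     roles: FrozenSet[str] = frozenset()) -> Optional[Invoice]:
    """Hardened: object-level authorization. A record the caller does not own is
    reported exactly like a record that does not exist, so the endpoint cannot be
    used to enumerate other users' invoice ids."""
    if not current_user:
        return None
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return None
    if invoice.owner == current_user or "admin" in roles:
        return invoice
    return None


if __name__ == "__main__":
    print("vulnerable:", get_invoice_vulnerable("bob", 1))
    print("safe:", get_invoice_safe("bob", 1))
```

Returning `None` for both "not found" and "not yours" is a deliberate choice: a distinct "forbidden" response would confirm that the id exists. The authorization rule lives in the data-access function itself, so a new endpoint cannot forget to apply it.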
Security Misconfiguration
Security Misconfiguration occurs when the security settings, patches, configurations, and others are set as default or misconfigured. This vulnerability allows an attacker to take complete control of the website and use it for malicious purposes. An attacker can also retrieve sensitive information from the compromised systems.
Cross-site Scripting (XSS)
This vulnerability is exploited when an attacker inserts JavaScript code into a website and causes the malicious code to execute. There are three types of XSS:
- Stored XSS
- Reflected XSS
- DOM based XSS
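The stored and reflected cases side by side, as an added example that is not part of the original post. It uses only Python's standard-library html module and a constructed in-memory comment list; the vulnerable renderers paste user text straight into the page, while the hardened ones encode on output so markup in a comment or a query parameter is displayed rather than interpreted.

```python
import html

# Constructed comment store standing in for a database table.
COMMENTS = []


def post_comment(text: str) -> None:
    """Store the input as submitted; safety is decided at output time, where the
    HTML context is known."""
    COMMENTS.append(text)


def render_comments_vulnerable() -> str:
    """Stored XSS: raw comment text becomes part of the page for every visitor."""
    return "".join("<li>" + c + "</li>" for c in COMMENTS)


def render_comments_safe() -> str:
    """Hardened: HTML-encode on output so '<', '>', '&' and quotes are shown literally."""
    return "".join("<li>" + html.escape(c, quote=True) + "</li>" for c in COMMENTS)


def render_search_reflected(query: str, safe: bool) -> str:
    """Reflected case: a query parameter echoed back inside an attribute value.
    quote=True (the default) is what protects the attribute context; an encoder
    that leaves '"' untouched would let the input close the attribute."""
    shown = html.escape(query, quote=True) if safe else query
    return '<input name="q" value="' + shown + '">'


if __name__ == "__main__":
    post_comment("<b>hello</b>")
    print(render_comments_vulnerable())
    print(render_comments_safe())
```

Encoding must match the context (element body, attribute, URL, JavaScript string); `html.escape` covers the first two. A Content-Security-Policy header that disallows inline scripts is the usual second layer, since it limits what an encoding mistake can execute.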
Insecure Deserialization
Websites convert an object into a file or data store, which is called serialization; the reverse is called deserialization.
Insecure deserialization occurs when an attacker supplies malicious input that is deserialized into an object and then executed by the server.
This attack can lead to denial of service or arbitrary code execution. The most commonly used form is the conversion of data into structured text. Frequently used structured-text formats are XML, JSON, and YAML.
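Two defensive patterns for deserialization, as an added example that is not part of the original post. The first follows the restricted-unpickler recipe from Python's own pickle documentation: overriding `find_class` to refuse every global reference removes the mechanism by which a pickle stream imports and calls code. The second uses a data-only format (JSON) and validates the fields explicitly before rebuilding the object. The sample streams and the order schema are constructed for the demonstration.

```python
import collections
import io
import json
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global (module.name) reference. Plain scalars,
    lists and dicts still load; anything that would resolve a class or function
    from the stream is rejected instead of imported."""

    def find_class(self, module: str, name: str):
        raise pickle.UnpicklingError(f"global reference {module}.{name} is not allowed")


def loads_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the restricted unpickler refuses the stream."""
    try:
        loads_restricted(data)
    except pickle.UnpicklingError:
        return True
    return False


def sample_streams() -> dict:
    """Constructed inputs: a harmless dict, and an object whose pickle carries a
    global reference (collections.OrderedDict) the way any class instance does."""
    return {
        "plain": pickle.dumps({"item": "widget", "qty": 3}),
        "with_global": pickle.dumps(collections.OrderedDict(a=1)),
    }


def load_order(text: str) -> dict:
    """JSON alternative: parse a data-only format, then validate every field and
    rebuild the object from validated values only."""
    obj = json.loads(text)
    if not isinstance(obj, dict):
        raise ValueError("order must be a JSON object")
    item, qty = obj.get("item"), obj.get("qty")
    if not isinstance(item, str) or not item:
        raise ValueError("item must be a non-empty string")
    if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
        raise ValueError("qty must be a positive integer")
    return {"item": item, "qty": qty}


def is_valid_order(text: str) -> bool:
    try:
        load_order(text)
    except (ValueError, json.JSONDecodeError):
        return False
    return True


if __name__ == "__main__":
    streams = sample_streams()
    print(loads_restricted(streams["plain"]), is_rejected(streams["with_global"]))
```

The same idea applies to the formats the paragraph names: YAML should be loaded with a safe loader rather than one that constructs arbitrary objects, and XML parsers should have external entity resolution turned off.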
Using Components with Known Vulnerabilities
This vulnerability is exploited by almost all hackers. Developing a web application involves using open-source libraries and components.
Most developers do not see the vulnerabilities that already exist in their components. Hackers use freely available automated scripts to find those vulnerabilities in the web application.
This makes the job easier for threat actors, and it can lead to the system being compromised more easily than one might imagine.
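The defender's counterpart to those automated scripts is a dependency audit, shown here as an added example that is not part of the original post. It matches pinned package versions from a requirements file against an advisory list; the advisory identifiers, package names, versions and the `name==version` file format are all constructed placeholders standing in for a real vulnerability feed such as the one a package-manager audit command queries.

```python
from typing import List, Tuple

# Constructed advisory data: package -> [(advisory id, first fixed version)].
# Placeholder ids and packages, not real CVEs or real projects.
ADVISORIES = {
    "examplelib": [("ADV-PLACEHOLDER-0001", "2.4.1")],
    "otherlib": [("ADV-PLACEHOLDER-0002", "1.0.5"), ("ADV-PLACEHOLDER-0003", "1.2.0")],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric dotted versions only; real tools use a PEP 440 / semver parser
    so that pre-release and post-release tags compare correctly."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Parse 'name==version' lines, ignoring blank lines and '#' comments."""
    pinned = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==")
        pinned.append((name.strip().lower(), version.strip()))
    return pinned


def audit(requirements_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (package, installed, advisory, fixed_in) for every pinned package
    whose installed version is older than an advisory's fix."""
    findings = []
    for name, version in parse_requirements(requirements_text):
        for advisory_id, fixed_in in ADVISORIES.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, advisory_id, fixed_in))
    return findings


# Constructed requirements file for the demonstration.
SAMPLE_REQUIREMENTS = """\
examplelib==2.3.0
otherlib==1.1.0   # fixed for the first advisory, still exposed to the second
safelib==9.9.9
"""


if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUIREMENTS):
        print("%s %s: %s, upgrade to %s" % finding)
```

Running this in continuous integration, with the advisory data refreshed from a real feed, turns "components with known vulnerabilities" from something an attacker's scanner finds first into a failing build the team sees first.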
Insufficient Logging and Monitoring
Every enterprise uses tools to log and monitor what happens on its network. However, if it is not able to track down and monitor malicious activity on that network, it could face serious trouble afterwards. Sometimes the tools are not updated to track every single log.
An attacker may take advantage of these gaps and compromise the network easily.
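What the monitoring side of this looks like in practice, as an added example that is not part of the original post: a sliding-window detector run over a few constructed authentication log lines (the `timestamp RESULT user=… src=…` format, the addresses and the threshold are all assumptions). It flags a source address that produces repeated login failures in a short window, and it also counts lines it could not parse, because a collector that silently drops malformed records is exactly the "not tracking every single log" gap the paragraph describes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample log in an assumed simple format (not real log data).
SAMPLE_LOG = """\
2021-08-03T10:00:01 LOGIN_FAIL user=admin src=10.0.0.5
2021-08-03T10:00:07 LOGIN_FAIL user=root src=10.0.0.5
2021-08-03T10:00:12 LOGIN_OK user=alice src=10.0.0.9
2021-08-03T10:00:15 LOGIN_FAIL user=admin src=10.0.0.5
2021-08-03T10:00:21 LOGIN_FAIL user=test src=10.0.0.5
garbage line the collector could not format
2021-08-03T10:00:30 LOGIN_FAIL user=admin src=10.0.0.5
2021-08-03T10:05:00 LOGIN_FAIL user=bob src=10.0.0.9
2021-08-03T10:40:00 LOGIN_FAIL user=bob src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    match = LINE_RE.match(line)
    if not match:
        return None
    return {
        "ts": datetime.fromisoformat(match["ts"]),
        "result": match["result"],
        "user": match["user"],
        "ip": match["ip"],
    }


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> Tuple[List[tuple], int]:
    """Return (alerts, unparsed). alerts holds one (ip, first_failure, last_failure)
    per source that produced >= threshold failures inside the sliding window;
    unparsed counts lines the parser could not read, a visibility gap that
    deserves its own alert."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    alerted = {}
    unparsed = 0
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            unparsed += 1
            continue
        if event["result"] != "LOGIN_FAIL":
            continue
        queue = recent[event["ip"]]
        queue.append(event["ts"])
        while queue and event["ts"] - queue[0] > window:
            queue.popleft()   # drop failures that fell out of the window
        if len(queue) >= threshold and event["ip"] not in alerted:
            alerted[event["ip"]] = (event["ip"], queue[0].isoformat(), event["ts"].isoformat())
    return list(alerted.values()), unparsed


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

The two failures from 10.0.0.9 are thirty-five minutes apart and never meet the threshold, while the five failures from 10.0.0.5 within half a minute do; the unparsed count of one is the signal that the pipeline itself needs attention.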
The vulnerabilities described above make up the OWASP top 10. Ethical hackers find these vulnerabilities in organizations and report them to the respective developers.
Where there are black hat hackers trying to compromise systems with their skills, there are also white hat hackers helping to secure those systems. They are usually awarded bounties based on the severity of the vulnerability they disclose.
Smartphones, too, have become unavoidable. Vulnerabilities found in Android are reported directly to Google.
Android vulnerabilities are paid more than web application ones, since a single vulnerability can affect millions of Android devices. Many organizations, including Facebook, Twitter, Google, and other tech giants, concentrate more on securing Android.
According to a HackerOne report, a total of $40 million was paid in bug bounties in 2019, compared to $11 million in 2018. Google's bug bounty program paid out $21 million USD during the first quarter of this year, compared to $6.5 million last year. Like Google, Facebook paid $2.2 million USD in bug bounties in 2019. The highest single bounty, $100,000 USD, was paid by Apple to Bhavuk Jain, an Indian security researcher. More than 10,000 companies sponsor these crowdsourced bug bounty programs.
The amount spent on bug bounty programs is increasing massively every year. This may also attract threat actors to enhance their skills and penetrate vulnerable networks and systems.
Helping organizations secure themselves against attacks is not just about money; a true ethical hacker does it to make the world more secure.