Bug bounty programs give organizations a proven way to focus outside attention on their information security. Through these programs, researchers routinely look for security flaws in an organization's servers or applications. But could current laws put researchers and organizations in a legal “grey area”? And does enacting a bug bounty program replace a professional penetration test?
Bounty programs benefit both the organization and the researcher: the organization is made aware of flaws, and the researcher receives public recognition and, in many cases, a financial reward. The public recognition matters to many researchers because these bounties are typically added to a researcher’s resume to win further contracts. While these programs can benefit both sides, organizations should not rely on them alone. A bug bounty program will expose flaws in public-facing code, primarily on websites and applications. It does not replace the need for professional security testing, which also covers internal systems and networks.
How does a bug bounty program work?
When an organization implements a bug bounty program, it will usually set up an information page for researchers. This page lays out the scope of the program: which servers and applications may be tested, which servers are off limits, and the types of reports the organization will accept. Many organizations prohibit the use of automated scanning tools that generate a large amount of traffic against their servers. Remember that a bug bounty program is not the same as a penetration test. The organization is looking for exploitable security flaws but is not expecting a full-scale attack on its systems and servers.
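Scope is the part of a program page researchers most often get wrong, so the following is an added example (not code from the original post or from any bounty platform) of how a scope page can be turned into a mechanical check before any testing starts. The host patterns, the program name, and the rule that an out-of-scope match always wins over an in-scope wildcard are assumptions constructed for this example; real programs publish their own rules.

```python
import fnmatch
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class ProgramScope:
    """Machine-readable version of a bug bounty program's scope page.

    Patterns use shell-style wildcards, e.g. "*.example.com".
    """

    name: str
    in_scope: list = field(default_factory=list)
    out_of_scope: list = field(default_factory=list)
    automated_scanning_allowed: bool = False

    @staticmethod
    def host_of(target: str) -> str:
        """Reduce a URL or bare host[:port] to a lower-case hostname."""
        if "://" in target:
            host = urlparse(target).hostname or ""
        else:
            host = target.split("/")[0].split(":")[0]
        return host.lower().rstrip(".")

    @staticmethod
    def _matches(host: str, patterns: list) -> bool:
        return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)

    def check(self, target: str) -> str:
        """Return "out-of-scope", "in-scope" or "not-listed" for a target.

        Exclusions are evaluated first so that an explicit carve-out
        (e.g. a payments host) beats a broad in-scope wildcard.
        Anything the program page does not mention is "not-listed",
        which a researcher should treat as "ask before touching".
        """
        host = self.host_of(target)
        if self._matches(host, self.out_of_scope):
            return "out-of-scope"
        if self._matches(host, self.in_scope):
            return "in-scope"
        return "not-listed"


# Constructed scope page for a fictional program; not a real organization.
EXAMPLE_SCOPE = ProgramScope(
    name="Example Corp Web Program (constructed)",
    in_scope=["*.example.com", "app.example.org"],
    out_of_scope=["payments.example.com", "*.corp.example.com"],
    automated_scanning_allowed=False,
)


def triage(targets, scope=EXAMPLE_SCOPE):
    """Classify a list of candidate targets against one program's scope."""
    return {t: scope.check(t) for t in targets}


if __name__ == "__main__":
    candidates = [
        "https://api.example.com/login",
        "payments.example.com",
        "hr.corp.example.com:8443",
        "example.com",
        "example.net",
    ]
    for target, verdict in triage(candidates).items():
        print(f"{verdict:13s} {target}")
```

The check is deliberately conservative: a bare `example.com` is "not-listed" because `*.example.com` only covers subdomains, and a host that matches both lists is reported as out of scope. Pairing a check like this with the program's stated ban on automated scanning keeps the work inside what the organization has actually authorized.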
Once a vulnerability or flaw is discovered, the researcher submits a comprehensive vulnerability report to the organization. These reports contain step-by-step instructions for reproducing the flaw and recommendations for patching it. If the organization accepts the report, the researcher will usually receive public acknowledgement of their work and/or a bounty payout.
Kevin Finisterre and DJI
In 2017, security researcher Kevin Finisterre found himself in a potentially devastating legal situation after submitting a bug bounty report to DJI, known for its Phantom line of quadcopters. Shortly after DJI announced its bug bounty program, Finisterre found private keys for DJI’s SSL certificate publicly available in source code the company had released on GitHub. This exposure allowed him to see personal data of DJI users, including photos and flight logs. Some of this information came from users with government domains.
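The root cause in this case was a private key committed to a public repository, which is a defect an organization can catch before it ships. The following is an added example, not code from DJI, Finisterre or the original post, of a small repository scan that flags PEM private-key material wherever it appears in a tree. The sample files and the key-like text are constructed for this example (the "key" is filler, not real key material), and the PEM header variants matched are the common OpenSSL and OpenSSH ones.

```python
import re
import tempfile
from pathlib import Path

# PEM armour that marks private-key material. Certificates and public keys
# use different BEGIN lines and are deliberately not matched: they are
# meant to be distributed.
PRIVATE_KEY_HEADER = re.compile(
    r"-----BEGIN (?P<kind>(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
)

# Directories that are never worth scanning.
SKIP_DIRS = {".git", "node_modules", "__pycache__"}


def find_private_keys(text: str):
    """Return [(line_number, kind), ...] for every private-key header in text.

    Only the header line is reported so that the key body itself is never
    copied into a log or CI output.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = PRIVATE_KEY_HEADER.search(line)
        if match:
            findings.append((lineno, match.group("kind")))
    return findings


def scan_tree(root) -> dict:
    """Walk a directory and map relative paths to their private-key findings."""
    root = Path(root)
    results = {}
    for path in root.rglob("*"):
        if not path.is_file() or SKIP_DIRS & set(path.relative_to(root).parts):
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        hits = find_private_keys(text)
        if hits:
            results[path.relative_to(root).as_posix()] = hits
    return results


# Constructed sample content. The "key" below is placeholder text with the
# right armour and no cryptographic value.
SAMPLE_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAconstructedPLACEHOLDERnotArealKey0000000000000000
-----END RSA PRIVATE KEY-----
"""

SAMPLE_CERT = """-----BEGIN CERTIFICATE-----
MIIBconstructedPLACEHOLDERcertificateBody000000000000000000000000
-----END CERTIFICATE-----
"""


def demo() -> dict:
    """Build a throwaway tree with one leaked key and return the scan result."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "config").mkdir()
        Path(root, "config", "server.pem").write_text(SAMPLE_KEY)
        Path(root, "certs.pem").write_text(SAMPLE_CERT)  # public, should not flag
        Path(root, "README.md").write_text("# Constructed project\n")
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        for lineno, kind in hits:
            print(f"{rel_path}:{lineno}: {kind} found")
```

Run as a pre-commit hook or a CI step over the repository root, a non-empty result is grounds to fail the build and rotate the key, since anything that has reached a shared remote should be treated as disclosed. The scan reports only the header line, so the finding itself does not reproduce the secret.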
Finisterre quickly checked with DJI to see if the servers affected were in the scope of the bug bounty program and was informed that they were. After this confirmation from the company, he began writing the disclosure report to send to them. The report was accepted by DJI, and he was offered a $30,000 bounty, the highest tier the company offered at the time.
Then it all changed
Before he could accept the bounty, DJI sent him a contract. The contract stated that Finisterre was not allowed to discuss any details of the research he had done, nor could he mention that he had done any security research for DJI at all. A contract of this type is clearly designed to silence researchers, and it prevents them from citing the work on a resume to win further contracts.
While NDAs are not unheard of in the research industry, requiring a researcher to deny any involvement at all is highly unusual. The most disturbing part of the contract was that DJI threatened Finisterre with legal action under the Computer Fraud and Abuse Act (CFAA) if he did not agree to its terms. In the end, they let him walk away from the situation on the condition that he delete all data and research notes and forgo the $30,000 bounty offered to him.
Finisterre’s own account of the situation can be read in his write-up, Why I Walked Away From $30,000 of DJI Bounty Money (PDF).
Computer Fraud and Abuse Act (CFAA)
As the CFAA is currently written, it criminalizes unauthorized access without any specific allowance for security research. Because the act does not clearly define “unauthorized access,” researchers could face stiff penalties, including jail time, if charges are brought under it.
These issues have led to several government hearings, the most notable of which was a 2016 Senate panel focusing on bug bounty programs. In this panel, the popular ride-sharing company Uber was drilled with questions regarding its bug bounty program. In one case, panel members referred to one of the company's payouts as “paying ransom to hackers for stolen data.”
Marten Mickos, CEO of the popular bug bounty platform HackerOne, urged reform of the CFAA. He stated that “individuals that act in good faith to identify and report potential vulnerabilities should not be legally exposed.” He went on to urge senators to remove the stiff penalties that could affect white-hat hackers and vulnerability research.
In 2017, Leonard Bailey, senior counsel for the Department of Justice Cybersecurity Unit, described the steps the department was taking to reduce the legal risk to security researchers legitimately participating in bug bounty programs. The full document can be viewed on the Department of Justice’s page. It provides a framework for organizations that are considering any type of bug bounty program.
What does this mean for researchers?
Bug bounty programs remain a successful way for organizations to have white-hat hackers and security researchers examine the security of their systems and applications. According to a report (PDF) from Bugcrowd, a popular bug bounty platform, over $6 million has been paid out to researchers for bug discoveries, which means numerous security flaws continue to be discovered and patched. For researchers, it is a prime way to explore new vulnerabilities while helping organizations at the same time.
But it’s important to pay close attention to the scope and documentation laid out by the organization in question. What is an acceptable action for one organization may be out of scope for another. A good way for researchers to engage in these programs is to use platforms such as Bugcrowd or HackerOne. These provide lists of companies with active bounty programs, lay out the requirements and testing limits in clear, easy-to-understand terms, and allow reporting through the platform itself.
Are bug bounty programs a sufficient substitute for penetration testing services?
While bug bounty programs help organizations stay on top of potential security vulnerabilities, they usually target only websites or specific applications. They usually do not address other systems such as internal computers or network devices. A professional penetration testing service allows for a more comprehensive test, covering websites, web applications, and internal systems and networks. For more information on these offerings, be sure to check out the services that Phoenix Security Labs offers, and schedule a consultation to talk to our security experts about your security needs.