Presented at OWASP AppSecUSA 2011
It's all about scale; how can an organization possibly keep up with a growing number of web applications, features, and supported capabilities with a limited security team? One option that has provided successful results for several companies is a bug bounty program. These programs successfully engage the world community and bring many eyes towards the common good.
This talk will discuss the benefits and risks of a bounty program for web applications. What types of organizations consider starting a bounty? How would an organization start such a program and what should they expect? Is the return worth the effort? How does such a program compete with the black market?
In addition to these topics, we will also discuss the progress, metrics and lessons learned from the Mozilla web application bounty that was launched in December 2010.
2. Agenda
History of Bounty Programs
Mozilla Web Bounty Results
Launching a Web Bounty Program
Common Bounty Concerns
Conclusion
OWASP 2
4. History of Bounty Programs
1995 - Netscape
2002 - iDefense
2004 - Mozilla Firefox
2005 - ZDI
2007 - Pwn2Own
2010 - Google Chromium, Deutsche Post E-Postbrief, Google Web, Mozilla Web, Barracuda
2011 - Hex Rays, Facebook
5. Types of Programs
Open to all - Reported direct to software maker:
- (1995) Netscape
- (2004) Mozilla Firefox
- (2010) Google Chromium
- (2010) Google Web
- (2010) Mozilla Web
- (2010) Barracuda
- (2011) Hex Rays
- (2011) Facebook
Central “Clearing House”:
- (2002) iDefense
- (2005) ZDI TippingPoint
Pre-Approved Teams / Competition:
- (2007) Pwn2Own
- (2010) Deutsche Post E-Postbrief
6. Programs for the Web
Mozilla Web Bounty: $500 - $3000
Google Web Bounty: $500 - $3137
Facebook Security Bounty: Typically $500, paid up to $5000
General Policies:
- Select web sites in scope
- Critical issues
- Paid for new issues (not dupes)
7. Bounty Programs - Why?
User & user data safety is #1
Productive relationship with community
Work directly with researchers
Consistent security at scale is hard
Not competing with black market
9. Mozilla Web Bounty - Scope
‣ Goal: Protect Users
‣ Critical issues such as XSS, CSRF, code injection, authentication flaws
Sites In Scope
- bugzilla.mozilla.org
- *.services.mozilla.com
- getpersonas.com
- aus*.mozilla.org
- www.mozilla.com/org
- www.firefox.com
- www.getfirefox.com
- addons.mozilla.org
- services.addons.mozilla.org
- versioncheck.addons.mozilla.org
- pfs.mozilla.org
- download.mozilla.org
11. Mozilla Web Bounty - Bugs Reported
[Chart: Bugs Reported; labels and values not recoverable from this extraction]
12. Mozilla Web Bounty - Types of Issues Reported
[Chart: Types of Issues Reported; labels and values not recoverable from this extraction]
13. Mozilla Web Bounty - The Reporters
How Many Bugs Are People Submitting?
Number of Bugs Submitted Percentage of Reporters
1 Bug 47%
2-5 Bugs 33%
6+ Bugs 20%
Top 11% of bug finders contribute 56% of bugs
14. Mozilla Web Bounty - What is Submitted
Failure in design patterns - ex: image uploads
Procedural gaps / forgotten servers
Smaller traditional bugs
15. Mozilla Web Bounty - The Bounties
$104,000* Total Paid (since Dec, 2010)
175 Bugs Submitted
64 Qualifying bugs
24 Paid Contributors
* Mozilla Web Bounty, not including Firefox Bounties
18. Mozilla Web Bounty - Benefits
Engages community
Produces many high value bugs
Bounty is not purchasing silence
Security at huge scope
Identifies clever attacks & edge cases
19. Mozilla Web Bounty - Lessons Learned
Initial spike of work load
Prepare necessary teams
Response time & communication is critical
Researchers & directions - not always a perfect match
[Chart on this slide; axis labels and values not recoverable from this extraction]
23. Launching Your Own Web Bounty Program
Bug bounties are an enhancement, not a substitute for any portion of a secure SDLC
24. Bounty Programs - Preparation
Gain developer & team lead support
Check your code
Define clear reporting process
Define scope and types of issues
Build team to respond to reports & establish response time goals
Announce program
Root cause analysis
Learn & adjust
26. Bounty Concerns
Common concerns with web bounty programs
Encourages attackers
Too expensive
Veil of cover for attackers
Bounty program duplicates internal security work
Can’t compete with black market
We’ll address why these concerns aren’t necessarily valid
27. Bounty Concerns - Encourages attackers
Bad guys already attacking you
Without bounty program good guys afraid to test or report
Bounty program enables participants that will help you
28. Bounty Concerns - Too Expensive
Very high value
Compare bounty payout with equivalent 3rd party testing
Provides continual testing
Use individual bugs to identify root cause flaws
What percentage of profit spent on security?
29. Bounty Concerns - Veil of cover for attackers
Goal is to identify flaws, not identify bad guys
One possible deployment:
- Full security controls & active blocking in prod
- Set up public stage for testing with dummy data
- Configure production to actively block attackers
- Stage area could be next revision of code for prod
30. Bounty Concerns - Duplicates Internal Security Work
You don’t know what you don’t know
Identifies process breakdowns
Identifies areas for training in secure SDLC
Another tactic to protect users & critical data
31. Bounty Concerns - Can’t Compete with Black Market
Bounty programs and black market target different audiences
Some people are bad, but many people are good
Many don’t want hassle or questionable ethics/legalities of black market
32. Bounty Concerns - Can’t Compete with Black Market
Black market process:
- Identify critical issue
- Weaponize exploit
- Find buyer on underground market
- Negotiate price
- Give bank account info for wire transfer? Arrange meeting for large cash exchange?
- File appropriate tax returns?
Bug bounty process:
- Identify critical issue
- Report issue to reputable program
- Receive bounty from organization
- Feel happy you’ve helped the world be safer
34. Conclusion
Web Bounty Program works great for Mozilla
Recommend exploring how this may work for you
Leverage lessons learned & evaluate risk/benefit