Bug Bounty and Cybersecurity in 2020

Hacking is rather seen as dangerous or in a bad light. But many hackers make their living out of using their hacking skills for ethical purposes.

Bug Bounty refers to the programs organized by companies, software developers and websites to find and report bugs in exchange for recognition and compensation.

Bug Bounty Industry

Bug Bounties are becoming popular and about $40 million are pour into the program by the industries per year. Bug Bounties saw a rise in the year 2019 when Hackerone(a company bringing ethical hackers and organizations on the same platform) data revealed that companies like IBM, Google, Toyota, Goldman Sachs, Dropbox and General Motors paid about $45 million in bounties, which was more than all the amount given combined before 2019. The organization also witnessed the number of hackers doubling from 300,000 to 600,000 from 2018 to 2019.

There are a lot of platforms available for this billion-dollar industry. Bugcrowd is a platform that lists the bug bounty programs for different companies and invites hackers from around the world to find vulnerabilities in return for suitable incentives, mostly crash prizes.

Bug Bounties for some is a hobby while some rely on it for a living. Over the past decade, many hackers have made a fortune, while many others have earned a pretty good amount. According to HackerOne, about 181,000 vulnerabilities have been reported since 2012, amounting to more than $100 million in rewards. On average, a bug report rewards $975 and went up to $4000 this year.

This year, an Indian hacker, Bhavuk Jain, bagged $100,000(75 lakh rupees) by reporting a critical bug in apple. In another incident, a 22-year-old boy, Zonal Sougaijam, from Manipur(India) found a bug in Whatsapp’s video call feature, which led to his winning a bounty of $5000.

Impact on Cybersecurity

“To tackle a thief a cop has to think like a thief.” This is true in the case of cybersecurity too.” To tackle a hacker, a hacker is needed.” Bug Bounty does the exact. These programs invite hackers from around the globe to exploit software and report vulnerabilities to the companies. No matter how strong a development team or security team a company has, there is always a chance of loopholes and bug bounty help reduce the loops further. Many tech companies have benefited so far with the help of bug bounty programs, which helped companies secure confidential data and billions of dollars and not to mention the face value.

Though highly effective, these programs do not eliminate the need for an in-house security team and step-by-step procedures required to safeguard software.

Apart from it, bug bounty poses a challenge for the companies in setting the bounty scope, proof of hack, information sharing methods, and rewarding schemes. It also exposes the vulnerability found at risk to be exploited before getting a fix.

Safely reporting a bug to companies is in itself a task in order to prove it a valid entry and actually getting a reward. Facebook has its own bug bounty program where we just need to fill up a form explaining them about the bug, told Zonal Sougaijam in an interview with The Quint.

Test Cases

A recent study by Hackerone on the British Airways data breach exposing and stealing data of about half a million customers, which led to a fine of $231 million by the Information Commissioner Office(ICO) in the United Kingdom, was accessed via a third party JavaScript vulnerability which carries a value of not more than $10,000 on a bug bounty program.

During a bug hunt in Apple sign-in feature, which came out to be a major vulnerability, Bhavuk Jain found that the newly rolled out feature of sign-in with apple(similar to sign in with Google, Facebook), an account could be accessed by just knowing their apple id. The bug secured him a fortune while he secured the data of millions of Apple users from getting exposed.

Many companies do not participate in bug bounty programs. They even don’t have a vulnerability disclosure policy, restricting the independent bug bounty hunter from discussing the vulnerability with the security community. From the Forbes list of 2000 companies, 93% do not disclose their vulnerability.

How to get started with Bug Bounty

Before practicing and being an expert of the tools, a thorough knowledge about networking, protocols hardware and I/O is needed to understand the working of applications, different systems and data transfer methods over the internet.

Before starting your bug bounty journey, the last step is to take real-time labs to get good hands-on practice.

An ocean of free resources exists on the internet. Bug bounty websites like Bugcrowd, Hackerone, Intigriti, Cobalt provide many test cases, webinars and interviews to gain knowledge. Even government programs are getting popular nowadays, providing Bug Bounty programs on apps like Arogya Setu (app under Indian government) with a cash prize totaling 400,000 rupees. Many professional certification courses help in starting a career in bug bounty. Apart from it, which is personally recommended is to follow the youtube channels of actual bounty hunters who provide an insight into the life of bug bounty hunters. HackerSploit, Nahm Sec, Stok are some excellent channels to start with.