Bug bounty: get paid to chase bugs!

How many times have we run into a bug while using a piece of software? Many times, surely. It may seem strange, then, that there are activities known as bug bounties that promise to pay money to whoever finds bugs in specific software. At first glance it looks absurd: why would anyone pay to have bugs in their own software reported to them? In most cases the answer lies in cybersecurity.

Cybersecurity is in fact a delicate issue, and one that has become much more pressing in recent years. It is a problem that affects everyone, from small businesses to entire nations. It is no longer a problem tied only to the technology itself; it has also become a problem tied to the human beings who build and use that technology.


This explains why companies such as Mozilla, Facebook, Yahoo!, Google, Reddit and Microsoft, among others, run bug bounty programs that encourage outside researchers to find bugs in their software.

What is the connection between bugs and cybersecurity?

It is legitimate to wonder what the link between bugs and cybersecurity is. Put simply: in most cases a bug is a defect in the code of the software in question, and a defect can turn into a vulnerability, which in turn can be used to build an exploit, undermining the security of the software itself.

Here we begin to see how long the chain of events behind the use of an exploit is, from the single line of code that makes it possible to the attack itself. From this it follows that the goal of a bug bounty campaign is not to eliminate 100% of the vulnerabilities present in a system, which is unrealistic, but to reduce the risk of exposure to a cyber attack.

Can anyone be a bug hunter? Are there any platforms to participate in these programs?

The answer to both questions is, of course, yes! Companies genuinely need people to work on this very specific task, and the work is practically never finished. To make things easier, there are several platforms that let you browse and take part in programs (sometimes even in a "playful" way, with leaderboards), such as Bugcrowd.

An example is the ExpressVPN bug bounty program. Why does this company run such an activity? Most likely because of its security exposure: reading the program description, we find the explanation that ExpressVPN manages thousands of VPN servers and builds multi-platform VPN applications for all major desktop and mobile operating systems, as well as for routers and browser extensions.

Managing thousands of servers and building many cross-platform applications means the bugs that could be used to attack the company could number in the thousands. A company that publishes such a program is usually quite confident in the quality of its software and knows that finding bugs that amount to real vulnerabilities will be a demanding task.


This is why the rewards are usually quite high, but it is necessary to check carefully what the bug bounty program you are reading accepts and what the company requires in order to review and possibly accept your work. Examples of vulnerabilities accepted by ExpressVPN's bug bounty program are:

  • Unauthorized access to a VPN server or remote code execution
  • Vulnerabilities in our VPN server that result in the loss of real client IP addresses or the ability to monitor user traffic

The minimum requirement for submitting a bug is proof of impact on user privacy. This means demonstrating unauthorized access, remote code execution, loss of real client IP addresses, or the ability to monitor unencrypted user traffic.

Bugcrowd shows some statistics for each program you view. For the ExpressVPN program, for example, it pays between $150 and $2,500 per vulnerability found. The review period is roughly 1 day, 71 submissions to this program have been rewarded so far, and the average payout is $600.

The birth of the expression "bug bounty"

The first well-known bug discovery reward appears to date from 1983, for the Versatile Real-Time Executive operating system (a real-time operating system suited to system-on-chip designs and classic embedded boards). Anyone who found and reported a bug would receive a Volkswagen Beetle in return.

We have to wait more than a decade, however, to see the term "bug bounty" officially used for the first time. That was in 1995, when Jarrett Ridlinghafer, a technical support engineer at Netscape Communications Corporation, coined the expression.

Ridlinghafer noticed that Netscape had many product enthusiasts, some of whom could even be described as Netscape browser fanatics. Investigating the phenomenon in more detail, he discovered that many of these enthusiasts were in fact engineers who were fixing bugs in the product themselves and posting the fixes or workarounds, either in the online news forums created by Netscape Technical Support or on the unofficial "Netscape U-FAQ" website, which listed all known browser bugs and features, together with instructions for workarounds and fixes.

The article "Bug bounty: getting paid to hunt bugs!" was originally published on Tech CuE | Close-up Engineering.