Approaching Bug Bounties with an Ethical Mindset

The term ‘Bug Bounty’ may be an unknown term to you, but for some it may spawn images of Star Wars bounty hunters; rest assured it has nothing to do with wet work or killing. The phrase was coined for the modern age, which sees companies having open invitations for anyone to try to find security flaws in their products and systems. Upon discovering a flaw, it is up to the individual to liaise with the company in question to responsibly disclose their findings in a secure and ethical manner.
Now this all sounds well and interesting but there are very important things that differentiate bug hunting versus hacking. Bug hunting is usually done so when a company has an open agreement to have their systems tested. Provided you follow set terms and conditions of what is in and is not scope. Approaching all testing and hunting with an ethical mind-set is key here, as some may be inclined to find bugs and actively exploit these to extort companies for money, which is illegal and must never be done, as you will get in SERIOUS TROUBLE.
Responsible disclosure is one of the most important processes in reporting vulnerabilities to companies. Whether that be, via a bounty scheme or similar, as it ensures that issues are communicated privately and not openly discussed with the wider community. Subsequently, once agreed by the company in question, either they will publicly thank the parties involved in the submission, or allow the submitters to openly discuss their research and subsequent vulnerabilities/disclosures.
Ok, but what happens when a company does not have a bounty scheme? Similarly, how do I even tell if a company has a bounty scheme?
Checkout Bug bounty sites such as hackerone (https://hackerone.com) and bug crowd (https://bugcrowd.com) for information on participating companies.
Email company requesting a PGP key or security contact to report your findings responsibly.
HOWEVER, make sure that before you do anything that you acquire approval from the company in question. Failure to do so risks you breaching the Computer Misuse Act 1990 and is a criminal offence.
I, myself have found several vulnerabilities in a multitude of companies, responsibly disclosed these and subsequently been rewarded in various forms. This process is a great kickstarter for learning and adds massive value to your CV, especially being able to say that you have submitted findings to companies responsibly. Adding to rewards from companies, what can often happen instead of monetary rewards a company will put your name or ‘hacker handle’ in their hall of fame for others to see and admire.
Speaking from personal experience having bug bounties on my CV made it much more appealing to my current employer who asked me to talk through some of my findings in interviews
The main points to keep in mind when approaching both bug bounties and testing is having your ethics in check. If you discover something that you think could be an issue, even if not that serious, always report back to the client or company you are testing, as not doing so could have negative repercussions later on.
Right, so what does the process of finding bugs actually look like? Here is an example of reporting a cross-site scripting (XSS) vulnerability:
When first starting off, I began looking at different XSS payloads, starting with the basics and move more towards the advanced techniques. Fairly early in I noticed that it was possible to append JavaScript to the end of a URL, which was tested using a payload of: alert(‘BugBountyExample’). This could be used by an attacker or malicious individual to include more malicious JavaScript that could have much worse consequences.
This was reported to the company as per the responsible disclosure process outlined, including all details of the testing performed and the relevant test results.
As can be seen in the screenshot above, the payload is launched upon rendering the page via the URL. This is cross site scripting in a very basic form. For more information, have a look at the OWASP website.
The benefit of reporting vulnerabilities to companies via sites like hackerone is that the holes tend to be patched quicker and recognised as valid issues, resulting in successful disclosure and remediation. It makes your life a lot easier and allows you to track the process of the issue, and companies will usually interact and let you know the progress of the submission. Often they will also request you to try the vulnerability again upon them remediating it to double check it has been fixed prior to marking it as resolved.
The first example was a real site and a valid vulnerability classed as low severity hence the $50 pay out.
Moving forward, to reemphasise further information on bug bounties can be found by browsing both Hackerone and Bug Crowd as main sources however there are other programs available from using search engines to discover these. Most large name brand companies have bounty programs for their products and with little effort, information on the scope of these can be found on their sites respectively. Not only are they financially rewarding but bounties can also be very fun. I have found that I have learned a lot from doing them in the past and they have opened many doors in day-to-day pen-testing life.
To learn more about discovery of web application vulnerabilities I highly recommend you check out OWASP for free information or if you are more traditional and prefer books, check out the Web Application Hackers Handbook 2.
On a final note, understand that hacking and bug bounty hunting are not the same, disclosure must be handled responsibly as if not done correctly will land you in serious trouble, also understand that companies without bounty programs can take legal action against you if you attack their systems, even if you mean no harm. The bottom line is do not be stupid, do not hold companies to ransom and be responsible when finding and disclosing vulnerabilities.