Recently, the pentesters here at White Oak Security have run into some common frustrations regarding bug hunting on various platforms. These can be broken down into several categories – communication, scope, and recognition.
This post discusses some of those bug bounty frustrations, which I am sure others have run into as well. To preface: the opinions expressed in this post are my own and may not align with those of other individuals in the industry.
Bug Bounty Communication
Security researchers and pentesters who discover a security vulnerability must find a way to communicate it to the vendor. This sounds simple, but it can be a time-consuming process. The following list describes the steps White Oak Security works through to find a proper communication channel:
- Does the vendor have a bug bounty program?
  - Bugcrowd, Synack, HackerOne, etc.
- If found during a client assessment – does the client have any relationship with the vendor?
- Are there any responsible disclosure instructions on the vendor’s website?
- Are any security-related emails discoverable on the website? If not, we use some generic emails such as
- If needed, the Contact or Sales form on the website
- Any social media accounts?
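The "responsible disclosure instructions on the vendor's website" step has a standardized form: a security.txt file (RFC 9116) served at /.well-known/security.txt, which lists Contact URIs in the vendor's order of preference, an Expires date, and often a Policy and an Acknowledgments (hall of fame) link. The following is an added example, not tooling from the original post, that locates and parses such a file and flags the two things that commonly go wrong with them: an expired file (the mailbox may no longer be monitored) and a file copied from another host (its Canonical entry points elsewhere). The sample file and every example.com address in it are constructed for this illustration.

```python
"""Locate and parse a vendor's security.txt (RFC 9116) to find a disclosure contact.

Added example, not White Oak Security's tooling. The sample file below and
every example.com address in it are constructed for this illustration.
"""
from __future__ import annotations

from datetime import datetime, timezone
from urllib.parse import urlsplit

# RFC 9116 locations: /.well-known/ is canonical; the top-level path is the
# legacy fallback that some sites still serve.
SECURITY_TXT_PATHS = ("/.well-known/security.txt", "/security.txt")

# Constructed sample (not a real vendor's file).
SAMPLE_SECURITY_TXT = """\
# Security contact information for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Contact: security-team@example.com
Expires: 2030-01-01T00:00:00.000Z
Policy: https://example.com/disclosure-policy
Acknowledgments: https://example.com/hall-of-fame
Canonical: https://example.com/.well-known/security.txt
"""


def candidate_urls(domain: str) -> list[str]:
    """URLs to try, in order, when looking for a domain's security.txt."""
    return [f"https://{domain}{path}" for path in SECURITY_TXT_PATHS]


def parse_security_txt(body: str) -> dict[str, list[str]]:
    """Map each field name (lower-cased; RFC 9116 names are case-insensitive)
    to its values, in file order.  Comments, blank lines and lines without a
    colon (e.g. a PGP clearsign banner) are skipped instead of raising."""
    fields: dict[str, list[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def is_current(fields: dict[str, list[str]], now: datetime | None = None) -> bool:
    """False if Expires is missing, unparseable or already in the past.
    An expired file is a sign the listed contact may no longer be monitored."""
    expires = fields.get("expires")
    if not expires:
        return False
    try:
        when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
    except ValueError:
        return False
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when > (now or datetime.now(timezone.utc))


def contact_channels(fields: dict[str, list[str]]) -> list[tuple[str, str]]:
    """(scheme, target) for each Contact, preserving file order, which RFC 9116
    defines as the vendor's order of preference.  A bare e-mail address is
    technically invalid but common in the wild, so it is normalised to mailto:."""
    channels: list[tuple[str, str]] = []
    for value in fields.get("contact", []):
        if "://" not in value and not value.startswith(("mailto:", "tel:")):
            if "@" not in value:
                continue  # neither a URI nor an address; nothing usable
            value = f"mailto:{value}"
        scheme, _, target = value.partition(":")
        channels.append((scheme.lower(), target.lstrip("/")))
    return channels


def canonical_matches(fields: dict[str, list[str]], fetched_url: str) -> bool:
    """True unless a Canonical field is present and none of its entries names
    the host the file was fetched from (a copied or stale file)."""
    canon = fields.get("canonical")
    if not canon:
        return True
    host = urlsplit(fetched_url).hostname
    return any(urlsplit(c).hostname == host for c in canon)


if __name__ == "__main__":
    fetched_from = candidate_urls("example.com")[0]
    parsed = parse_security_txt(SAMPLE_SECURITY_TXT)
    print("current:", is_current(parsed), "canonical ok:", canonical_matches(parsed, fetched_from))
    for scheme, target in contact_channels(parsed):
        print(f"  {scheme}: {target}")
```

Fetching is left to the caller so the example runs offline; in practice, try each of `candidate_urls(domain)` over HTTPS, and treat an expired or non-canonical file as a reason to fall back to the other channels in the list above rather than as a dead end.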
Companies are not always receptive to news about security issues in their products or services. Most of this outreach results in radio silence. That is frustrating for a researcher who is trying to relay sensitive information through whatever channel the vendor would prefer.
The biggest takeaway here is to keep trying: exhaust every avenue of contact before posting any details online. Public disclosure of an unfixed issue is the last resort, used only to spread awareness when nothing else has worked.
Bug Bounty Scope
Organizations that enlist the help of bug bounty platforms or run a bug bounty submission process on their own website will often list an "in-scope" section. From a researcher's standpoint, why wouldn't the organization put all of its resources "in scope"? We have run into multiple situations in which we discovered a Server-Side Request Forgery (SSRF) or Insecure Direct Object Reference (IDOR) vulnerability in a very large company's application, only to find that the asset is "out of scope" and the submission is not accepted. This can be SO frustrating!
However, look at it from the organization's standpoint: an overwhelming number of findings, received from many unknown sources, all require some validation effort to confirm their quality. The organization may not have the financial resources to pay the bounties or the headcount to keep up with validation. Still, if a high-risk bug is discovered in an "out of scope" asset, is it any less exploitable?
I would still strongly urge organizations with bug bounty programs to accept "out of scope" submissions (or at least provide a contact form for them). They could be moved to a "review later" queue and worked through during downtime or when in-scope submissions slow down, with the understanding that no reward may be paid for those items.
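Checking scope before investing time (and before submitting) avoids most of this frustration on the researcher's side. The following is an added example, not a tool from the original post, of a small scope checker in the style of a program's scope table: exclusions win over inclusions, a `*.example.com` wildcard covers subdomains at any depth but not the apex, and the target may be given as a bare host, host:port or full URL. The scope definition is constructed and every example.com / example.net name in it is a placeholder.

```python
"""Check a target against a bug bounty program's in-scope / out-of-scope lists.

Added example, not a White Oak Security tool. PROGRAM_SCOPE is a constructed
scope table; the example.com / example.net names are placeholders.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed scope definition in the style of a program's scope table.
# Entries are hostnames or '*.' wildcards; exclusions take precedence.
PROGRAM_SCOPE: dict[str, list[str]] = {
    "in": ["*.example.com", "example.com", "api.example.net"],
    "out": ["legacy.example.com", "*.internal.example.com"],
}


def hostname_of(target: str) -> str:
    """Accept a bare host, host:port or full URL and return the lower-cased host."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit treat it as a network location
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"no hostname in {target!r}")
    return host.lower()


def _matches(host: str, pattern: str) -> bool:
    """Wildcard semantics as scope tables use them: '*.example.com' covers
    'app.example.com' and 'a.b.example.com' but not 'example.com' itself,
    and never a look-alike such as 'evilexample.com'."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] == ".example.com"
    return host == pattern


def scope_status(target: str, scope: dict[str, list[str]] = PROGRAM_SCOPE) -> str:
    """'out-of-scope' if any exclusion matches, else 'in-scope' if an
    inclusion matches, else 'unlisted' (ask the program before testing)."""
    host = hostname_of(target)
    if any(_matches(host, p) for p in scope["out"]):
        return "out-of-scope"
    if any(_matches(host, p) for p in scope["in"]):
        return "in-scope"
    return "unlisted"


if __name__ == "__main__":
    for t in ("https://app.example.com/login", "legacy.example.com:8443",
              "db.internal.example.com", "evilexample.com", "example.com"):
        print(f"{t:35} {scope_status(t)}")
```

An "unlisted" result is deliberately kept separate from "out-of-scope": most programs treat unlisted assets as out of scope by default, but it is exactly the case where asking the program first, through the contact channels discussed above, is worth the effort.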
Bug Bounty Recognition & Reward
One of the biggest frustrations, in my view, is doing all the hard work of finding a security vulnerability and receiving no recognition for it. There is a company side to this argument: no organization wants the "bad press" of someone discovering security vulnerabilities in its products. Understandable.
From the researcher's standpoint, however, recognition is earned credibility. Researchers are looking for some publicity to showcase their skills, add to their resumes, or simply build an online persona. Companies that want to offer recognition could easily add a "Hall of Fame" section that gives away no details of the issues discovered but displays the researcher's name (or online handle).
Mature organizations understand the value of security information and, at times, compensate the good guys so that bad actors cannot take advantage of the same issues first. This builds relationships with security researchers: they keep watching your programs, they have your back, and they feel appreciated.
Bug Bounty Hunting
Bug bounty hunting, and security research in general, is here to stay and won't be stopping anytime soon (or ever). The way we handle it can change, though: researchers and organizations must work together. Here at White Oak Security, we are establishing guidelines and processes for submissions and for reaching out to organizations through the proper channels.
White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.