Ethical Hacking and Bug Bounties
Feb 13, 2019

How ethical hacking and bug bounties are impacting stakeholders

Each year there are an increasing number of data breaches, scams, ransomware and phishing attacks. Because the attack surface is growing while the pool of security experts is shrinking, the risk to businesses has greatly increased (Ellis 2018). Bug bounty programs provide a regulated and facilitated marketplace which allows ethical (or white hat) hackers to test systems and disclose critical issues to businesses in a controlled environment.

From the perspective of the business, ethical hacking and bug bounties provide an affordable way of dealing with bugs in the functionality, appearance or security of a system or web application. This phenomenon has come about because no system is invulnerable to exploits (Smith, Yurcik and Doss 2002). This is mainly due to the lack of quality software testing and the adoption of development methodologies where software is simply pushed out with little testing and patched for bugs after launch. Bug bounties benefit the business by providing a regulated marketplace in which the business defines the scope, the payouts and the processes that white hat hackers are allowed to follow. This is incredibly important to businesses, as hacker feedback allows them to maintain an advantage over malicious attackers (Ellis 2018). However, trust is the core element of this phenomenon, and encouraging hackers to potentially infiltrate systems and gain access to sensitive data is still quite risky and relatively new.

As a case of misuse, the Uber breach is a good example of a company using its bug bounty program in a way which is not considered ethical. After having their data stolen by a 20-year-old hacker, Uber covered up the breach whilst under investigation and paid the $100,000 ransom through their bug bounty program (Bugcrowd 2018). This has tarnished both Uber and the reputation of the bug bounty community, as it blurs the line between bug bounties being used to reward constructive ethical hacking and being used to pay ransoms (Ellis 2018).

Bug bounties provide ethical hackers with a means to improve their skill set and to start or progress in the security industry whilst also getting paid. Until recently, companies were often dismissive or even hostile towards hackers who had disclosed a vulnerability in their site or network. This all changed when a Palestinian hacker found an exploit which allowed him to post on Mark Zuckerberg's Facebook profile. Since then, Facebook has paid out a total of $US6.3m, with 12,000 bug reports submitted in 2017 along with a payout of $US880,000 (Field 2018). Although there are great monetary benefits for white hat hackers, they must abide by the rules of engagement and may be in constant tension with the temptation to go outside the scope of the bounty (Laszka et al.).

How you can implement things you’ve learnt throughout the week to test web apps under a responsible disclosure program

With the small amount of knowledge and experience I’ve gained about web app attacks, there are a range of responsible disclosure programs that I could participate in.

These include Bugcrowd, a crowdsourced security platform which connects businesses with hackers to cover a large and critical attack surface. A popular marketing platform, Hubspot, has launched a bug bounty program which lists Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF) and authentication/authorization flaws as issues that it wishes to have disclosed. These are very common and critical web app vulnerabilities which have been covered in theory in class, with XSS being the number one vulnerability listed on their Top 10.

Bugcrowd - Hubspot

  1. https://www.bugcrowd.com/why-ethics-matter-in-bug-bounties/
  2. https://www.researchgate.net/publication/3955165_Ethical_Hacking_The_security_justification_redux/download
  3. https://www.forbes.com/sites/forbestechcouncil/2018/01/11/bug-bounty-ethics-in-the-aftermath-of-the-uber-breach/#6753a4735a86
  4. https://medium.com/@Hacker0x01/vulnerability-disclosure-policy-basics-5-critical-components-f530050f5352
  5. https://fc18.ifca.ai/preproceedings/105.pdf
  6. https://www.smh.com.au/technology/bug-bounties-facebook-google-apple-offering-millions-to-entice-white-hat-hackers-to-find-their-flaws-20180307-p4z35f.html
  7. https://www.forbes.com/sites/forbestechcouncil/2018/01/11/bug-bounty-ethics-in-the-aftermath-of-the-uber-breach/#5112c4825a86
  8. https://bugcrowd.com/hubspot
