We should always, always applaud and praise companies that are at least this serious about bounty programs.
Two years ago, although I wouldn't call myself the deepest technical person on the planet, I found a terrible bug that exposed 1.1M records for a bay area startup. (edit: the bug was really easy to find, it was a form of URL injection. I couldn't even believe that bug was there in the first place).
I reached out to them multiple times, only to realize they were going to ignore me in perpetuity. I didn't even want money, I would have been happy just to see the bug fixed. (I never helped fix a bug that another company had). Nada.
A less scrupulous person would have sold that information and exposed data for 1.1M people.
I am not naming the company here, even though they would totally deserve it.
I once reverse engineered a Gmail worm found in the wild. The underlying exploit ended up being a security scan bypass in Google docs. I spent a lot of time submitting a bounty report, but I made one fatal mistake: I used URL redirection in the PoC. It was automatically rejected even though that was an example of content that the scan normally detects, not the actual vulnerability. It was closed as not eligible, then silently fixed a week later.
Edit: I checked the emails to refresh my memory. A human acknowledged that it was a flaw in the security scanner and forwarded it to the drive team, then a bot (AFAICT) determined that it was not eligible based on metadata in the report.
Edit 2: I did get one thing out of it. They sent me an invitation to a Bounty Craft event in Las Vegas during Def Con which I was attending that year (likely the actions of another bot scraping the email list). I got there early and accidentally sat down in the Microsoft Security Response team's couch area while they were all up getting food. They were nice people. They realized I never picked up swag on the way in and someone took me back to the door to get it. Apparently since I was with one of the event organizers and they said "you forgot to give him a t-shirt" they assumed I was staff and gave me a staff t-shirt. The event was 100% about how the sponsor companies were investing in automated fuzzing technologies and basically didn't need bug bounty hunters anymore. Slap in the face.
I understand the point you're making about incentives, but the phrasing is poor. The reason people shouldn't sell exploits to the highest bidder isn't because the vulnerable software author refuses to pay a bounty.
People shouldn't sell exploits because it's a crime that hurts people.
In the movie Independence Day the aliens' computer systems were hacked with a few hours' worth of work. Why were they hacked and destroyed? Because nobody reported and worked on security incidents, of course. Why would anyone need to in a militaristic society?
My story is silly, of course, but the point is real. If you don't attack and then fix systems, a lot of people will get hurt.
That's better phrased, indeed. The problem with your earlier statement is that the incentives are not for the people you are talking about.
You don't offer rewards to prevent criminals from selling exploits. Criminals are going to sell exploits anyway. Bug bounties have nothing to do with criminal behavior.
Bounties are there to incentivize the honest people to do security work. And the response of an honest person being denied a bounty IS ABSOLUTELY NOT to turn around and sell it.
>I am not naming the company here, even though they would totally deserve it.
I do wonder to what extent the culture itself of how we approach bugs is designed to benefit companies over consumers. That we avoid naming and shaming due to a chilling effect of blow back, that we have disclosure windows, that the legal framework for reporting bugs is so flaky, that we are all accustomed to bad security practices and getting our data hacked, it all feels like it is architected to benefit companies who rarely suffer from hacks (sometimes there is a significant cost, but that rarely outweighs the profits).
It reminds me of identity theft. The entire concept that you lost money because your identity was stolen from you, that the bank (or other company) who fell for the fake victim isn't even a party to the actual crime, pushes the costs onto consumers. Instead of seeing it as the banks being the victim and thus responsible for bearing the costs that aren't recoverable from the criminals, it is their customers who are. Thus it reduces the cost to the bank of poor identity management. An entire culture that offloads the costs of the bank's penny pinching onto consumers.
Another such example is when the early automotive industry pushed for people to view jaywalking as the crime, shifting blame onto pedestrians for being in the way of cars.
Another aspect of this is the taboo of discussing salaries / compensation with your peers and coworkers. Sure, it might be a bit "low class" to be concerned with money like that, but you know what? We're all mostly working class, and it's in our interest to discuss wages.
It's in your interest to discuss wages if you're paid median or below wages. Wait till you're paid many multiples of your coworkers and then see how you feel about it. The taboo does nothing for most workers, but does protect people who are highly compensated.
Please become less scrupulous! If that bug isn't fixed, that's just another in a long line of disposable bay area startups run by rich careless people—certainly none of which lurk on HN—who treat sensitive customer information like used tissue. I'm sure there's a way to do it where you don't expose the data, but I'd think of it as a favour to a million people.
I also found a terrible bug recently, that could cost this company millions of dollars.
Basically, the company has physical stores and also sells stuff online. Stuff bought online can be returned in store. However, if you bought an item online which was on sale, you could return in store for the full amount. I returned a laptop which I bought online for $999 and received $1399 back.
I think it was due to the fact that the store runs on iSeries/AS400 and the website is in .Net. I happen to work with both, and I can imagine that there is a lot of pain to make the systems work together.
Quite a lot of companies are vulnerable to forms of this, but will notice if you try to exploit it for "millions of dollars". It normally doesn't have much to do with what technologies they use internally.
I think most times I've returned anything, I've had to show the original receipt, so it'd be pretty obvious to them if I bought the item at a discounted price.
If they didn't bother to look at the receipt for your laptop... well, that seems like negligence on the part of the staff handling the return.
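The refund bug described in the laptop-return post above, and the receipt check the replies mention, as an added example that is not code from the thread or from the retailer it describes. All names, data and functions here are constructed for illustration: the vulnerable version prices a return from the store's current catalogue because the POS never consults the online order, while the hardened version derives the refund from the original order line, refuses quantities beyond what is still returnable, and fails closed when the order cannot be found. A small audit function shows the reconciliation check a retailer would run to notice refunds that exceed what was paid.

```python
"""Cross-channel return pricing: vulnerable vs. hardened, plus an audit.

Added example, not code from the thread or any real retailer. The order
records, the store price list, the return log and every function name
are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class OrderLine:
    order_id: str
    sku: str
    qty: int
    unit_price_paid: Decimal   # what the customer was actually charged
    qty_returned: int = 0      # running tally, updated on each accepted return


# Constructed: the store's current list price for each SKU.
STORE_LIST_PRICE = {
    "LAPTOP-15": Decimal("1399.00"),
    "MOUSE-01": Decimal("29.00"),
}


def sample_orders() -> dict:
    """Constructed online orders; a fresh copy each call so callers do not share state.

    WEB-1001 bought the laptop on sale for 999 while the store lists it at 1399.
    """
    return {
        "WEB-1001": [OrderLine("WEB-1001", "LAPTOP-15", 1, Decimal("999.00"))],
        "WEB-1002": [OrderLine("WEB-1002", "MOUSE-01", 2, Decimal("25.00"))],
    }


def refund_vulnerable(sku: str, qty: int) -> Decimal:
    """The store-side logic the thread describes.

    The POS only knows its own catalogue, so an item bought online on sale
    is refunded at full list price. Nothing ties the refund to what was paid.
    """
    return STORE_LIST_PRICE[sku] * qty


def refund_hardened(orders: dict, order_id: str, sku: str, qty: int) -> Decimal:
    """Refund derived from the original order line, never from the catalogue.

    Raises ValueError when the order or line cannot be found, or the quantity
    exceeds what is still returnable, so a mismatch fails closed instead of
    silently falling back to list price. Mutates the line's qty_returned so a
    second return of the same unit is rejected.
    """
    lines = orders.get(order_id)
    if not lines:
        raise ValueError(f"unknown order {order_id!r}; cannot price the return")
    for line in lines:
        if line.sku != sku:
            continue
        remaining = line.qty - line.qty_returned
        if qty <= 0 or qty > remaining:
            raise ValueError(
                f"{qty} x {sku!r} requested but only {remaining} returnable on {order_id!r}"
            )
        line.qty_returned += qty
        # Refund is bounded by the price actually paid for these units.
        return line.unit_price_paid * qty
    raise ValueError(f"{sku!r} is not on order {order_id!r}")


# Constructed return log: the first record is the over-refund from the thread.
SAMPLE_RETURNS = [
    {"order_id": "WEB-1001", "sku": "LAPTOP-15", "qty": 1, "refunded": Decimal("1399.00")},
    {"order_id": "WEB-1002", "sku": "MOUSE-01", "qty": 2, "refunded": Decimal("50.00")},
    {"order_id": "WEB-9999", "sku": "MOUSE-01", "qty": 1, "refunded": Decimal("29.00")},
]


def find_overpaid_returns(returns: list, orders: dict) -> list:
    """Reconciliation check: flag refunds above the amount paid on the order.

    A refund whose order or line cannot be matched is flagged too, since it
    was priced from something other than a real purchase.
    """
    flagged = []
    for rec in returns:
        line = next(
            (l for l in orders.get(rec["order_id"], []) if l.sku == rec["sku"]),
            None,
        )
        if line is None or rec["refunded"] > line.unit_price_paid * rec["qty"]:
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    orders = sample_orders()
    print("vulnerable:", refund_vulnerable("LAPTOP-15", 1))
    print("hardened:  ", refund_hardened(orders, "WEB-1001", "LAPTOP-15", 1))
    for rec in find_overpaid_returns(SAMPLE_RETURNS, sample_orders()):
        print("flagged:", rec)
```

The receipt the replies mention is what carries the order identifier into the store; the hardened path makes that lookup mandatory rather than something a clerk may or may not do, and the audit catches the cases where it was skipped.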
I'm wondering what the right approach is in such a situation. If they don't fix the leak, do you keep quiet or go public? Going public puts them under much more pressure to fix their shit, otoh, bad actors have probably more than enough time to scrape the data. But the other scenario bears the risk of some other bad actor also having discovered it and silently abusing the data. Considering the leak goes unfixed and the company grows they might some time be able to scrape data of ten times as many people.
So would you rather actively help leaking 1m records to public or potentially have someone else getting 10m a year later, but not having anything to do with it directly?
Thinking about it you might try and contact a bigger tech news site to get the companies attention.
They do. It is important to warn their customers about their practices. They had their chance and proved they're absolutely incompetent and shouldn't have anyone's data.
But I wonder what if a developer purposely plants a bug then asks his friend to report it and split the bounty. It seems it's easy to take advantage of such programs internally?
The repository would show who wrote the bug in the first place, and it would have to pass code review. One would have to wait for the developer to leave the company before activating this scenario.
Right now I know of 5-10 serious (100 million plus user data in total) bugs in multiple startups in India. I have reported to them and haven't heard back. The problem is especially severe in India.
If you have been able to access that data, chances are someone else has too. And the data might as well be considered as having leaked already. I wonder if the right course of action would be to send it to haveibeenpwned.
I assume this company has customers in the EU. If the bug still exists today, try dropping a GDPR complaint to one of the European data regulators. Though they have limited resources, they have started taking these things pretty seriously [1] and will look _very_ unkindly on a failure to report the breach or address it.