March 03, 2020

[Security] Companies' Bug Bounty programs

Recently I came across some articles on how some companies are running their Bug Bounty (BB) programs, including a few cases I took from the HackerOne site (which has several articles on its customers' experiences).

See some of the cases below (the news item / case study), with a few highlights I picked out:
  • Apple: "Apple will now pay hackers up to $1 million for reporting vulnerabilities" (The Hacker News, Aug. 2019)
    • Site: Apple Security Bounty
    • The $1 million payouts will be rewarded for a severe deadly exploit—a zero-click kernel code execution vulnerability that enables complete, persistent control of a device's kernel. Less severe exploits will qualify for smaller payouts.
    • On top of its maximum reward of $1 million, Apple is also offering a 50% bonus to researchers who find and report security vulnerabilities in its pre-release software (beta version) before its public release—bringing its maximum reward to $1.5 million.
  • Department of Defense (DoD): "Carter Announces 'Hack the Pentagon' Program Results" (PC Magazine) (June 2016)
    • Site: Hack the Pentagon
    • On the results of the first edition of "Hack the Pentagon", in 2016: More than 250 participants submitted at least one vulnerability report, with 138 of those vulnerabilities determined to be "legitimate, unique and eligible for a bounty," (...). The pilot program (...) cost $150,000 (...). "(...) if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million" according to Secretary of Defense Ash Carter.
  • PayPal: HackerOne blog (Feb. 2019)
  • Oath / Verizon Media: HackerOne blog (Dec. 2018) and "How Verizon Media beefs up cybersecurity with red teams and bounties" (March 2019)
    • In 2018, Oath has received over 1,900 valid vulnerabilities through its private bug bounty program, over 300 of which were high or critical severity. Big numbers mean big rewards — Oath has paid $5 million in bounties in 2018. That’s nearly five times the bounties paid in 2017 and nearly 10 times the bounties paid by Oath brands in 2016.
    • Oath invests big in their top hackers, and in addition to highly competitive payouts, they have hosted four live hacking events in cities all over the world — Goa, San Francisco, Argentina, and a 2018 finale live hacking event in New York City in late November.
    • Yahoo, a brand within the Verizon Media portfolio, started its public bug bounty program in 2013. A public bug bounty program allows anyone on the internet to go through the HackerOne platform to help companies scope vulnerabilities. Other brands owned by Verizon Media, like AOL, had invitation-only, private bug bounty programs accessible through HackerOne. AOL's program focused on specific products and applications in its portfolio. But in April 2018, Verizon Media, then Oath, consolidated into a single program.
    • By the end of the year, the company awarded $5 million in bounties, which is five times the amount awarded in 2017 and 10 times the amount paid in 2016.
  • Google: "Google bug bounty program shelled out $2.9M last year" (Feb. 2018)
    • Google's Vulnerability Reward Program had a big year in 2017, handing out $2.9 million in rewards to researchers across 113 countries, according to a company announcement. More than $1 million each was doled out for Google and Android product vulnerabilities. One bug finder received $112,500 — the largest reward of the year. (...) After seven years of the vulnerability program, Google has now handed out about $12 million in rewards.
  • Dropbox: HackerOne blog + Dropbox blog (Feb. 2020)
    • Over the past five years, our bug bounty program has become an important part of improving our security posture, as it is now for many large tech companies. Transparency and defending the rights of legitimate researchers are cornerstones of the progress we’ve made, and the world is safer for it. To those outside of the security community, it may seem counterintuitive that you can make your platform safer by encouraging security researchers to attack you, but that’s exactly the value that these programs deliver. This process of discovering and remediating bugs is key to our maintaining a highly secure organization and increasingly hardened product surfaces. Our bug bounty program is only part of having a complete secure development lifecycle program.
    • Since launching our program in 2014 and tripling our bounties in 2017, we’ve given more than $1,000,000 to bug bounty participants for valid findings submitted to our program.
  • Hyatt: HackerOne blog (Feb. 2020)
    • Site: https://hackerone.com/hyatt
    • Hyatt began its hacker-powered security journey with HackerOne in 2018 with a private program, inviting a handful of hackers to discover and disclose vulnerabilities for a monetary award or bounty. Before launching the public program, Hyatt had already paid out over $5,000 in bounties to 14 hackers. To further deliver on its purpose of care, Hyatt became the first hospitality brand to start a public bug bounty program in January 2019.
    • Hyatt Chief Information Security Officer Benjamin Vaughn: “We believe there is immense value in having a bug bounty program as part of our cyber security strategy, and we encourage all companies, not just those in the hospitality industry, to take a similar approach and consider bug bounty as a proactive security initiative.”
  • Grammarly: HackerOne blog (Dec. 2018)
    • At Grammarly, we have a strong internal focus on security, but we know we can benefit further from the expertise that the security researcher community can bring through this program.
    • We’ve seen success in our private program, which has nearly 1,500 participants and more than 80 hackers in the Grammarly’s Hall Of Fame. We’re now ready to expand to a public program and welcome many more thousands of security researchers into the program.
  • FanDuel: HackerOne blog (Feb. 2019)
    • The FanDuel product and its infrastructure is all developed in-house with a team of 150 engineers covering everything from devops, front end, backend, mobile, security and risk, among others. The entire security and risk team is currently made up of seven people…it was only two when I first started at the company. Currently there are only two security staff who spend part of their time with the bounty programme. With such a small team, it’s impossible to have the time and the skills necessary to successfully do the monitoring and alerting of all our systems, vulnerability scanning, remediation, additional projects, etc. Supplementing the testing with a bug bounty programme allows us to focus on other day to day activities that the security team is responsible for without adding large quantities of staff to the team.
Bug Bounty programs are becoming more and more popular, thanks to growing adoption by large companies and to how easy they are to set up through the companies that offer this as a service (such as Bugcrowd and HackerOne). Besides offering a financial reward to the people who contribute to the company's security, BB programs result in a better capacity to detect bugs and vulnerabilities, because they attract a broader and more diverse community of security specialists, increasing the chance that flaws are found by well-intentioned people. A BB program also helps build the image of a company that is more committed to the security of its products and is working in partnership with the security community, reducing the friction between researchers and companies.

To learn more:


Bonus: If you have read this far, take the opportunity to look at these Bug Bounty talks that have already been given at Defcon:
PS (added on 21/05): Also see this post on the HackerOne blog: "Six years of the GitHub Security Bug Bounty program"

PS/2 (added on 08/06): Also see the other side of the coin: "Valve and HackerOne: A story in how not to handle vulnerability reports"

PS3 (added on 21/07/2021): Some recent news about bug bounty programs at companies:
PS4 (added on 27/01/2022): See this report from the newspaper O Globo on bug bounty, focused on BugHunt, a Brazilian platform: "Empresas recorrem a 'hacker do bem' para proteger dados"

Disclaimer: The views expressed on this blog are my own and do not necessarily reflect the views of my employer.