Well, let’s go on analyzing the talks at PHDays. I will not evaluate every video, every report, every discussion – that is neither interesting nor right. How could you evaluate a single IOC in isolation from the series of indicators that define a whole campaign 🙂 Let’s look at what was said on the topic of bugbounty, that is, the search for weaknesses for a reward. I have already written about this topic more than once, so today there is no point in repeating what a classic bugbounty program is and why it is needed. It is more interesting to look at something else – how bugbounty projects are implemented in practice in commercial and, importantly, in government organizations.
In the discussion “Bugbounty! Is there a result?!”, moderated by Dima Kim from Positive Technologies, I really liked the position of Dmitry Gadar from Tinkoff Bank, who looks at BB much more broadly than usual and asks non-trivial questions from the point of view of a CISO, and not just a bug hunter:
If a vulnerability was found in bugbounty, then why didn’t the secure development processes find it? Why didn’t the internal scanners find it? What was the researcher doing inside, and why didn’t the SOC react to it? How far did the bug hunter get inside?
Since representatives of state power are no longer allowed to use anglicisms, according to Vladimir Bengin from the Ministry of Digital Development, bugbounty is “a public search for vulnerabilities for a fee”! I think we should wait for such a definition to appear in the regulations 🙂 Vladimir also shared his experience of launching such a program on the public services portal – it took 365 days, as it required a lot of approvals and justifications of “why all this is needed.” Interestingly, Dmitry Gadar has the experience of launching such a program in 1 (one!) day!
But all the participants in the discussion, as well as at other information security events that took place relatively recently, agree that it is not worth starting an assessment of your real security with a bug bounty – the organization may simply be immature in this matter and may simply be overwhelmed by the number of holes. Therefore, you should first establish processes for finding vulnerabilities and for secure development (if any), and only then invite external hackers to search for weaknesses. Vitaly Lyutikov, Deputy Director of the FSTEC of Russia, said the same in another section, noting that it is too early to include a bugbounty requirement in the information security certification process. In my view, this would only force vendors to take better care of their products and services and raise the level of real security provided to their customers. But, apparently, the regulator knows better about the quality of the products that are submitted for certification.
How to check that you are ready for a bugbounty? A recipe from Vladimir Bengin: if you have passed a normal pentest and, within a month after it, were able to eliminate all the identified vulnerabilities, then you are ready for a bugbounty!
In general, the experience of the Ministry of Digital Development in this matter is quite interesting: how they agreed to this at all, how they solved the issue of remuneration, and their plans to develop this experience and transfer it to other government agencies and government information systems. I’ll note right away that there are no plans yet to include this topic in the 676th Government Decree. But the terms-of-reference (TK) template, the contract template and the description of the Mintsifra (Ministry of Digital Development) process are already ready to be shared with other government agencies that want to improve the security of their systems.
Director of Cybersecurity Department, Ministry of Digital Development
In the professional community, it is believed that how much you pay for a critical vulnerability is exactly the level of maturity of your organization in a bugbounty. And if we pay with merchandise, with a coin, with a scarf, or with a public pat on the shoulder, then this is rather strange. Suddenly, someone will think that we do not have such a level of maturity.
Ilya Safronov from VK shared his experience not only of participating on external Bug Bounty platforms, but also of organizing an internal program, in which employees themselves can find bugs in systems, report them to an internal portal and receive an internal currency, which can then be exchanged for something necessary and useful. At the same time, the fear that developers will deliberately leave critical vulnerabilities and then get paid for them is refuted by the practical experience of both VK and Tinkoff, who have not encountered this. Judging by the discussion, methods for assessing possible abuse do exist, but colleagues did not disclose them publicly, giving only some hints during the discussion.
Dmitry Gadar shared other life hacks that were implemented at Tinkoff:
- Month of bugs – an annual bug-finding month, during which employees look for bugs inside systems and receive prizes for this (laptops, vacuum cleaners, etc.).
- Internal CTF for employees.
- “The Diaries of a Hacker” – descriptions of vulnerabilities regularly sent to developers.
- Data Breach Bounty – detection of processes that use personal data (PD) more than necessary, of data found on internal portals, of ways to bypass DLP, of excessive rights in various internal systems, etc.
- In the course of the discussion, Dmitry came up with a new idea – “fishbounty”, where successful phishing of the organization is paid for.
Similar projects were implemented in some places at VK, but they also involve ordinary users who report problems found in various company services, for example, VK ID. And Wildberries, together with VK, actively participated in Standoff Hacks, a closed competition for legal hackers to find vulnerabilities in their systems. All these stories have one thing in common – payment for results, rather than, as in a pentest, payment for a process whose result is unclear in advance. At the same time, all participants agree that this is the cheapest option for assessing their security (provided there is at least some kind of established information security process that will eliminate the identified holes).
But the search for vulnerabilities, or for errors in personal data processing, is not the only area where the idea of a bugbounty can help. For example, the Ministry of Digital Development is attracted by a more interesting idea – the launch of an infrastructure bugbounty, aka a maximum pentest or red teaming under an open offer, where entire teams of white hat hackers compete not in searching for vulnerabilities on the perimeter, but in penetrating inside it. This is closer to the real fears of a business that understands little about vulnerabilities and exploits for a website, but understands very well what penetration into the organization means. So far, the Ministry of Digital Development has not implemented such a program, but wants to move in this direction.
But Positive Technologies has already passed this stage, running last year a bugbounty for unacceptable events, in which research teams must not only find a vulnerability on the perimeter or carry out a successful phishing attack, but, once inside the infrastructure, do what the business considers unacceptable for itself – stealing money, stopping production, stealing audit reports, introducing malware into the code for subsequent supply chain attacks, cutting power, etc. This requires not only higher qualifications, but also an understanding of the business you are breaking into. But this is exactly what the business understands without any questions, what it is willing to pay for, and what checks the real level of information security in the company.
And for information security researchers, this is a way to earn a lot of money at once. Unlike payments of hundreds of thousands of rubles for bugs found as part of a classic bug bounty, in a BB program for unacceptable events the remuneration is already measured in tens of millions of rubles.
But this is not all that was said at PHDays about bugbounty. I also caught a talk in the blockchain track about finding vulnerabilities for a reward in, not surprisingly, distributed ledgers and smart contracts. Given the youth of this technology and the low level of security in its development process, this is a very promising direction, as was shown in the report by Alexander Mazaletsky. Millions of dollars in payouts, a quarter of the vulnerabilities are critical …
There is something here to interest bug hunters, who can earn entirely legally and quite worthy sums with their competencies, while at the same time demonstrating to businesses that underestimating information security issues can lead to unacceptable events. For example, it is still not very clear what happened to Mt. Gox in 2014, when, after the possible theft of 740,000 bitcoins (6% of all existing in the world) and being unable to meet its obligations to customers, it was forced to declare bankruptcy.
This is probably the end of my review of the individual but awesome bugbounty stories that were heard at PHDays. But in fact, there were several other talks in the program related to this topic, which reveal other aspects of it:
- How did people get into bug hunting, and is it possible to make money on it?
- How to join a bugbounty platform or launch your own internal program?
- How much does it cost to launch a bugbounty, and how to form an annual budget for this program?
- What is better – an external platform or your own program?
- How does a security.txt file at the root of the site attract bug hunters?
- How do companies that run their own bug bounty programs screw up and mistreat bug hunters?
- Numbers and statistics of Russian bugbounty programs
- Legal issues and communication with businesses regarding attracting hackers to their systems
- Community work
- Do black hats use legal bugbounty platforms?
- Life hacks
Phew, that seems to be everything. Now I can breathe!