Vulnerability reporting - Bounty program experiences, comparisons, reviews?

  • Vulnerability reporting - Bounty program experiences, comparisons, reviews?

    So, I've been poking around to find out what vulnerability and exploit selling programs are out there, what folks think about 'em, and what experiences folks have had.

    I've long known at least something about ZDI ( and various bounties from a few individual software companies and a few bold programmers - and CERT, etc.

    My experience thus far bringing vulnerabilities to large companies (a few banks, a few software companies, and a hosting company) is that they (appear to) ignore them or stick their heads in the sand shamelessly. If they then receive nasty publicity, they circle the wagons and don't respond, or in one case launched a massive, expensive PR and lawyer-backed multi-year cover-up before fixing the bug. Often the problems don't get fixed for years - until the vulnerable system happens to be replaced with something completely new.

    The vulnerabilities I find generally have put customers or customer information at risk and exposed the companies to serious liability. I find that lately, I'm tripping over vulnerabilities with increasing frequency. I haven't to date solicited or demanded compensation, but being altruistic has brought almost nothing but grief. (Only one large company and a few small companies handled my reports responsibly; none offered compensation, and thanks or even acknowledgement were very rare.)

    I haven't found much info, but a lot more than nothing. Here's a summary of what I found:

    I tried searching here and found that
    has a bad link that some admin with access to the 'Rules' account might want to fix. Of course, I did manage to do some searching anyway, and found and was one of the better articles I found.
    So, iDefense's program doesn't seem to be described on their site anymore; I wonder if it's working. ZDI seems to be alive and well. Major browsers and Google in general have active bounty programs.

    Interestingly, I found announcing it started providing a marketplace for security research in 2008 by selling the UTM OneShield Security appliance, which integrates a revenue sharing model for those security researchers who contribute their findings. In other words, you provide 'em with 0day signatures, and they share the revenue they get selling appliances that detect and block attacks using the signatures. But it looks stillborn - sites are up, but seem ... abandoned. Also, the vulnerabilities I find are usually in bespoke software, not OSes or packaged COTS software.

    I hoped for but was unable to find any comparisons of or discussions about success or failure with specific bounty programs. Hoping to get that here, but shields up; I've had an account for a while, but this is my first post.
    Last edited by MATTTT; May 3, 2012, 13:25.

  • #2
    Re: Vulnerability reporting - Bounty program experiences, comparisons, reviews?

    Originally posted by MATTTT
    I tried searching here and found that
    has a bad link that some admin with access to the 'Rules' account might want to fix.
    Thanks for the report. That post has been edited and the search link has been fixed.

    As for the rest, you have done a good job in finding posts as reference, and I wish you luck with getting replies. I don't really have any comment about vulnerability reporting, and where to get the best compensation and move entities to fix their bugs.

    It is a good first post. Let's see if anyone decides to share their thoughts with you.

    Good luck!


    • #3
      Re: Vulnerability reporting - Bounty program experiences, comparisons, reviews?

      Thanks for the positive reply. (It's a lot more encouragement than what I've become used to receiving by reporting one vulnerability after another!)


      • #4
        Re: Vulnerability reporting - Bounty program experiences, comparisons, reviews?

        My experience with vulnerability disclosure has been nothing but bad. One story stands out the most, and it involved the City Council of my hometown. I found that a lazy dev wrote some pretty horrible code that gave me access (after a little poking around) to the file server that the entire city (fire, police, mayor, council) used for sharing information. It also contained the hosts file, city building plans, data from criminal investigations etc. There was a pretty large amount of exploitable fun stuff resting on that file server. I was concerned for the well-being of my community, and immediately wrote an email to the IT department at the council. No response after 2 weeks. Sent an email to the City Manager, finally a response... TELLING ME TO EMAIL THE IT DEPARTMENT. I did so, once again, and got a pretty vague "who are you, what did you do, where are you blah blah blah" response; they didn't even mention the issues I had pointed out... Not to mention that I gave them my location, full name and told them where I went to school in the first email. I responded and attempted to explain the issues that I found, however they never responded back.

        The next day at work, my employer received a phone call from the city asking for all of the information they had about me, and then they informed my employer that they were launching an investigation on me, and that I mustn't be informed of the phone call. They then decided that they would arrange a meeting between me, my school, my parents and the City. It was strange to me that my school, which was entirely unrelated to any of the previous events, was suddenly brought into the equation. At the meeting I went into detail about the problems I found and explained why they were serious issues. I was told that I am not a "real" hacker because I didn't use any "hacking tools" to find the vulnerability. That ended the meeting. It's been a little over 6 months now, and the problem hasn't been solved.
        Only dead fish swim with the stream.


        • #5
          Re: Vulnerability reporting - Bounty program experiences, comparisons, reviews?

          Originally posted by RedGeek
          It's been a little over 6 months now, and the problem hasn't been solved.
          Hmm, some ideas:

          Maybe make a video (screencam) demo, and share it with the tech media and/or local news media who agree (before you give 'em details or access) to, say, a 2-week embargo on it. I can't think of a more effective, legit way to put pressure on 'em. You can put it on YouTube and configure it to be private.

          Choose a few reporters you admire / who seem to do good work and contact 'em directly? Minimize verbal discussions; you don't want to be misquoted. Decide what the most important point you want to make is, and ask 'em to agree to cover that issue. E.g. "I'd like your assurance that you will embargo the video till ____ and cover these key points: I disclosed the problem to the town on ____ and the system is still vulnerable as of ____. Instead of fixing the problem, they investigated me behind my back. The people I spoke with were Mr X and Ms Y. My blog is at Exposed data included criminal investigations data, ... You will seek public comment from key offices affected, including police, public defender, district attorney, council." Maybe ask the reporters to cover the idea of a state or local government-sponsored bug bounty program. Well, that's far too many points. Pick what's most important, and ask for a commitment regarding one or two, and just discuss whatever else you feel is important.

          In my experience, media coverage can be very helpful, but is usually useless, inaccurate, or worse, unless carefully managed.

          Good luck!

          P.S. Any thoughts/experiences regarding compensation?


          • #6
            Re: Vulnerability reporting - Bounty program experiences, comparisons, reviews?

            A lot of small companies/organizations with the vulnerabilities aren't going to readily acknowledge those vulnerabilities for the same reason they exist in the first place. They just don't understand.

            So what happens is you get a whitehat who tries to inform them, they get treated as a blackhat "hacker", and if anything bad happens later on then the whitehat is used as a scapegoat.

            Then you have the really large software/service companies who do understand vulnerabilities and have regular patch cycles. The whitehats find the holes, give them a heads up... and they are ignored. Not because they don't understand the issue, but because they don't care or are lazy. They prefer security through obscurity because short term it costs less. Whitehat is as patient as possible, eventually submits a CVE, maybe a proof of concept tool to exploit the hole. Now all of a sudden you have a huge community scrambling to address this, and again the whitehat is publicly ridiculed for releasing this information.

            I don't have personal experience with this - just observation.

            In this industry you can't be altruistic. If you're going to put that much work into this, you need to find a way to benefit from it. Even if it wasn't directly monetary and was just for building up a reputation - you start a blog, you discuss your stuff openly, you give companies some time to address it, then post the actual vuln. If you just quietly disclose what you find then there is no push on their side to fix it, and your name never gets out there. You can't use those companies as references for your next job.