Bug bounty program

  1. History

  2. Vulnerability Disclosure Policy Violations

  3. Notable programs

  4. See also

  5. References

  6. External links

A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation[1] for reporting bugs, especially those pertaining to exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse. Bug bounty programs have been implemented by a large number of organizations, including Mozilla,[2] Facebook,[3] Yahoo!,[4] Google,[5] Reddit,[6] Square,[7] and Microsoft.[8][10] Companies outside the technology industry, including traditionally conservative organizations like the United States Department of Defense, have started using bug bounty programs.[9] The Pentagon's use of bug bounty programs is part of a posture shift that has seen several US government agencies reverse course from threatening white hat hackers with legal recourse to inviting them to participate as part of a comprehensive vulnerability disclosure framework or policy.[10] In a more general sense, the term has been applied to open problems in mathematics and computer science research, which also offer significant sums for their solutions.

History

Hunter & Ready initiated the first known bug bounty program in 1983 for their Versatile Real-Time Executive operating system. Anyone who found and reported a bug would receive a Volkswagen Beetle (aka Bug) in return.[11] A little over a decade later, in 1995, Jarrett Ridlinghafer, a technical support engineer at Netscape Communications Corporation, coined the phrase 'Bugs Bounty'.

Netscape encouraged its employees to push themselves and do whatever it took to get the job done. Ridlinghafer recognized that Netscape had many enthusiasts and evangelists for its products, some of whom seemed to him almost fanatical, particularly about the Mosaic/Netscape/Mozilla browser. He started to investigate the phenomenon in more detail and discovered that many of Netscape's enthusiasts were actually software engineers who were fixing the product's bugs on their own and publishing the fixes or workarounds:

  • in the news forums that had been set up by Netscape's technical support department to enable "self-help through collaboration" (another one of Ridlinghafer's ideas during his four-year stint at Netscape); or
  • on the unofficial "Netscape U-FAQ" website, where every known bug and feature of the browser was listed, as well as instructions regarding workarounds and fixes.

Ridlinghafer thought the company should leverage these resources and sat down and wrote out a proposal for the 'Netscape Bugs Bounty Program', which he presented to his manager who in turn suggested that Ridlinghafer present it at the next company executive team meeting.

At the next executive team meeting, which was attended by James Barksdale, Marc Andreessen and the VPs of every department including product engineering, each member was given a copy of the 'Netscape Bugs Bounty Program' proposal and Ridlinghafer was invited to present his idea to the Netscape Executive Team.

Everyone at the meeting embraced the idea except the VP of Engineering, who did not want it to go forward believing it to be a waste of time and resources. However, the VP of Engineering was overruled and Ridlinghafer was given an initial $50k budget to run with the proposal and the first official 'Bugs Bounty' program was launched in 1995.[12][13][14]

The program was such a huge success that it is mentioned in many of the books detailing Netscape's successes.

Vulnerability Disclosure Policy Violations

In August 2013, a computer science student named Khalil used an exploit to post a letter on the Facebook timeline of site founder Mark Zuckerberg. According to the hacker, he had tried to report the vulnerability through Facebook's bug bounty program, but because his report was vague and incomplete, the response team told him that what he had found was not actually a bug.[15]

Facebook started paying researchers who find and report security bugs by issuing them custom-branded "White Hat" debit cards that can be reloaded with funds each time the researchers discover new flaws. "Researchers who find bugs and security improvements are rare, and we value them and have to find ways to reward them," Ryan McGeehan, former manager of Facebook's security response team, told CNET in an interview. "Having this exclusive black card is another way to recognize them. They can show up at a conference and show this card and say 'I did special work for Facebook.'"[16] In 2014, Facebook stopped issuing debit cards to researchers.

In 2016, Uber experienced a security incident when an individual accessed the personal information of 57 million Uber users worldwide. The individual supposedly demanded a ransom of $100,000 in order to destroy the users' data. In Congressional testimony, Uber's CISO, John Flynn, indicated that the company verified that the data had been destroyed before paying the $100,000.[17] Mr. Flynn expressed regret that Uber did not disclose the incident in 2016. As part of its response to this incident, Uber worked with partner HackerOne to update its bug bounty program policies to, among other things, more thoroughly explain good faith vulnerability research and disclosure.[18]

India, which has either the first or second largest number of bug hunters in the world, depending on which report one cites,[19] also tops the Facebook Bug Bounty Program with the largest number of valid bugs.[20] "India came out on top with the number of valid submissions in 2017, with the United States and Trinidad & Tobago in second and third place, respectively", Facebook wrote in a post.[21]

Yahoo! was severely criticized for sending out Yahoo! T-shirts as a reward to security researchers for finding and reporting security vulnerabilities in Yahoo!, sparking what came to be called T-shirt-gate.[22] High-Tech Bridge, a Geneva, Switzerland-based security testing company, issued a press release saying Yahoo! offered $12.50 in credit per vulnerability, which could be used toward Yahoo-branded items such as T-shirts, cups and pens from its store. Ramses Martinez, director of Yahoo's security team, later claimed in a blog post[23] that he was behind the voucher reward program, and that he had basically been paying for the vouchers out of his own pocket. Eventually, Yahoo! launched its new bug bounty program on October 31 of the same year, which allows security researchers to submit bugs and receive rewards between $250 and $15,000, depending on the severity of the bug discovered.[24]

Notable programs

In October 2013, Google announced a major change to its Vulnerability Reward Program. Previously, it had been a bug bounty program covering many Google products. With the shift, however, the program was broadened to include a selection of high-risk free software applications and libraries, primarily those designed for networking or for low-level operating system functionality. Submissions that Google found adherent to the guidelines would be eligible for rewards ranging from $500 to $3133.70.[25][26] In 2017, Google expanded their program to cover vulnerabilities found in applications developed by third parties and made available through the Google Play Store.[27]

Similarly, Microsoft and Facebook partnered in November 2013 to sponsor The Internet Bug Bounty, a program to offer rewards for reporting hacks and exploits for a broad range of Internet-related software.[28] In 2017, GitHub and The Ford Foundation sponsored the initiative, which is managed by volunteers from Uber, Microsoft, Facebook, Adobe, and HackerOne. [29] The software covered by the IBB includes Adobe Flash, Python, Ruby, PHP, Django, Ruby on Rails, Perl, OpenSSL, Nginx, Apache HTTP Server, and Phabricator. In addition, the program offered rewards for broader exploits affecting widely used operating systems and web browsers, as well as the Internet as a whole.[30]

In March 2016, Peter Cook announced the US federal government's first bug bounty program, the "Hack the Pentagon" program.[31] The program ran from April 18 to May 12 and over 1400 people submitted 138 unique valid reports through HackerOne. In total, the US Department of Defense paid out $71,200.[32] In June, the Secretary of Defense, Ash Carter, met with two participants, David Dworken and Craig Arendt, to honor them for their participation in the program.[33]

Open Bug Bounty is a crowd security bug bounty program established in 2014 that allows individuals to post website security vulnerabilities in the hope of a reward from affected website operators.

See also

  • Bounty hunter
  • Cyber-arms industry
  • Knuth reward check (Program of 1980s)
  • List of unsolved problems in computer science
  • List of unsolved problems in mathematics
  • Market for zero-day exploits
  • White hat (computer security)
  • Zerodium

References

1. "The Hacker-Powered Security Report - Who are Hackers and Why Do They Hack", p. 23. HackerOne, 2017. Accessed 5 June 2018. https://ma.hacker.one/rs/168-NAU-732/images/hacker-powered-security-report-2017.pdf
2. "Mozilla Security Bug Bounty Program". Mozilla. Accessed 9 July 2017. https://www.mozilla.org/en-US/security/bug-bounty/
3. Facebook Security. "Facebook WhiteHat". Facebook, 26 April 2014. Accessed 11 March 2014. https://facebook.com/whitehat
4. "Yahoo! Bug Bounty Program". HackerOne. Accessed 11 March 2014. https://hackerone.com/yahoo
5. "Vulnerability Assessment Reward Program". Google. Accessed 11 March 2014. https://www.google.com/about/appsecurity/reward-program/
6. "Reddit - whitehat". Reddit. Accessed 30 May 2015. https://www.reddit.com/wiki/whitehat
7. "Square bug bounty program". HackerOne. Accessed 6 August 2014. https://hackerone.com/square
8. "Microsoft Bounty Programs". Security TechCenter, Microsoft. Accessed 2 September 2016. http://microsoft.com/bountyprograms
9. "The Pentagon Opened up to Hackers - And Fixed Thousands of Bugs". Wired, 10 November 2017. Accessed 25 May 2018. https://www.wired.com/story/hack-the-pentagon-bug-bounty-results/
10. "A Framework for a Vulnerability Disclosure Program for Online Systems". Cybersecurity Unit, Computer Crime & Intellectual Property Section, Criminal Division, U.S. Department of Justice, July 2017. Accessed 25 May 2018. https://www.justice.gov/criminal-ccips/page/file/983996/download/
11. "The first "bug" bounty program". Twitter, 8 July 2017. Accessed 5 June 2018. https://twitter.com/cybersecuritysf/status/883829319604293632
12. "Netscape announces Netscape Bugs Bounty with release of netscape navigator 2.0". Netscape press release, archived by the Internet Archive on 1 May 1997. Accessed 21 January 2015. https://web.archive.org/web/19970501041756/http://www101.netscape.com/newsref/pr/newsrelease48.html
13. "Cobalt Application Security Platform". Cobalt. Accessed 30 July 2016. https://cobalt.io/blog/the-history-of-bug-bounty-programs
14. CenturyLink. "CenturyLinkVoice: Why Companies Like Pinterest Run Bug Bounty Programs Through The Cloud". Forbes. Accessed 30 July 2016. https://www.forbes.com/sites/centurylink/2015/04/30/why-companies-like-pinterest-run-bug-bounty-programs-through-the-cloud/#284751034867
15. "Hacker posts Facebook bug report on Zuckerberg's wall". RT, 18 August 2013. Accessed 11 March 2014. http://rt.com/news/facebook-post-exploit-hacker-zuckerberg-621/
16. "Facebook whitehat Debit card". CNET. http://www.cnet.com/news/facebook-hands-out-white-hat-debit-cards-to-hackers/
17. "Testimony of John Flynn, Chief Information Security Officer, Uber Technologies, Inc." United States Senate, 6 February 2018. Accessed 4 June 2018. https://www.commerce.senate.gov/public/_cache/files/7d70e53e-73e9-4336-a100-67b233084f12/75728554E990488D71625DFA69B05494.uber---john-flynn---testimony.pdf
18. "Uber Tightens Bug Bounty Extortion Policy". Threatpost, 27 April 2018. Accessed 4 June 2018. https://threatpost.com/uber-tightens-bug-bounty-extortion-policies/131512/
19. "Bug hunters aplenty but respect scarce for white hat hackers in India". Factor Daily, 8 February 2018. Accessed 4 June 2018. https://factordaily.com/india-bug-bounty-superpower/
20. "Facebook Bug Bounty 2017 Highlights: $880,000 Paid to Researchers". Facebook, 11 January 2018. Accessed 4 June 2018. https://www.facebook.com/notes/facebook-bug-bounty/2017-highlights-880000-paid-to-researchers/1918340204846863/
21. "Facebook Bug Bounty 2017 Highlights: $880,000 Paid to Researchers". Facebook, 11 January 2018. Accessed 4 June 2018. https://www.facebook.com/notes/facebook-bug-bounty/2017-highlights-880000-paid-to-researchers/1918340204846863/
22. "Yahoo! T-shirt gate". ZDNet. http://www.zdnet.com/yahoo-changes-bug-bounty-policy-following-t-shirt-gate-7000021508
23. Ramses Martinez. "So I'm the guy who sent the t-shirt out as a thank you." Yahoo Developers blog. Accessed 2 October 2013. http://yahoodevelopers.tumblr.com/post/62953984019/so-im-the-guy-who-sent-the-t-shirt-out-as-a-thank-you
24. Ramses Martinez. "Yahoo! launched its Bug Bounty Program". Yahoo Developers blog. Accessed 31 October 2013. http://yahoodevelopers.tumblr.com/post/65622522325/the-bug-bounty-program-is-now-live
25. Dan Goodin. "Google offers "leet" cash prizes for updates to Linux and other OS software". Ars Technica, 9 October 2013. Accessed 11 March 2014. https://arstechnica.com/security/2013/10/google-offers-leet-cash-prizes-for-updates-to-linux-and-other-os-software/
26. Michal Zalewski. "Going beyond vulnerability rewards". Google Online Security Blog, 9 October 2013. Accessed 11 March 2014. http://googleonlinesecurity.blogspot.com/2013/10/going-beyond-vulnerability-rewards.html
27. "Google launched a new bug bounty program to root out vulnerabilities in third-party apps on Google Play". The Verge, 22 October 2017. Accessed 4 June 2018. https://www.theverge.com/2017/10/22/16516670/google-play-security-rewards-program-vulnerabilities-bug-bounty/
28. Dan Goodin. "Now there's a bug bounty program for the whole Internet". Ars Technica, 6 November 2013. Accessed 11 March 2014. https://arstechnica.com/security/2013/11/now-theres-a-bug-bounty-program-for-the-whole-internet/
29. "Facebook, GitHub, and the Ford Foundation donate $300,000 to bug bounty program for internet infrastructure". VentureBeat, 21 July 2017. Accessed 4 June 2018. https://venturebeat.com/2017/07/21/facebook-github-and-the-ford-foundation-donate-300000-to-bug-bounty-program-for-internet-infrastructure/
30. "The Internet Bug Bounty". HackerOne. Accessed 11 March 2014. https://hackerone.com/ibb
31. "DoD Invites Vetted Specialists to 'Hack' the Pentagon". U.S. Department of Defense. Accessed 21 June 2016. http://www.defense.gov/News-Article-View/Article/684616/dod-invites-vetted-specialists-to-hack-the-pentagon
32. "Vulnerability disclosure for Hack the Pentagon". HackerOne. Accessed 21 June 2016. https://hackerone.com/hackthepentagon
33. "18-year-old hacker honored at Pentagon". Stars and Stripes. Accessed 22 June 2016. http://www.stripes.com/news/18-year-old-hacker-honored-at-pentagon-1.415197
34. Steven Zimmerman. "Microsoft Announces Windows Bug Bounty Program and Extension of Hyper-V Bounty Program". XDA Developers, 26 July 2017. Accessed 3 August 2017. https://www.xda-developers.com/microsoft-windows-bug-bounty/

External links

  • Independent International List of Bug Bounty & Disclosure Programs: https://www.vulnerability-lab.com/list-of-bug-bounty-programs.php
  • Crowd Bug Bounty List: https://bugcrowd.com/list-of-bug-bounty-programs
  • The Internet Bug Bounty List: https://hackerone.com/ibb
  • AT&T Bug Bounty Program: https://bugbounty.att.com/
  • PayPal Inc Bug Bounty Program: https://www.paypal.com/us/webapps/mpp/security-tools/reporting-security-issues
  • Facebook Whitehat Bug Bounty Program: https://www.facebook.com/whitehat
  • United Airlines Bug Bounty Program: https://www.united.com/web/en-US/content/Contact/bugbounty.aspx
  • Google Vulnerability Reward Program: https://www.google.com/about/appsecurity/reward-program/
  • Zerodium Premium Vulnerability Acquisition Program: https://www.zerodium.com
  • The History of Bug Bounty Programs: https://blog.cobalt.io/the-history-of-bug-bounty-programs-50def4dcaab3#.8avn544sm
