ZD Tech: When bug bounty goes wrong
Hello everyone and welcome to ZD Tech, ZDNet’s daily editorial podcast. My name is Louis Adam and today I will explain how bug bounty programs can sometimes go wrong.

We have already talked about bug bounties. These programs allow security researchers to report computer vulnerabilities to companies in exchange for rewards, which can sometimes amount to significant sums. On paper, it’s a great idea: it allows companies to fix vulnerabilities, and independent researchers to get paid. Unfortunately, things don’t always go as planned.

The issue of scope

First of all, there are the thorny questions around what is called “the scope”, that is, the field of application of the bug bounty program. When a company decides to launch a bug bounty, it often tries to frame things: it announces that bounties are only paid for some of its applications or services, or that certain types of flaws do not qualify for a reward. And the interpretation of this framework can sometimes lead to disappointment.

This is the mishap that a security researcher encountered in 2019, after reporting flaws in the Steam application, published by the company Valve. The researcher had found a flaw allowing privilege escalation through Steam. He therefore tried to report it through Valve’s bug bounty program, managed at the time by HackerOne, the American leader in the sector. The trouble was that Valve had not planned to pay for this type of vulnerability.

Having failed to convince the company of the seriousness of the flaw, the researcher chose to disclose it publicly, without the company having fixed it first. In response, Valve banned the researcher, causing a minor scandal in the computer security community. Valve eventually made amends: it reinstated the researcher into its program, fixed the flaws he had discovered and modified the scope of its bug bounty.

Cyber attack concealment

But it could have been worse. Sometimes bug bounties are used to hide real attacks. This is more or less what Uber’s former head of security tried to do in 2016.

At the time, two cybercriminals managed to access the data of 57 million drivers and passengers who used the application. Bad news for the group’s brand new security director. But he has an idea: he contacts the cybercriminals and offers to buy their silence for a bounty of $100,000 in bitcoin. A hijacking of the company’s bug bounty program, which cost him his job and landed him in serious legal trouble.

But the method has since been copied: among the many decentralized finance services that have been hacked in recent months, some do not hesitate to offer a reward to the attacker if he agrees to return the stolen funds. We saw it at Akropolis, but also at Wormhole and at QuBit Finance.
