World’s biggest bug bounty payouts by tech companies to ethical hackers and security researchers
Some of the world's largest companies offer 'bug bounty programs' that pay security researchers to find vulnerabilities and suggest security measures to fix them.
In the present scenario, most companies and organizations rely entirely on the internet and the web for their business. With the number of malicious hackers on the web growing, these companies have come up with a relatively new kind of program known as a "bug bounty".
Under a bug bounty program, companies are ready to pay substantial sums to security researchers who not only find flaws but also suggest security measures, so that the company is protected from cyber attackers who might otherwise discover the same flaws and cause significant damage to the organization.
A few years ago, a security researcher who pointed out a software bug would have received either a simple 'thank you' or, in some cases, a symbolic T-shirt for his or her efforts. However, people have since become more aware of these hacks and of how damaging they can be, so companies now prefer that a security researcher point out a security flaw and have it fixed through these programs rather than be hacked by cyber criminals.
In this article we will look at some of the largest payouts given in recent years under bug bounty programs.
In May 2015, United Airlines announced an innovative bug bounty program under which a security researcher who found bugs in United Airlines' software would be rewarded with 'free air miles' rather than cash.
The rewards too were quite amazing. For instance, a security researcher who found low-level flaws such as cross-site request forgery or bugs in third-party software would be awarded 50,000 air miles.
Mid-level bugs such as personal information leaks, authentication bypasses or brute-force attacks would be rewarded with up to 250,000 miles.
If a researcher managed to find a remote code execution (RCE) bug, the reward would be up to one million miles!
The program did not cover flaws in the aircraft themselves, such as those in the in-flight Wi-Fi or the avionics. Further, there were strict rules: a researcher was not supposed to disclose these flaws to any third party or in public.
The first to receive the bug bounty award was Jordan Wiens, a Florida-based vulnerability researcher. He detected an RCE bug in United Airlines' web properties and was rewarded with a million free miles.
The next was Nathaniel Wakelam, an Australia-based security researcher who uncovered a single bug and was awarded half a million United Airlines miles.
A third security researcher, Neal Poole, claims to have won 300,000 United Airlines miles for a bug submitted this month.
According to some reports, a million air miles can be used for 'several' first-class trips from the US to Asia, or the recipient can use them for, say, '20 round trips in the US'.
Facebook, the social networking site, has had its ups and downs with its bug bounty program. Facebook introduced the program in 2011 with the aim of rewarding people who pointed out issues to the site, thus making it a safer place to hang out online.
However, there is some evidence that Facebook refused to pay one white hat when he posted a letter to Mark Zuckerberg's profile page in 2013. Instead, Facebook seems to have introduced a 'white card' debit card program for bug hunters, which also appears to have been ditched a year later.
Nonetheless, according to Collin Greene, a Facebook security engineer, the program had already paid a total of $1 million to around 329 people in 51 countries who reported security issues with the site.
Back in November 2013, Reginaldo Silva, a computer engineer from Brazil, found a vulnerability in Facebook's software. The bug was in the code for the OpenID authentication system, which lets people use the same log-in credentials across various other online services. Reginaldo discovered that this was one of the deadliest types of software flaw, as the vulnerability could be exploited from a remote computer: the attacker could gain access to any file and open arbitrary network connections on the Facebook server. Under the bounty program the reward for finding this bug was around $30,000.
The Register disclosed that in January 2014 Reginaldo was finally given an award of $33,500 for finding this bug.
Microsoft awarded a $200,000 prize for new exploit mitigation technology:
In 2012, Microsoft launched the "BlueHat Prize" contest to motivate security researchers to develop innovative anti-exploitation techniques. Vasilis Pappas was awarded $200,000, the first ever big bounty payout from the Redmond software giant.
Vasilis Pappas, a security pro and at that time a PhD student at Columbia University, developed an exploit mitigation technology called "kBouncer", which is specifically designed to detect and prevent return-oriented programming (ROP), a popular vulnerability exploitation technique.
Microsoft was reportedly searching for contestants who "could design the most effective ways to prevent the use of memory safety vulnerabilities, a key area of focus for Microsoft". The field was eventually whittled down to three finalists, and ultimately it was Pappas who bagged the huge award.
Bypassing Windows 8.1 mitigations using unsafe COM objects:
Last year, Microsoft awarded a bounty payout of $100,000 to a security researcher for finding a 'mitigation bypass' in Windows 8.
Usually, Microsoft does not favor giving out huge bug bounty rewards; however, it entered the bug bounty scene in late 2013. The Redmond giant announced a bug bounty program specifically for Windows 8.1 and Internet Explorer 11.
Until then Microsoft had paid $11,000 for IE exploits. Under its bug bounty program, however, Microsoft announced that should a researcher find a "truly novel" exploitation technique against Windows 8.1, it would offer a much bigger reward to that bug hunter.
Finally, it was UK-based security researcher James Forshaw who managed to bag the $100,000 bounty for successfully "bypassing Windows 8.1 mitigations using unsafe COM objects". The bug could bypass certain protections in the preview version of Windows 8.1.
Under the bounty rules, Forshaw could not give details at the time; however, he later described the bug in a Context blog post.
In April 2014, Google researcher Neel Mehta spotted the Heartbleed flaw (CVE-2014-0160).
According to The Telegraph, the Heartbleed bug can be described as one of the "most serious security flaws ever found". The bug affects the open-source encryption software OpenSSL, which is used on millions of web servers. The paper noted that this bug could have been used to steal passwords, credit card details and even encryption keys without leaving behind any trace.
The Heartbleed bug was thus a defect in the OpenSSL cryptography library, which is widely used to implement the Transport Layer Security (TLS) protocol, and the bug is believed to affect many web servers even today.
Neel Mehta, a member of Google's security team, spotted this bug by accident.
Actually, according to Codenomicon, it was Google's security team who first reported Heartbleed to OpenSSL; however, the bug was discovered independently by Google and by the Finnish cyber security firm. The bug itself seems to have been introduced accidentally by a German engineer while he was working on the OpenSSL code.
The Daily Dot reported that the OpenSSL project later awarded Mehta $15,000, which he donated to the Freedom of the Press Foundation, an organization that promotes the use of encryption and other security tools to protect journalists' communications. Considering the seriousness of the Heartbleed bug, the reward was actually meager!
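The defect itself came down to a missing length check in the TLS heartbeat handler: the declared payload length from the peer was trusted and that many bytes were copied into the reply, even when the record actually received was much shorter. The following is an added educational model of that check, not OpenSSL's code; the record layout (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding) follows the heartbeat extension, and the "adjacent heap data" and the `demo()` helper are constructed stand-ins.

```python
"""Toy model of the heartbeat length check behind Heartbleed (CVE-2014-0160).

Added example, not OpenSSL's code. The record layout follows the TLS heartbeat
extension: 1-byte message type, 2-byte big-endian payload_length, payload, and
at least 16 bytes of padding.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 3  # type (1) + payload_length (2)


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Build a heartbeat request record. `declared_len` lets a test state a
    payload length that does not match the bytes actually sent."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + b"\x00" * MIN_PADDING


def _response(declared_len: int, payload: bytes) -> bytes:
    return struct.pack("!BH", HEARTBEAT_RESPONSE, declared_len) + payload + b"\x00" * MIN_PADDING


def respond_unchecked(memory: bytes, record_len: int) -> bytes:
    """Pre-fix logic: trusts the peer's payload_length and copies that many bytes
    starting at the payload, regardless of how long the record really was.
    `memory` stands for process memory: the record occupies its first
    `record_len` bytes and whatever follows is unrelated data. `record_len`
    is deliberately never consulted, which is the bug."""
    _, declared_len = struct.unpack_from("!BH", memory, 0)
    payload = memory[HEADER_LEN:HEADER_LEN + declared_len]
    return _response(declared_len, payload)


def respond_checked(memory: bytes, record_len: int) -> Optional[bytes]:
    """Fixed logic: the declared payload must fit inside the record actually
    received, counting header and minimum padding. Returns None to mean
    'silently discard the message', as the fix does."""
    if record_len < HEADER_LEN + MIN_PADDING:
        return None  # too short to even carry a length field and padding
    _, declared_len = struct.unpack_from("!BH", memory, 0)
    if HEADER_LEN + declared_len + MIN_PADDING > record_len:
        return None  # declared length overruns the record: drop it
    payload = memory[HEADER_LEN:HEADER_LEN + declared_len]
    return _response(declared_len, payload)


def demo() -> dict:
    """Run an honest request and an over-declared one through both responders."""
    honest = build_heartbeat(b"ping")
    lying = build_heartbeat(b"ping", declared_len=40)  # says 40 bytes, sends 4
    # Constructed stand-in for whatever happens to sit after the record in memory.
    memory = lying + b"CONSTRUCTED-ADJACENT-HEAP-DATA"
    return {
        "honest_checked": respond_checked(honest, len(honest)),
        "lying_unchecked": respond_unchecked(memory, len(lying)),
        "lying_checked": respond_checked(memory, len(lying)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The unchecked responder echoes back bytes that were never part of the record, while the checked one discards the over-declared request and still answers the honest one normally. The bounds check compares the attacker-controlled length against the length the transport actually delivered, which is the only figure the server can trust.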
Yahoo's Flickr is one of the biggest photo management and sharing websites.
Last year, security researcher Ibrahim Raafat discovered flaws in this popular photo sharing service that could result in SQL injection and remote code execution. Amazingly, Yahoo was quick to acknowledge the flaw and also provided a patch.
In effect, the SQL injection bug opened the door to remote code execution.
According to Ibrahim Raafat, by obtaining the MySQL root password he was able to gain access to the sensitive information contained in the Flickr database.
Raafat said that he went to Flickr to check whether a vulnerability he had reported to Yahoo had been patched; instead, he discovered two blind SQL injection vulnerabilities and a direct SQL injection flaw in the Flickr Photo Books feature.
According to SC Magazine, Yahoo not only acknowledged the problems but also patched them within just six hours.
This indicates a bright future for all the security researchers out there: they too can win one of the biggest bounty payouts!!
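Both the direct and the blind injection flaws share one root cause, user input spliced into SQL text, and one fix, bound parameters. The following is an added example of that contrast, not Flickr's or Yahoo's code: the `photobooks` table, its rows, the `demo()` helper and the injected owner string are all constructed, and in-memory SQLite stands in for the MySQL backend the article mentions.

```python
"""Direct SQL injection beside its parameterised fix.

Added example, not Flickr's or Yahoo's code. The photobooks table and its rows
are constructed stand-ins; SQLite replaces the MySQL backend from the article.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with two public photo books and one private one (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE photobooks (id INTEGER PRIMARY KEY, owner TEXT, title TEXT, is_private INTEGER)"
    )
    conn.executemany(
        "INSERT INTO photobooks (owner, title, is_private) VALUES (?, ?, ?)",
        [
            ("alice", "Holiday 2014", 0),
            ("alice", "Family (private)", 1),
            ("bob", "Street photos", 0),
        ],
    )
    return conn


def public_books_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable: the owner string becomes part of the SQL text, so a quote and a
    comment marker inside it are parsed as SQL and rewrite the WHERE clause."""
    sql = f"SELECT title FROM photobooks WHERE owner = '{owner}' AND is_private = 0"
    return [row[0] for row in conn.execute(sql)]


def public_books_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened: a bound parameter is only ever a value, never SQL, so the same
    input simply matches no owner. This also closes blind variants, where the
    attacker infers data from true/false behaviour, because the input never
    reaches the SQL parser at all."""
    sql = "SELECT title FROM photobooks WHERE owner = ? AND is_private = 0"
    return [row[0] for row in conn.execute(sql, (owner,))]


# Constructed textbook input: closes the quoted string, adds an always-true
# condition, and comments out the is_private filter.
INJECTED_OWNER = "x' OR 1=1 --"


def demo() -> dict:
    """Query the constructed table with a normal owner and with the injected one."""
    conn = make_db()
    return {
        "unsafe_normal": public_books_unsafe(conn, "alice"),
        "unsafe_injected": public_books_unsafe(conn, INJECTED_OWNER),
        "safe_normal": public_books_safe(conn, "alice"),
        "safe_injected": public_books_safe(conn, INJECTED_OWNER),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The unsafe query returns every row, private book included, for the injected owner; the parameterised query returns nothing for it and behaves identically for the normal owner. The second layer the article's account points to is least privilege: an application account that can only read and write its own tables limits what an injection can reach, whereas a root database password turns the same flaw into full data access and, as here, a path to code execution.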