With all the apps and systems that are used, created and updated every day it is often impossible for you to be absolutely certain about their security. This resulted in the creation of external help through schemes like bug bounties unless your Uber who change the scope of what bug bounties they’ll be paying.
Bug bounty schemes are simple. If you find a problem in the code or system that a company uses, you report it to the company running the scheme and if they find it was a problem, you get paid. Even Microsoft and GitHub run schemes to help narrow down and find problems with their software. The issue comes here is that only this week popular taxi alternative app Uber launched its own bug bounty scheme.
Sean Melia found a few issues or rather a few admin panels/ports that were open. This fell in line with what Uber wanted under the grouping of “publicly accessible login panels” and “exposed administration ports (excluding OneLogin)”. After reporting the first issue which was quickly accepted as a bug, Melia went about finding others resulting in the large group he ended up reporting. The problem was that by this time Uber had updated their documentation to make these reports invalid, without informing people using the scheme. Free security support anyone?
The reason for the change? Ubers security engineering manager, Collin Greene, has stated they changed the rules so that they stopped researchers wasting their time on minor bugs. Greene then stated that “a successful bug bounty rests on researchers trusting us to run it well, which we take very seriously”, something that may not go down so well when you are willing to change the goalposts without telling people.
Was Uber right in this case? Should they have acted differently? A problems a problem, even with a lesser payment, should Melia have received something given that he did the work under the old rules?
Many companies seek to outsource the finding of vulnerabilities in their products to external hackers, offering monetary rewards in exchange for details on successful hacks that they can fix. In a show that should both display their faith in the security of the Chromebook as well as entice more hackers and security experts to probe the laptops for vulnerabilities, Google has doubled the previous bounty offered for a Chromebook hack to $100,000.
This new and larger reward has a high bar set for anyone wishing to challenge the Chromebook’s security. In order to qualify for the full $100,000 bounty, a hack must be demonstrated that is delivered through a web page accessed in guest mode and have the compromise persist in guest mode, even between boots of the device. The reason this hack is challenging is that while in guest mode, a Chromebook is employing its highest levels of security. A guest user can download files, but is forbidden from installing apps, even those officially released from Google’s store, which circumvents one of the major angles of attack that are used by hackers. Chromebooks are also set to automatically install updates, runs all of its software in sandboxed environments and even has a “verified boot” function, which can detect if the OS is compromised by malware on boot and roll it back to a clean version.
“Since we introduced the $50,000 reward, we haven’t had a successful submission,” Google wrote on their security blog. “That said, great research deserves great awards, so we’re putting up a standing six-figure sum, available all year round with no quotas and no maximum reward pool.” Whether that means that no-one can hack the Chromebook or simply not enough people have tried remains to be seen, but we will have to see whether anyone will be able to claim this bounty in the near future
GitHub has launched its GitHub Bug Bounty, a program aimed to help security researchers in finding bugs and flaws in system. The company is reportedly willing to pay between $100 and $5,000 for each security vulnerability discovered and responsibly disclosed by hackers.
Only the GitHub API, GitHub Gist, and GitHub.com. GitHub are available for the above mentioned program, but the company says its other Web properties and applications are not part of the program though vulnerabilities found “may receive a cash reward at our discretion.”, as they pointed out.
The amount of money given for bugs and flaws is said to be “based on actual risk and potential impact to our users.” Meaning, the bigger the potential scope and the bigger the severity of the issue, the larger the payout.
“If you find a reflected XSS that is only possible in Opera, which is 60% of our traffic, will earn a much larger reward.” GitHub gave as an example.
Even spotting a very low-level bug is worth disclosing for the extra cash. Not only are you getting paid for your hard work, but you’re making the Web safer in the long-run. Bug bounty programs are becoming more and more popular because they work. The damages caused by exploited bugs are much greater than simply paying security researchers for finding them first.
Thank you TheNextWeb for providing us with this information Image courtesy of GitHub