A bug bounty program rewards whoever finds and reports a vulnerability in a product (hardware, firmware or software). Many software companies and organizations, such as Microsoft, Google and Facebook, run bug bounty programs.
With advances in technology, computing systems made up of hardware and software have become vital to every organization and business. As the use of these systems has grown, so has the importance of defending them against ever-increasing criminal activity. Criminals constantly search for vulnerabilities that let them mount a successful attack. If such vulnerabilities (bugs) are found and exploited by criminals, the result can be theft of user data and damage to systems and business operations, with large financial losses. To deal with these growing threats, companies hire security experts. However, an organization's limited number of in-house experts is likely to be outnumbered by the many criminals around the world constantly trying to break in. Hacker-powered security lets organizations draw on the expertise of a large community of ethical hackers. In this way, vulnerabilities are found faster, saving companies from breaches and the losses that follow.
Hacker-powered security has become the norm, and companies are paying large sums for it. Every year, on average, up to $9000,000 is awarded in bug bounties. Hacker-powered security is no longer limited to technology companies: governments, militaries, financial organizations, global retailers and entertainment companies are adopting it by paying ethical hackers for vulnerabilities found in their products. The growing number of online businesses and services further increases the opportunities for bug bounty hunters.
Below is a detailed description of how to earn a reward by reporting a bug to Microsoft. A later section briefly describes bug reporting at four other top organizations.
Reporting bugs to Microsoft’s Bug Bounty Program:
Microsoft is one of the biggest companies that rewards bug hunting. It encourages researchers to discover vulnerabilities and help make its customers more secure. If you have found a vulnerability, or intend to look for one, in a Microsoft product, the first step is to check the list of Microsoft products covered by the bounty program.
The following table lists those products. Further details can be found at https://www.microsoft.com/en-us/msrc/bounty?rtc=1
Each product has its own list of in-scope vulnerabilities, and only these receive a financial reward; out-of-scope vulnerabilities, listed on the respective product page, are not paid. The bounty amount depends on the severity of the vulnerability and the quality of the report; the details are on the respective product page. Here, we present how the bounty is calculated for Xbox vulnerabilities.
Further details about in-scope and out-of-scope vulnerabilities are at https://www.microsoft.com/en-us/msrc/bounty-xbox.
Every valid bug report, whether or not it is eligible for a financial reward, is publicly acknowledged in the Researcher Recognition Program and its leaderboard. Visit the program page for more information.
Bug Report Submission:
- A bug report must be submitted by email to email@example.com or through the MSRC submission portal (https://msrc.microsoft.com/create-report); the link is on the main Microsoft bounty page (https://www.microsoft.com/en-us/msrc/bounty?rtc=1) and on each product-specific page. The format of the submission page is shown below.
- After submission, the researcher receives an email from Microsoft confirming receipt of the report.
- Next, the technical team evaluates the report: it reproduces the vulnerability and assesses its impact. Evaluation time is not fixed; it depends on the number of submitted reports, the complexity of the vulnerability and the quality of the report.
- Once the technical team has validated the report, Microsoft informs the researcher whether the report is eligible for a reward.
- To receive payment, the reporter registers with one of Microsoft's award-payment partners, HackerOne (https://hackerone.com/) or Bugcrowd (https://www.bugcrowd.com/). After registration, the reporter receives the bounty promptly. These partners pay quickly and offer several payment options, including PayPal, Payoneer, cryptocurrency and direct bank transfer in 30 countries, and they credit the payment on the reporter's profile on their site. Microsoft shares the award amount, case number and case severity with these partners; the bug report itself stays confidential. Microsoft corporate payment is available to those who cannot use HackerOne or Bugcrowd.
What must be avoided during bug research and reporting
The most important consideration while testing for vulnerabilities is to avoid harming user data and privacy or disrupting the product's operation. Do no more than is needed to demonstrate the issue; if a bug causes a service disruption or exposes user data, stop immediately and report it to Microsoft. Researchers must also follow coordinated vulnerability disclosure: do not share the vulnerability report until Microsoft has fixed the bug.
Other bug bounty award programs
Following is a brief description of four other high-paying bounty programs:
Intel Bug Bounty (https://www.intel.com/content/www/us/en/security-center/bug-bounty-program.html):
Intel, like Microsoft, is a large company that supports vulnerability research and reporting. Intel's bounty program covers hardware, firmware and software vulnerabilities; Intel's own web infrastructure and third-party products are not included. A bug report is submitted by encrypted email to Intel PSIRT (firstname.lastname@example.org), encrypted with Intel's PSIRT PGP public key. Intel pays from $500 up to $10,000 for software bugs, $1,000 to $30,000 for firmware bugs and $2,000 to $100,000 for hardware bugs. The actual amount depends on the severity of the bug and the quality of the report.
Apple Bug Bounty (https://developer.apple.com/security-bounty/)
Apple's bounty payments are divided by vulnerability category, with a maximum award of $1,000,000 for a network attack requiring no user interaction. The full award schedule is on Apple's website. A bug report is submitted by email to email@example.com, encrypted with Apple's Product Security PGP key.
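Both Intel and Apple ask for the report to be PGP-encrypted to their published key. The script below is an added example, not Intel's or Apple's own tooling: it shows how a practitioner would do this with GnuPG while pinning the key fingerprint copied from the vendor's security page, so that a swapped or look-alike key file is refused rather than encrypted to. It assumes the `gpg` binary (GnuPG 2.1 or later) is on PATH; EXPECTED_FINGERPRINT, the key file name and the sample report text are placeholders, not real vendor values.

```python
"""Encrypt a vulnerability report to a vendor PSIRT's PGP key with GnuPG,
pinning the key fingerprint before use. Added example; assumes `gpg` on PATH."""
import shutil
import subprocess
import tempfile
from pathlib import Path

# Pin the fingerprint published on the vendor's security page (fetched over HTTPS),
# never the one printed by the key file you are about to import. Placeholder value.
EXPECTED_FINGERPRINT = "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"


def gpg_available() -> bool:
    return shutil.which("gpg") is not None


def normalize_fingerprint(fpr: str) -> str:
    """Strip the spacing vendors use on web pages; gpg prints 40 bare hex chars."""
    return "".join(fpr.split()).upper()


def primary_fingerprints(colons_output: str) -> list:
    """Extract primary-key fingerprints from `gpg --with-colons --list-keys`.
    The first `fpr` record after a `pub` record carries the primary key's
    fingerprint in field 10; later `fpr` records belong to subkeys."""
    fprs, expect_primary = [], False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expect_primary = True
        elif fields[0] == "fpr" and expect_primary:
            fprs.append(fields[9])
            expect_primary = False
    return fprs


def fingerprint_matches(found: str, expected: str) -> bool:
    return normalize_fingerprint(found) == normalize_fingerprint(expected)


def _gpg(home: Path, *args: str) -> subprocess.CompletedProcess:
    cmd = ["gpg", "--batch", "--no-tty", "--homedir", str(home), *args]
    return subprocess.run(cmd, capture_output=True, check=True)


def encrypt_report(key_file: Path, report: Path, out: Path,
                   expected_fpr: str = EXPECTED_FINGERPRINT) -> str:
    """Import the vendor key into a throwaway keyring, verify its fingerprint
    against the pinned value, then write ASCII-armored ciphertext to `out`.
    Returns the fingerprint encrypted to; raises on mismatch or ambiguity."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        home.chmod(0o700)  # gpg warns on group/world-accessible homedirs
        _gpg(home, "--import", str(key_file))
        listing = _gpg(home, "--with-colons", "--list-keys").stdout.decode()
        fprs = primary_fingerprints(listing)
        if len(fprs) != 1:
            raise RuntimeError(f"expected one key in {key_file}, found {len(fprs)}")
        if not fingerprint_matches(fprs[0], expected_fpr):
            raise RuntimeError("fingerprint mismatch: refusing to encrypt to an unverified key")
        # --trust-model always: we verified the key ourselves, so the web of trust is irrelevant.
        _gpg(home, "--trust-model", "always", "--armor", "--recipient", fprs[0],
             "--output", str(out), "--encrypt", str(report))
        return fprs[0]


def roundtrip_selftest() -> bool:
    """Generate a throwaway 'PSIRT' key, encrypt a constructed report to it via
    encrypt_report, and decrypt it with the private key. False if gpg is absent."""
    if not gpg_available():
        return False
    with tempfile.TemporaryDirectory() as tmp:
        vendor = Path(tmp) / "vendor"
        vendor.mkdir(mode=0o700)
        _gpg(vendor, "--pinentry-mode", "loopback", "--passphrase", "",
             "--quick-gen-key", "PSIRT Test <psirt@example.invalid>", "default", "default", "never")
        key_file = Path(tmp) / "psirt.asc"  # what the vendor would publish
        key_file.write_bytes(_gpg(vendor, "--armor", "--export", "psirt@example.invalid").stdout)
        fpr = primary_fingerprints(_gpg(vendor, "--with-colons", "--list-keys").stdout.decode())[0]
        report = Path(tmp) / "report.txt"
        report.write_text("Constructed sample report: heap overflow in parser, PoC attached\n")
        out = Path(tmp) / "report.txt.asc"
        used = encrypt_report(key_file, report, out, expected_fpr=fpr)
        plain = _gpg(vendor, "--pinentry-mode", "loopback", "--passphrase", "",
                     "--decrypt", str(out)).stdout
        return used == fpr and plain == report.read_bytes()
```

In practice you call `encrypt_report(Path("psirt.asc"), Path("report.txt"), Path("report.txt.asc"), expected_fpr="<fingerprint from the vendor page>")` and attach the resulting `.asc` file to the email; `roundtrip_selftest()` exercises the whole flow against a throwaway key so you can confirm your GnuPG setup before sending a real report.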
Facebook Bug Bounty (https://www.facebook.com/whitehat)
Facebook's bounty program covers all of its products, including Instagram, Internet.org/Free Basics, Oculus, Workplace, Facebook's open source projects (e.g. osquery), WhatsApp, Portal, FBLite and Express Wi-Fi. A bug report is submitted through the online form linked from https://www.facebook.com/whitehat. The minimum award is $500 and there is no upper limit. If a researcher chooses to donate the reward, Facebook doubles it and donates the total.
Google Bug Bounty (https://www.google.com/about/appsecurity/reward-program/)
Google's awards for bugs in its products range from $500 to $20,000. The program covers design and implementation vulnerabilities that affect confidentiality and integrity. Bug reports for most products can be submitted through HackerOne; for the other products, the respective links are given on the page (https://www.google.com/about/appsecurity/reward-program/).
Beyond the programs above, a large number of programs are listed on the HackerOne bug bounty site (https://ma.hacker.one/rs/168-NAU-732/images/hacker-powered-security-report-2017.pdf), where researchers can find a field or programming framework of interest and start hunting.