Bug bounties, a broken system

Written by worldofbalgan | Published 2017/07/31

A couple of days ago I was chatting with @osxreverser on IRC; he was telling me how he was messing around with the newly released Broadpwn vulnerability, and I got curious.

I set up a VM with Kali, connected my Alfa Networks card to it and got playing with a PoC that used hostapd.

While not being successful with the iPhone exploitation, I decided to turn my sights to other devices: I tried my Echo Dot, my TVs, and then I hit my Nintendo Switch and this happened:

A day passes and I get the following reply:

Now, at this point we get new information:

  • Nintendo says the vulnerability has been made public (whatever this means: was it because I tweeted, or because details of Broadpwn had been made public?) and I’m not getting paid for this because they already knew about the vulnerability.

This made me send out the following tweet:

Which sparked some interesting conversations.

Now let’s get something straight, I’m OK with not getting paid for bounties. What I’m not OK with are the double standards.

If we as researchers are held accountable to a set of standards often set in bug bounties:

  • Don’t reveal before X days
  • Don’t make details public
  • We decide what to pay out
  • You need to present a proper report

I’m a true believer that the same level of standards and evidence should be applied to the vendors and the platforms running these bug bounties.

Right now this is how it works:

1. You have the vendor, who pays the bug bounty platform to set up their bug bounty.

2. The bug bounty platform sets things up and invites a troupe of hackers to test said bounty.

3. Hackers/researchers spend their time on this and, when they find something, write a report on said platform.

4. The platform now has written evidence that the participant found something.

5. Some platforms do a preview before it gets to the vendor.

6. The vendor either accepts or rejects the report.

Now, reading this, let’s look at the level of transparency and the benefits for each party:

1 — The vendor — Gets their products tested, is essentially a black box, and if they don’t feel like paying out they can simply say “we’ve found it before” and close the bounty, OR they can just go “yeah sure, here is $100” (some platforms already don’t allow this last one, which is a small step in a good direction). They don’t need to show evidence, and they don’t need to register the things they’ve found anywhere public or accessible to participants in the bounty, so in reality if they want to scam researchers they just can.

2 — The bug bounty platform vendor — They’ve already been paid to set up the programme; their objective is to keep the client happy and, to a certain level, the researchers (a much lower level than the client, because there are way too many researchers for them to really care about individually). Their communication with the vendor is a black box, and communication with the researcher is fully open (via the bounty or platform).

3 — The researchers — Do the work, maybe get paid.

The reality of how this works should be:

1 — Is bug in scope? Yes.

2 — Is the bug on the public list of things that have been found? No.

Vendor, pay up.

Or, if the vendor goes “I’ve found this before”, they must also present evidence in the form of correctly dated bug tracking, or something reliable with a proof of date that cannot be faked.

(For the amount of bullshit startups I see every day being published with blockchain, this could actually be a legitimate use case and business for that technology, but it would require a complete overhaul of how bug bounties work.)
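As an added example (not from the original post), here is one shape the “public list of things that have been found” could take: a hash-chained register of salted commitments, where the vendor publishes only a hash and a date and reveals the salt and bug details only when disputing a report. The class, field names and sample bug text are constructed for illustration; the chain proves order, not calendar time, so its head hash would still need anchoring somewhere the vendor cannot rewrite (the blockchain idea above is one such place).

```python
import hashlib
import json
import os

GENESIS = "0" * 64  # "prev" hash of the first entry


def _sha256(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


class DisclosureRegister:
    """Append-only, hash-chained register of 'known bug' commitments (constructed example).

    The vendor publishes only H(salt || details) and a date, so bug details stay
    private until it chooses to reveal salt and details to dispute a report. Each
    entry hashes the previous one, so editing or back-dating breaks every later
    link; the head hash still needs anchoring somewhere the vendor cannot rewrite.
    """

    def __init__(self):
        self.entries = []

    def commit(self, bug_details: str, recorded_at: str, salt: str = None) -> str:
        """Append a commitment; returns the salt the vendor keeps private."""
        salt = salt or os.urandom(16).hex()
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"recorded_at": recorded_at,  # ISO date, e.g. "2017-07-20"
                 "commitment": _sha256(salt + bug_details),
                 "prev": prev}
        entry["entry_hash"] = _sha256(json.dumps(entry, sort_keys=True))
        self.entries.append(entry)
        return salt

    def chain_intact(self) -> bool:
        """Recompute every link; False if any entry was altered or reordered."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or _sha256(json.dumps(body, sort_keys=True)) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def proves_prior_knowledge(self, salt: str, bug_details: str, report_date: str) -> bool:
        """True only if an intact chain holds this exact bug, recorded before report_date."""
        if not self.chain_intact():
            return False
        target = _sha256(salt + bug_details)
        return any(e["commitment"] == target and e["recorded_at"] < report_date
                   for e in self.entries)
```

A researcher (or an escrow platform) can verify the chain and the revealed salt themselves; a “we knew” claim with no matching entry dated before the report simply fails.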

And on top of this, the bug bounty platforms should act as escrows, keeping everyone in line: vendors from messing around with the researchers, and the researchers from going against some of the rules.

Another alternative, and there is already one platform I’m aware of doing this (in beta at the moment), is moving to a “crowd sourced” pentest system where, for example, out of the pool of people on the bug bounty system 5 get picked and paid a fixed amount, and then whatever they find they get an extra amount.

Now, to finish, the excuses and accusations I’ve heard today:

1 — You’re pissed because you’re not getting paid — Nope. I’m fortunate enough that what I get paid for running my own business is enough to pay my bills and save some money; my bug bounty money would have gone towards investing in some STEM students in Portugal (my home country), whose university fees I pay. I’m pissed because I hate being scammed and watching others being scammed, which is what happens with the current system.

2 — You notified them of something they knew! — Really? That’s absolutely fine. Show me evidence. There was no patch or advisory published.

3 —

I fit these 3 into the same category: my issues are not about a vulnerability or a specific type of vulnerability; that is actually fixed by SCOPE. The problem I have is that I can report an RCE, a SQLi, an XSS, a WHATEVER THE NEW COOL ACRONYM IN SECURITY is, and they can just go “Knew it! KKTHANKSBYE”.

Right now we rely on two parties that have no incentive to be transparent or truthful with the participants, not 100% at least; they can just choose to pay the occasional low-level bounty to keep some people happy.

This is a system that just doesn’t work. In a few years you will be left with people that have 0 experience in infosec and are willing to be milked for a few bucks, while people with experience just won’t do bug bounties. And by the time this happens, both the bug bounty platforms and the vendors will be losing as well.

Oh, and by the way, you won’t just lose on quality. Hackers and researchers will keep on poking your stuff; the only difference is that when they find something juicy, instead of going into a “maybe I’ll get some pay” situation, they will go to the black market and be guaranteed at least a minimum amount.

#fixbugbounties


Published by HackerNoon on 2017/07/31