Rafael de Carvalho

A Year In HackerOne’s Bug Bounty Program

A Year In HackerOne’s Bug Bounty Program

 

By Rafael de Carvalho, Ben Willis, and Martzen Haagsma

At HackerOne, we practice what we preach, running our own bug bounty program and publicly disclosing the vulnerabilities surfaced by hackers. And hackers really love to poke holes in the bug bounty experts!

We use our own program to experiment with best practices, trial processes, and hone internal training and development. In this blog, our security and engineering teams dig into what last year’s results means for their approach to security and consider makes an effective program.

 

Hackers Report The Most Vulnerabilities In 2022 To Keep The Platform Secure

We looked at how our program performed from February 2022 to February 2023. 

In 2022, we saw an 89% increase in bounty submissions to our program. While we saw an anticipated dip in submissions over November and December, there was significant increase from January 2023, with a 66% increase in reports. 

Submission

 

In 2022 we also paid out the most in bounty payments for our program to date, with rewards totalling $163,134 across 56 findings, with an average bounty per report of $2,862. June was our most active month, paying out over $61,000 in a single month for 143 reports, 29 of which were critical or high severity. 

Bounty awarded

 

One measure of a mature and attractive bug bounty program is how fast a program responds to a hacker and remediates the vulnerability. We maintain an average of two days to triage a vulnerability and a month to fix it, depending on the severity. We aim to reward the hacker as close to triage as possible and have a current average of nine days until the bounty is paid. 

Response

 

We want to extend special thanks to the top participating hackers on our program:

Haxta4ok00

mikkocarreon

cache-money

whhackersbr

fuzzsqlb0f

 

Acquisitions And Third Party Software Flaws Were The Biggest Driver of Vulnerability Reports

We know that that the introduction of new products and mergers and acquisitions are particular security risks for our customers. At the beginning of 2022, we went through an acquisition ourselves and experienced the security challenges that come with that process. We added PullRequest to our scope, and immediately saw hackers report some high/critical finds, for example, this blind Cross Site Scripting vulnerability in the admin portal (thanks @bugra!) And, on hackerone.com, @ahacker1 reported an a broken access control and information disclosure vulnerability in the newly launched HackerOne Assets product. 

We’re also not immune from the challenge of supply chain security and vulnerabilities found in our third party suppliers. We received a number of submissions that required us to work together with our vendors to fix. 

The most significant third-party report was the recent ImageTragick CVE, reported by @mikkocarreon, #1858574). The Local File Inclusion vulnerability in ImageMagick can be exploited when uploaded images are being resized. By uploading a malicious PNG image, the resizing process will include the local file as content of the resized image in a hexadecimal representation. If exploited, an attacker could access the server and get near full access to reading and changing HackerOne data. Thanks to the bug bounty program we were able to patch the issue within just a few hours of being notified. We’ll also publish a detailed blog on this vulnerability in the coming months! 

A particular challenge with the proliferation of vulnerabilities in third party technology is that, traditionally, we have only paid 20% of the total bounty for a vulnerability in a third party, meaning we’re looking at how best to properly reward hackers and ensure security across two attack surfaces as we continue in 2023. 

 

Engineering Plays A Crucial Role In Our Security

As a HackerOne engineer, you’re expected to secure what you build. Organizations are only going to move the needle on security if developers and engineers have equal responsibility for the security of products and assets. As engineers, we take part in quarterly security training courses to keep informed about the latest threats and how to mitigate. We partner closely with the security team when building products and will include security in the build process especially when working with PII or financial data.

When it comes to adopting learnings from the bug bounty program, following the initial triage, a rotation of engineers receive the report, who then communicate directly with the hacker, identifying the root cause, triaging and escalating, or directly fixing, the vulnerability. Once the engineers have triaged internally, the reports are sent straight to the the team with the most context for immediate validation. Having the relevant engineering teams study the vulnerability and its cause has enabled us to scale our program and increase incentives on high and critical severity vulnerabilities, resulting in the increase we’ve seen this year in high and critical submissions.

Finally, we encourage our own team submit findings to our own program too, although these are ineligible for bounties. For example @rcoleman found a SQL injection in the CVE Discovery Search and @jobert regularly reports vulnerabilities on features that he is working on. 

 

Incentivizing Hackers Is The Top Priority in 2023 

A hardened attack surface means you are in a position to offer higher bounties since you’re not having to pay out for the low-hanging fruit present on a weaker attack surface and can therefore incentivize hackers to find those really critical vulnerabilities. We have been experimenting with creating dynamic bounty payouts based on submissions, so the bounty pot increases the longer it takes for someone to submit a critical vulnerability.

In 2023, we will continue to iterate on our triage process, setting clear expectations about what qualifies as a vulnerability. We see a number of reports close as informative due to a perceived vulnerability being a feature rather than a bug or because it’s something under construction. It’s important for us to be as clear as possible with researchers so everyone understands what qualifies for payment.

Experimentation is key to making our own bounty program more effective and impactful and so that we can pass those learnings onto the customer. As engineering teams increas their focus on using vulnerability data to build more secure products, expect vulnerabilities to be far harder to find!

To find out how to report a bug to HackerOne, check out our program page: https://hackerone.com/security?type=team 

 

Top Tips For Engineers To Contribute To A Best-In-Class Bug Bounty

  • Define a clear program - A well written policy and well laid out scope helps hackers know where and how to operate. This gives hackers the confidence to know the program works for them.

  • Lower the barrier to entry - If hackers have to spend money, or need to have privileges to reach certain corners of your application, they will have a harder time testing your product. HackerOne, for example, provides “sandbox” programs to test different scenarios without real-world implications. Customer programs can leverage our credentials feature to programatically provide hackers access to their applications.

  • Reward competitively - Bounty tables have a big influence on hacker engagement. Over time, your program gets hardened and hackers need to invest more in order to find vulnerabilities. Periodically raising your bounty table communicates that your program is not stale. HackerOne is experimenting with a concept called “smart rewards”: we continuously increase a bonus bounty pool until a vulnerability is found and, once found, reset the “bonus” back to zero for another cycle.

  • Build a relationship with your hacker community - Be responsive. Positive and regular communication results in faster and better triaging and fewer frustrations, improving hacker retention. 

  • Squash those bugs - With our program, we have found that it’s important to have a robust process to triage and hand over reports to the correct team. Be sure to also request a retest to ensure the vulnerability has been resolved and to check for any unwanted side-effects.

Visit our documentation page for more information about running a best-in-class program

The 7th Annual Hacker-Powered Security Report

Hacker-Powered Security Report