From finding flaws to suggesting innovative security measures for the future, we look at some of the biggest bug bounty payouts in recent years.
So-called ‘bug bounties’ are offered by some of the world’s largest websites and software companies to ensure that software bugs are found and fixed by friendly security researchers, rather than by malicious hackers who could use the same flaws to cause significant damage.
Bug bounties are a relatively new phenomenon but, in recent years, have become a significant security measure for modern businesses, especially if that business is heavily reliant on the web.
In days gone by, security researchers reporting such flaws would likely have received a simple ‘thank you’ or perhaps even faced accusations of hacking themselves, such was the lack of understanding around these ‘white hat’ or ethical hackers.
But times have changed and there are now a variety of programs paying out large sums of money to researchers. From finding flaws and snitching on cybercriminals to suggesting innovative security measures for the future, we look at some of the biggest payouts in recent years.
United Airlines caused a stir in May when it announced a bug bounty program that would reward security researchers for finding bugs with free air miles rather than cash.
United’s rewards range from 50,000 air miles for low-level flaws, like cross-site request forgery and bugs in third-party software, to 250,000 miles for mid-level bugs, like personal information leaks, brute force attacks and authentication bypasses. Should a researcher find a RCE bug, they could be awarded up to one million miles.
Flaws found onboard the aircraft, like in the avionics and the in-flight Wi-Fi, are not eligible for the program. It also prohibits researchers disclosing bugs publicly or to any third parties.
Florida-based vulnerability researcher Jordan Wiens was one of the first to be awarded a bug bounty by United Airlines, receiving a million free air miles for finding a RCE bug in United’s web properties.
Australia-based bug hunter Nathaniel Wakelam also recently secured half a million United Airlines miles for a single bug he found on 16 May. A third bug hunter, Neal Poole, says he bagged 300,000 miles for a bug submitted this month.
Some reports suggest that one million air miles is enough for “several” first-class trips to Asia from the US, or for “up to 20 round-trips in the US”.
Facebook’s history with bug bounty programs is chequered – the social network famously refused one white hat any privileges after he managed to post a letter to Mark Zuckerberg’s profile page in 2013 but went on to introduce a ‘white card’ debit card program for researchers, before ditching it a year later. Nonetheless, the firm did pay out over $1 million to researchers in 2014.
In November 2013, Brazil computer engineer Reginaldo Silva found one of the worst vulnerabilities in Facebook’s software, netting a bug bounty of over $30,000. The bug related to code used for the authentication system OpenID, which lets people use the same log-in credentials for various online services.
Mr Silva found that the vulnerability could be executed from a remote computer, one of the most dangerous types of software flaws. It could have allowed a hacker to read almost any file and open arbitrary network connections on a Facebook server.
A Facebook spokesman later revealed to The Register that the final reward was $33,500.
Microsoft awarded its first-ever $100,000 bounty to a security researcher who discovered a bug in Windows 8, late last year.
The Redmond giant has traditionally avoided handing out big rewards but the company announced its first bug bounties in late 2013, specifically designed for Windows 8.1 and Internet Explorer 11.
Microsoft was paying up to a generous $11,000 for IE exploits, but was offering even bigger money to researchers, should they come across “truly novel” exploitation techniques against the emerging Windows 8.1.
James Forshaw, a security researcher at UK-based Context Information Security, picked up the full $100,000 bounty for detailing a bug that worked around some protections in the preview version of Windows 8.1.
Mr Forshaw wasn’t able to go into details on the approach at the time because of Microsoft bounty rules, but later was able to go into greater depth on a Context blog.
That wasn’t the first time Microsoft had paid out big to a security pro – the previous year, the Redmond software giant had paid Vasilis Pappas $200,000 for an innovative new security prototype designed to prevent the exploitation of memory safety vulnerabilities in Windows applications.
Mr Pappas, a PhD student at Columbia University at the time, had developed kBouncer, an “efficient and fully transparent ROP mitigation technique”, which he presented at Microsoft’s 2012 Blue Hat Prize event.
Microsoft said at the time it was seeking contestants who “could design the most effective ways to prevent the use of memory safety vulnerabilities, a key area of focus for Microsoft”. After whittling down the contestants to just three people, Mr Pappas eventually took home the big prize.
The well-publicized Heartbleed flaw (CVE-2014-0160) came to light in April 2014. It was specifically a defect in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It affected hundreds of thousands of web servers, and it’s believed many are still vulnerable today.
Fortunately, it was accidently spotted by Neel Mehta, a member of Google security’s team. Codenomicon reported that Google’s security team reported Heartbleed to OpenSSL first, but both Google and the Finnish cybersecurity firm discovered it independently. The flaw was accidently introduced by a German engineer when poking around the OpenSSL code.
The OpenSSL Project awarded Mehta $15,000 – a relatively paltry figure considering the seriousness of the Heartbleed flaw. The Daily Dot later reported that the Google researcher generously donated his reward to the Freedom of the Press Foundation, which supports the use of encryption and other security tools to protect journalist communications.
The Yahoo-owned Flickr is one of the biggest photo management and sharing websites in the world, but its reputation took a dent when it was hit by a critical web application vulnerability last year, which left the website’s database open for hackers.
Security researcher Ibraham Raafat claimed to have found SQL injection vulnerabilities on Flickr Photo Books, a new feature for printing custom photo books using the service. He found two parameters (page id, item) that are vulnerable to a blind SQL injection vulnerability and Direct SQL Injection flaw, opening up for Remote Code execution.
A successful SQL injection could lead to attacker stealing database and MYSQL administrator password, Mr Raafat said, adding he was able to gain access to sensitive information within the Flickr database.
Yahoo acknowledged the problems and patched them within six hours, SC Magazine reported last year.