Some background on Switzerland’s biggest Bug Bounty program
This is a contributed guest post by Florian Badertscher from Swisscom’s bug bounty program. We are publishing it here on the Cyber Storm blog because it brings information valuable to companies planning a bug bounty program of their own.
“Embracing the Hackers”
The motto for this year’s edition of the Swiss Cyber Storm conference – “Embracing the Hackers” – was a perfect opportunity for us (the team running Swisscom’s Bug Bounty program) to invite our top bounty hunters to Switzerland, watch the great talks at the conference together, and, of course, have some fun. We also took the opportunity to get to know each other better.
How to become a successful bug bounty hunter
Our invited Bounty Hunters show the various paths into bounty hunting. We had the pleasure of enjoying the day together with:
- Patrik Fábián: from Hungary, 18 years old, student
- Daniel Le Gall: originally from France, living in Switzerland, until recently a professional pentester
- Edgar Boda-Majer: originally from Germany, living in Switzerland, until recently a professional pentester as well
- Raphaël Arrouas; originally from France, living in Switzerland, until recently a professional pentester (is there a pattern here?)
As it turned out, formal education isn’t that important in becoming a good hacker and one can be either a MSc degree in Computer Science or Engineering, have a professional education as web developer with lots of different jobs in IT or still be learning as a student.
One thing in common, however, is striking: all of them got into cyber security through participating in “Capture the Flag” events (CTF). It must be a very effective and fun way to learn about cyber security! Another commonality is the reason they started doing bug bounties. Some of them made trips into the shadier areas of vulnerability research and wanted to switch to a completely hassle-free and legal way of doing this – as well as getting some bounties and recognition while doing so.
These top bounty hunters are making a living out of it
Many Bug Bounty Hunters worldwide are making bounty hunting their main source of income. We were also fascinated to hear that our top hunters are now creating their own business around Bug Bounties. Daniel and Edgar, along with a third white hat hacker, just started their company Bugscale, focusing on research and bug bounty programs. Raphaël also created his own company. Patrik still needs to get an MSc in Computer Science, but his bounties will cover all his education costs.
Good bounty hunters are good handicraftsman.
When discussing their workflow and tools of the trade, we were surprised at how “manual” their approach is. For discovery, where the targets are identified, OWASP’s Amass is used to query multiple sources of information (certificate transparency logs, Shodan, Google, DNS enumeration, etc.). But from there, they analyze the websites and servers mostly manually, relying on their intuition to dig deeper and deeper until they succeed. They know from experience and feel that “there is something to exploit here” and will not let go until a Proof of Concept exploit is developed. We see this when looking at the time the reports are sent to us: it’s not unusual that the timestamps are way past midnight. Two incentives are at play: the first one is pride in finding a vulnerability no one else has discovered before, so-called 0-days, and the second is being able to report a finding and get a bounty acknowledging the time spent.
Another good source of intelligence used by Patrik is LinkedIn: by searching for web developers (especially PHP developers, as it’s “a bit crappy”), and looking at their company or blog posts, he can identify applications and websites that may be interesting to check in more detail. Raphaël and Patrik are also regularly watching our press releases and are happy to test our recent acquisitions.
Bug bounty programs are not all created equal
Bug Bounty programs are expanding these days. There are multiple ways to get one running, and we were interested in getting the perspective of these bounty hunters.
Many programs are hosted on HackerOne or Bugcrowd, well known “managed bug bounty” services based in the USA. Closer to us is YesWeHack, a French company. This is the most obvious way to find new programs but also has a disadvantage: a new program will be “assaulted” when starting, everyone trying to get the low hanging fruit as fast as possible. This can be very frustrating for researchers, spending time and reporting issues, only to discover they have all been previously reported (only the first hunter to report a vulnerability gets the bounty).
Private programs are more interesting for hunters: by invitation only, a limited number of researchers are given a head start on a new program or new scope. It’s a kind of acknowledgement of their previous work – well-rated bounty hunters get invited, which in turn increases their chance to get good bounties.
Another important aspect for the hunters is the relationship they build with the team running the program. In the case of Swisscom, they know how to reach us rapidly. They know they have competent and knowledgeable contacts on the other side, able to give relevant contextual information rapidly. This is something that is much more difficult for an outsourced bug bounty program.
Finally, we asked what they liked about our program, and where we could improve. In addition to the trust and transparency mentioned before, they really enjoy the huge scope of Swisscom. They also like our rating of bounties, based on the business impact of the vulnerability. Although this is not predictable up-front, they find it valuable as they gain way more context and insight into the company. They all wished for a private track of the program, so they could get test accounts and prioritized access to new services. We will have think about ways to implement that.
The future of bug bounty programs
Our top bounty hunters agree on one thing: the future looks bright for Bug Bounty programs. They expect that, in the years to come, more and more companies will be adopting them, especially in Switzerland, as well as more skilled bounty hunters looking at the systems. It will be harder to find really valuable vulnerabilities as security is (hopefully?) slowly improving over time.
Information about Swisscom’s Bug Bounty program
Information and facts about Swisscom’s Bug Bounty program
Scope: all products and services from Swisscom group, including subsidiaries.
Reported vulnerabilities: from low-level cross site scripting (XSS) up to highly critical 0-days in well-known and widely used products.
Numbers from 2018
- Vulnerability reports received and handled: 844
- Valid reports resulting in a fix: 427
- Bounties awarded: CHF 350’000.-
A look ahead to 2019
Looks like some records will be broken…
Florian Badertscher
Security Analyst CSIRT, Swisscom