What are your experiences with bug bounty and responsible disclosure programs?
I have been working as a programmer for almost 20 years and nowadays I develop web stuff for Uppsala University.
When I was younger I heard about other students who hacked phone systems and things like that, but even though I found it cool and interesting, I never figured I could do it (and I am not of the criminal persuasion anyway). Around 2012, when I first heard about this thing called bug bounties, I could suddenly hack stuff in a totally legal way. I found that very exciting, and still do.
One of the first issues I reported was a CSRF in a Swedish web shop that did not have a bounty program, but I got two board games as a reward. I think their immediate positive feedback made me appreciate this hobby from the very beginning. I still report bugs to them now and then but during 2012 I almost exclusively reported bugs to Nokia, who I believe was running one of the first bug bounty programs of the kind we know today.
I think it’s a fun hobby and some extra money now and then is always fun.
I also run the Swedish Slack group “Bug Bounty Hunters Sweden” (yes, it’s a cheesy name, I know). Everyone who is interested in the bug bounty scene and understands Swedish at least a little is very welcome to join the group.
In your opinion, how does Detectify’s Crowdsource differ from other bug bounty programs?
I think there are several differences:
- For bug bounty programs you find specific vulnerabilities that mostly exist in one place, but on Crowdsource you take a broader view and look for more common issues.
- Another difference is that, in contrast with most bug bounty programs, you don’t have to create fully functional prototypes. Instead it seems to be enough to describe the issue in just enough detail for Detectify’s developers to be able to create a scanner module.
- Finally, normally you get one reward per bug you report, but Detectify Crowdsource’s payout model is different: you earn money every time Detectify’s scanner finds an instance of your issue.
What have you submitted to Crowdsource and why?
Almost all my current submissions concern misconfigurations, for example open admin interfaces. I have used many of the affected systems professionally which has inspired me to see if I can find any open instances on the web. I’m an avid Google dorker, but lately I have grown very tired of the “I am not a robot” checkbox. 🙂
Do you have any tips for new researchers when submitting vulnerabilities to Crowdsource?
Do not be afraid to try! At first I thought I had to implement the module myself, but when I finally submitted my first idea for a module I realized that it was very easy. The Detectify staff are very nice and helpful.
What would be the perfect submission to Crowdsource according to you?
A very common Remote Code Execution vulnerability.
Are you interested in joining Peter and other security researchers on Detectify Crowdsource? Drop us an email: hello [at] detectify.com and we’ll tell you more, or check out this blog post where we have explained what we look for in a Detectify Crowdsource hacker.