bug bounty hunter's manifesto v1.0


Posted on 19-Oct-2014


DESCRIPTION

An aggregated code of ethics for bug bounty hunters, the people who do organizations a lot of good by finding their security vulnerabilities.

TRANSCRIPT


The Bug Bounty Hunter’s Manifesto

Hacking skills for bug bounty hunting will only be used in bona fide bounty programs that are announced and run by the organizations themselves.

The objective is to search for organizations that announce and provide a professional and transparent ecosystem for carrying out security testing, reporting and payments, while indemnifying the tester from any legal or other action(s).

Permission will be obtained from the organization that has announced the program. If there is no requirement to seek permission, the intent to test may be communicated.

At the very least, a record of start date, end date and access times will be maintained and may be shared with the organization if needed.

One's skills will not be used in any unauthorized tests or searches for security bugs / vulnerabilities / weaknesses.

A vulnerability will be exploited ONLY for the purpose of getting a screenshot of the extent of penetration into the organization's infrastructure.

Any and all testing will be non-destructive:

- This means that once the vulnerability has been exploited, nothing will be changed on the internal systems which have been accessed.

- This includes data at rest in databases or in motion, as in transactions or as it is being created. The proof-of-concept "may" show evidence of change, but the change will not be committed.

- Nor will any payload, such as an executable program or infected documents, be delivered directly or through any other means.

- Nor will changes be made in the source code of programs running on the organization's infrastructure or in documents stored on the systems to which access has been obtained.

- If a link leads to a third party, it will not be tested and will be considered the boundary at which any exploit or penetration will be stopped.

No data or documents will be copied from any of the vulnerable systems to which access has been obtained during the course of searching for bugs and vulnerabilities.

The 'hunt' will not be restricted to technical issues, as we are aware that we may also discover logic issues which (usually) lead to risks of infrastructure compromise.

If a website is available, the bug hunting methodology and approach will be published on it, and this will be communicated to the company organizing the bounty program.

Third party websites or infrastructure will not be tested, even if included in the scope, in the absence of explicit permission from the party concerned.

No testing will be done for "information" or "knowledge enhancement" purposes, as this is a professional activity and one expects to earn from the same.

Payments as per the payout norms of the organizing company will be accepted without dispute.

Any bug / vulnerability / issue that is reported under a bug bounty program will be released in public only after it has been repaired by the affected organization. This will be done if the organization has no objection to the public disclosure.

Once a bounty program has been closed, the systems will not be revisited for personal gain or any other reason.

Any and all knowledge and discoveries made during the course of the bounty hunt will be considered confidential between the hacker and organization and will not be disclosed to any other person or entity.

In the event of the discovery of any unlawful activities or information, the same will be disclosed to the appropriate law enforcement authority.

No backdoors or trojans will be injected into the host system that is being tested to provide any means of re-entry or exploitation once the bounty program is completed.

A Little Bit for the Organizations too:

If you are a company intending to run a bug bounty program, there are a few rules you must include in your plan / program for the same. Some of these guidelines are provided below; if followed, they will help make your program hacker friendly and provide you with all the benefits that are expected to result from a bug bounty program.

- Provide contact information for the responsible person (email and phone number at the very least). This person must also be responsive and able to provide required information quickly to the participants.

- Provide clear instructions about the program, with start and end dates, the specification of the overall surface that is opened for testing (IP addresses, domain names), and the type of tests and reports that are invited.

- Enumerate any exclusions, especially domains, IPs and applications that you do not want to be tested.

- A publicly available general indemnity must be provided online, carrying the signature of the legal officer, stating that the hackers have been invited to "test" the identified system(s) and that any and all responsibilities lie with the organization.

- In respect of payment, transparent information must be available on the amount, the periodicity of release of funds, how payment will be released, and tax deductions and liabilities.

- Let the world know whether you are paying in cash, in kind, or with 'mentions' and a listing in your hall of fame.

- Clarify responsibility for minors who participate in the program and make payment claims against reported bugs and vulnerabilities.

- Declare the amount of time required to repair the bugs / vulnerabilities that are reported, and communicate the repair to the hacker who reported it.

- State whether it is okay with you to allow the hacker to publish the issue in public after it has been closed.

This document is a creation of securians.com and is released in the public domain under Creative Commons License (Attribution-Noncommercial 2.5 India) http://creativecommons.org/licenses/by-nc-sa/2.5/in/.

Disclaimer: The practices listed in the document are provided as is and as guidance, and the authors do not claim that these comprise the only practices to be followed. Readers are urged to make informed decisions in their usage. Feedback is solicited, and you can access other topics at our website www.indiawatch.in.

Contributors: Dinesh O Bareja

Title: Keep Your Laptop Safe Version: 1.0 / August 2013