The History of Bug Bounty Programs
www.crowdcurity.com

Upload: crowdcurity

Post on 06-May-2015

Category: Technology

DESCRIPTION

A presentation going through the exciting timeline of bug bounty programs.

TRANSCRIPT

Page 1: The History of Bug Bounty Programs

Intro and timeline

Bug bounty programs are becoming an increasingly popular method of finding security bugs on the internet. Google, Facebook and PayPal are just some of the companies that now run such programs. But when and how did the idea for this cost-effective, crowdsourced security testing model arise? In this presentation, we look a little deeper into the interesting history of bug bounty programs.


On October 10th, 1995, Netscape launched the very first bug bounty program, which offered cash rewards to those who were able to find security bugs in the Netscape Navigator 2.0 Beta. Matt Horner, Netscape's Vice President of Marketing, explained at the time: "By rewarding users for quickly identifying and reporting bugs back to us, this program will encourage an extensive, open review of Netscape Navigator 2.0 and will help us to continue to create products of the highest quality." Netscape's first-mover mentality was impressive, but the idea did not catch on with other software vendors. The company's bug bounty program continued until the final release of Netscape Navigator 2.0, when the winners were announced.


As Netscape's bug bounty methodology did not catch on with other vendors, the security company iDefense, later bought by VeriSign, began an initiative of its own in 2002. Its Vulnerability Contributor Program offered researchers cash rewards of up to $400 for reporting software vulnerabilities to iDefense, which would then act as a middleman between the researcher and the affected software vendor.


In the summer of 2004, nine years after the Netscape bug bounty, the Mozilla Foundation launched a bug bounty program offering rewards of $500 to researchers able to identify critical vulnerabilities in Firefox. The program was sponsored by entrepreneur (and space tourist) Mark Shuttleworth and the Linux distributor Linspire. The Mozilla bug bounty program is still going strong today, expanded to cover most of Mozilla's products.


In 2005, iDefense competitor TippingPoint launched another "middleman" program, called the Zero Day Initiative (ZDI). Just like iDefense, TippingPoint connected the security community with vendors by offering cash rewards for vulnerability reports. The ZDI is still running, now under Hewlett-Packard, which acquired TippingPoint's parent company 3Com in 2010. David Endler, who has worked for both iDefense and TippingPoint and was a prime mover behind both of their programs, has written a nice blog post, "Remembering five years of vulnerability markets," describing the period from 2002 to the launch of ZDI.


Three weeks before the 2007 CanSecWest conference, Dragos Ruiu announced the PWN2OWN contest, a hunt for security bugs in Mac OS X. This was Ruiu's way of showing frustration with the way Apple handled security and disclosure. The contest was held within a limited time frame, with the prize initially announced as a laptop but later upgraded to a $10,000 reward provided by ZDI. PWN2OWN was a great success and has become a recurring event at CanSecWest. In 2014, $850,000 was paid out in rewards to skilled researchers.


In 2010, the Vulnerability Reward Program for Google web properties really kickstarted the trend towards bug bounty programs for web applications. Earlier the same year, Google had launched a similar program for the open-source Chromium project, with good success. Google's reward program, which openly invited researchers worldwide to test its sites on a continuous basis, was similar to the one Mozilla launched in 2004. In general, a lot happened on the bug bounty scene in 2010: Mozilla expanded its program to web applications, Barracuda Networks launched a bug bounty, and Deutsche Post, the German federal postal service, launched a bug bounty on its secure messaging service.


Facebook followed in the footsteps of Google and launched its Whitehat program in 2011. Facebook announced it would pay minimum rewards of $500, with no upper limit. The Facebook Whitehat program is still running today, and more than $2M has been paid out in rewards, including $1.5M in 2013 alone.


Online businesses of all sizes today run ongoing bug bounty programs on their web applications. Even Microsoft now runs a bug bounty paying up to $100,000 for novel techniques that bypass its exploit mitigations. Reward sizes have increased with the popularity and legitimacy of these programs: Google's rewards, for instance, are five times greater today than in 2010. But the story of bug bounties is still in its early chapters. In 2013, Microsoft and Facebook joined forces to sponsor the Internet Bug Bounty, a program dedicated to finding vulnerabilities in widely used frameworks such as Ruby on Rails or Django. Another growing trend is the popularity of bug bounty marketplaces such as our own (CrowdCurity). These marketplaces offer online businesses the opportunity to easily start and manage their own bug bounty program and leverage the power of the security community.
