By| 2015-07-14 @ 09:26
Bug bounties have been a positive development for the security community over the last few years. Rather than the old debate of full disclosure versus "responsible" disclosure, in which both sides felt they were getting the raw end of the deal, companies now pay security researchers for their work, and researchers have a reasonable channel through which to report vulnerabilities and a set of rules to play nice by. (Historically, finding the security flaw was sometimes easier than finding the right email address to notify!)
While bug finding isn’t the type of business we’re normally in here at Vector 35, I was recently working with a friend who was poking at an interesting quirk in the United website, looking for vulnerabilities that qualified for their bug bounty program. After getting stumped trying to figure out that tricky bug, I started looking elsewhere on the site.
I stumbled across two potential problems that I wasn’t even sure qualified for the bug bounty. The flaws could potentially allow remote code execution, but they were in a portion of United’s websites that I wasn’t sure would count for the bounty and didn’t seem technically interesting. Still, it didn’t hurt to send them the info to make sure potential problems got fixed, so away went the report.
Here’s the full timeline for my interaction with United:
May 15: Email initial report to United
May 19: Automated response letting me know it was received.
June 24: Validation of the flaw, letting me know it would be submitted to developers
Jul 10: Notification that the fix is in production; asked whether I am a US citizen
Jul 10: Confirmed citizenship, W-9 sent
Jul 10: Miles added to account
My original tweet shows the screenshot of the miles being added.
First, I want to take a minute to thank United for their program. They’ve been getting some mild pressure in the community to open up the rules of their program and allow details of flaws to be disclosed once they’re patched. I do think that would be a good idea, but I’m happy they’ve made the first step that they have. Not many non-tech companies have a bug bounty program at all, so hopefully this will be a good experience and they’ll consider gaining even more trust from the community by allowing discussion of fixed bugs.
Secondly, I hope other companies follow their lead, but be warned: starting up a bug bounty program without being prepared for the deluge of reports (unfortunately, many of which are spurious) is a fairly common problem for bug bounty programs. Thankfully, there are a number of services (HackerOne, BugCrowd, [Cobalt.io](http://cobalt.io)) that can help you manage such a program.