Are you a veteran hacker, someone who loves code review, or looking to get your first CVE? Then, I have something to share with you. Let’s talk about the Internet Bug Bounty (IBB).
Wide Open Source
As hackers, it pays to think outside of the box. You don’t just look at what’s in front of you- instead, you observe the entire perimeter to find anomalous ways in. For example, a target might have a layered defense, but something downstream could impact your finds.
It is no surprise that companies utilize open source projects in their applications. Open source projects allow you to grab and repurpose tools that can help scale quickly. In fact, in a survey done by the Open Source Initiative and OpenLogic, it was stated, “Out of 2,660 respondents to our recent global survey, 77% increased the use of open source software in their organizations over the last 12 months, and 36.5% indicated that they increased the use significantly.”
Also, open source has some of the most dedicated communities when it comes to development. Projects are worked on with a passion for expanding versatility and keeping up with the companies implementing them.
What does all of this mean together? Constant development and utilization open up an opportunity for our community to participate in securing some of the most notable projects. Some examples:
-Curl
-Electron
-Django
-Openssl
All of which are used by major establishments to run their companies. You’re securing the internet from the source, literally.
How is this applicable to you as a bug hunter?
Internet Bug Bounty is a way to get paid while challenging you to get your first CVE or security bulletin. Not only that, but it is a way for you to level up your code review skills by reviewing predominantly source code assets. Here are some examples of critical reports found in May: Unauthorized gem takeover & Unauthorized takeover of some platform-specific gems.
Speaking of payment, it is an 80/20 split model that assures the finder (80%) and the OSS project (20%) are both rewarded. Rewarding the hacker who participated in securing critical infrastructure and aiding those tirelessly maintaining these projects.
So far, this program has paid out 845,660$ since it started. In the last 90 days, it has paid out 64,040$ (both of these are at the time of writing this). This money is going into the pockets of hackers and funding projects that run the internet.
The Goal
The IBB’s mission involves continuously expanding the scope to cover all open source projects. We are prioritizing projects with widespread adoption and responsive security maintainers. If there’s a project you’d like to see in scope, please let us know, and we will prioritize their inclusion.
To submit a nomination, email us the project information at ibb@hackerone.com and include any details that may help us understand why this project should be enrolled. Some examples of details to include are:
- Recently (or soon to be) published CVE for security research into the project
- Positive past experience with a responsive security maintainer
- Plans to continue security research into this project
Along with the above details, if you have any direct contacts, you would like us to reach out to, feel free to include that information. If not, we will do our best to reach out to the right security contact for the project.