Top Ten Bug Bounty Payouts of 2018
Which companies were paying the most generous bounties via crowd security testing platforms in 2018?
Paying researchers a bounty for bugs found in code can be a cost-effective complement to a full-time in-house security team. Companies that choose this route can run a program privately or join one of several bug bounty platforms, with HackerOne being the best known.
Researchers and white hat hackers can earn substantial rewards, enough that some make bug hunting a full-time occupation. Companies win, researchers are rewarded, and the user population is more secure. Here we list ten notable bug bounty payouts from 2018.
10: Even More Facebook Data Exposure
When: April 2018
The payout: $8,000
The bug: Data exposure by third-party app.
In April, Facebook instituted a new data abuse bounty program. This is a positive step. “It is an exciting shift in the bug bounty industry,” commented High-Tech Bridge CEO Ilia Kolochenko at the time, “which till now has focused on security vulnerabilities. Facebook is the first major company that is asking for researchers to identify data privacy issues.”
The first payout came less than two weeks after the program started, when white hat hacker Inti De Ceukelaire examined the quizzes served by NameTests.com. He found that the personal data the quizzes gathered was served back to the logged-in user from a JavaScript file with no access control, so any external website the user subsequently visited could load that file and read the data.
The exposure persisted even if the Facebook user deleted the quiz app. NameTests.com quizzes have a monthly userbase of 120 million, and anyone who had used them could have been affected. The initial bounty was $4,000, but because De Ceukelaire asked for it to be donated to the Freedom of the Press Foundation, Facebook doubled it to $8,000.
9: Google Administrative Authentication Bypass
When: February 2018
The payout: $13,337
The bug: Broken authentication for YouTube TV’s admin panel.
While his bug bounty seems to have passed largely unremarked by security news outlets, Vishnu Prasad, a computer science student in Kerala, India, nonetheless found a significant vulnerability for Google. While searching for vulnerabilities on some internal Google IP addresses, Prasad discovered that, under certain circumstances, the mobile version of the Chrome browser would reach YouTube TV's administrative control panel without any login credentials. He reported this to Google's Vulnerability Reward Program, which paid him $13,337.
Prasad's own writeup on Medium is the only account of this vulnerability. He currently holds rank 54 in Google's bug-hunter hall of fame and made national news in India for bug hunting in 2017. The story may have been overshadowed by Google's largest ever bug bounty payout just weeks earlier, which appears later in this list (see Guang Gong, number 3).
8: Shopify Open to Takeovers
When: December 2017-February 2018
The payout: $15,250
The bug: Authentication vulnerability allowing attackers to take complete control of online stores.
Shopify is a Canada-based e-commerce platform offering a framework for online shops to process payments, shipping and customer management. On Christmas Eve in 2017, a security researcher going by the moniker Cache Money discovered a critical flaw in Shopify’s Partner Dashboard.
If an attacker had access to an email associated with an online store, it was possible to bypass Shopify's authentication process. This would give the attacker not only access to data processed by the storefront but potentially full control of the Shopify account for that website. The bug was fixed within 12 hours of being reported, but the disclosure and the payout, $15,000 plus a further $250 for verifying Shopify's fix, came in February 2018.
7: Free Games from Valve
When: November 2018
The payout: $20,000
The bug: An API exploit allowing generation of game activation keys.
Security researcher Artem Moskowsky stumbled across a potentially devastating bug in the infrastructure of Valve's online gaming platform, Steam. The bug was exploitable by anyone with access to Steam's developer portal, the interface game developers and publishers use to manage their products. By manually changing a parameter in the portal's API request, a developer could generate activation keys for any other game hosted on Steam, including titles they had no rights to.
Left unchecked, this error could have caused Valve severe financial damage. While testing the bug, Moskowsky supplied an arbitrary value for the parameter and received 36,000 keys for Portal 2, worth $360,000 at the time. Valve awarded a bounty of $20,000 for the report.
6: Google’s RCE Flaw
When: May 2018
The payout: $36,337
The bug: A remote code execution flaw in Google’s deployment environment.
Ezequiel Pereira, a computer engineering student from Uruguay, discovered a security flaw in the Google App Engine framework. The flaw exposed Google's internal APIs, providing a vector for remote code execution (RCE). Once the flaw was reported and fixed, Google awarded a bounty of $36,337 under its Vulnerability Reward Program.
Pereira is a frequent bug finder for Google. He used an earlier reward of $10,000 to fund his education, and his finds have earned him a high position in Google's bug-hunter hall of fame.
5: Facebook’s Largest Ever Bug Bounty
When: Undisclosed; part of bounty program launched in April.
The payout: $50,000
The bug: A privacy/monitoring vulnerability.
Facebook published a review of its bug bounty program for 2018. As well as payouts for over 700 reported issues, 2018 also saw Facebook's largest ever single bounty, $50,000. Exact details of the vulnerability have not been published, but the flaw would have allowed a malicious user to monitor the activity of legitimate accounts and bypass authorization checks.
Facebook has been keen to show a stronger commitment to data security this year, in the wake of the reputational damage from the Cambridge Analytica scandal. This payout is part of its new bug bounty program launched in April, which this year has seen payouts in excess of $1 million. Under this program, Facebook has indicated that reports deemed "high impact" could earn $40,000 or more.
4: New Variants of Spectre
When: July 2018
The payout: $100,000
The bug: New subvariants of the Spectre processor vulnerability.
Spectre is a class of security vulnerabilities in microprocessors that exploit speculative execution. It has several variants and subvariants, and it was disclosed alongside the related but distinct Meltdown vulnerability. Both Spectre and Meltdown allow malicious actors to read sensitive data as it is processed.
In July, security researchers Vladimir Kiriansky and Carl Waldspurger disclosed two new subvariants of Spectre Variant 1 (bounds check bypass). The first, Spectre 1.1 (bounds check bypass store), lets an attacker cause speculative stores past the end of a buffer, a speculative buffer overflow that can be used to steer speculative execution toward attacker-chosen code. The second, Spectre 1.2 (read-only protection bypass), lets speculative stores overwrite data that is supposed to be read-only, such as code pointers or sandbox metadata. Intel paid the researchers $100,000 for the discovery.
3: Two Google Pixel Bugs
When: August 2017-January 2018
The payout: $112,500
The bug: A pair of bugs creating a code injection vulnerability in Google’s Pixel smartphone.
What is possibly 2018's largest bug bounty payout to a single researcher went to Guang Gong of Qihoo 360 Technology in January. Two bugs, CVE-2017-5116 (a type confusion bug in Chrome's V8 JavaScript engine) and CVE-2017-14904 (a privilege escalation bug in Android's libgralloc), chained into a remote exploit affecting Google Pixel smartphones and other Android devices. A malicious link, if clicked, could use the chain to compromise the device and the user's personal data.
While Guang received his bounty in January 2018, the chain had been reported in August 2017. Google fixed both bugs before paying, but the second fix did not ship until the December 2017 Android security update, leaving a critical vulnerability known to Google but unpatched on devices for roughly four months. The payout of $112,500 was Google's largest ever bug bounty award at the time.
2: Hack the Marine Corps and Hack the Air Force
When: October-November 2018
The payout: $150,000 from the Marines; $130,000 from the Air Force
The bug: Hundreds of security vulnerabilities.
Although technically two separate events, the US Department of Defense's public hacking challenges ran close together with the same objective and the same format. Both are part of the DoD's Hack the Pentagon initiative. Beginning in October, Hack the Marine Corps turned up over 150 security flaws in Marine Corps systems; hackers from the general public, working through the HackerOne platform, took away a total of $150,000 in bounties.
Soon after, Hack the Air Force 3.0 saw similar success: roughly 30 hackers found 120 vulnerabilities in Air Force networks and took away $130,000 between them. That improved on the previous Hack the Air Force event, which had netted hackers just over $100,000.
1: Oath’s Days of Bounties
When: April and November 2018
The payout: Over $400,000 - twice
The bug: Hundreds of bugs across two hacking events.
Perhaps HackerOne’s biggest success story this year came at the H1-415 event in San Francisco. Oath Inc., a media company which owns brands like Yahoo!, AOL and Tumblr, invited 40 security researchers from HackerOne to a live hacking event. Over the course of the day, hundreds of bugs were discovered, netting a total bounty for the event of over $400,000.
This event heralded the start of Oath's new bug bounty scheme, which consolidated its brands into a unified program. By the end of the year, that program had paid out over $5 million for bugs and vulnerabilities. A second event, H1-212, held in New York City in November, repeated the success of H1-415: 159 vulnerabilities and over $400,000 paid out again, though this time over three days rather than one.
UPDATE: Thanks to Casey Ellis for bringing the $114,000 award by Samsung via Bugcrowd to our attention.