Hello E Hackers, today E Hacking News interviewed One of the Best Bug Bounty hunters, Vignesh Kumar, who got listed on all Hall of Fame pages that includes Google, Twitter and rewarded by lot of companies for his findings.
1. Introduce yourself
Hi, I am Vignesh Kumar from TamilNadu, INDIA. I hold a Bachelor of Engineering in Electrical Engineering and in addition an Information Security Enthusiast, budding Bug Bounty Hunter.
2. You are an Electrical Engineer, How did you get interest in Information security field?
Yes, I am. But I am more obsessed with Electronics and Networking. Also I have a huge passion for Information security too. I was introduced and inspired into "Bug Bounty Hunting" by one of my close friend Ahamed Nafeez(@skeptic_fx).
3. When did you start Bug hunting?
Around 5 months ago. But started in full swing from the last 3 months.
4. I have seen your name in lots of Hall of Fame, I am really proud to have you as my friend. How did your Parents/Friends react when you got rewards?
Thank you so much for your compliments. At the outset, I would like to thank my Family and all my Friends for all their support and encouragement. Well, when i received my first Bug Bounty (Cash reward), I told my friends about it and they looked at me like I was a Cyber Criminal. After I explained about “Bug Bounty Program” to them with “Proof of Concept”, I could see smiley faces. . No wonder!! Even many IT Geeks aren’t aware of the term “Bug Bounty”. Awareness is necessary.
5. What vulnerabilities have you discovered so far in your career as a Bug Hunter?
The vulnerabilities categorized by The OWASP Foundation.
6. What is your first finding, how did you feel at that time?
I can barely remember the exact first one. But whatever it was, it really had driven me to dig more deeply into it.
7. What is the favorite vulnerability found by you?
Each and every one of the vulnerabilities I found in Top Ranked Sites which includes Facebook, Twitter, is my favorite. As you know, finding bugs in Top Internet Giant sites like Google, Facebook, Twitter would be really hard in upcoming days since thousands of researchers are into it. I would like to rephrase a nice quote said by some researchers. “Not only Ninja Skills, but also you must have an Eagle Eye to hunt for Bugs”. Well said.
8. You're hunting bugs for fun, for profit?
Actually, bit of both. Beyond those you could gain more knowledge from around and develop your own skill set which is primary. Also I am glad that I have earned good friends around the world from this Bug Bounty program.
9. What are your future plans? Electrical Engineer or Information Security Researcher?
Obviously, Electrical/Network Engineer it is. And I believe I have the potential to handle multitasks. So I would continue my InfoSec Research too, either as an Independent or as a Team.
10. What is your advice for new bug hunters?
Well, that question is for Experts which I am not. I am a Beginner too. But from my experience, I may have few things. “Bug Bounty Hunting” is totally competitive. You shouldn’t jump into this one just by aiming on money. Have thirst of gaining knowledge which will fetch you HOFs, money and all. Don’t feel depressed when you fail for the first few times. Learn to the core and keep hunting which will definitely fetch you the rewards. Follow the InfoSec experts in Twitter /Facebook and try learning new hunting methodologies from their personal blog. Moreover, patience is highly recommended if you are a beginner. Once you jump in, you will get used to it.
11. What do you think about E Hacking News?
E Hacking News (EHN) is doing a great job and it is one of the Best IT Security/Hacking News Portal I have ever come across. I must appreciate your efforts in bringing up the real news on IT Security from around the world to all the Readers. Also must mention BreakTheSecurity.com which is with a hand full of Tutorials on Penetration Testing & Ethical Hacking for Beginners. Kudos to your efforts!! I would suggest continuing the publication of monthly Security Magazine from EHackerNews.
12. Is there anything else you want to add?
Nothing else I have. I wish all Bug Hunters very Good Luck for their hunting and have a bright future. Thank you, Mr.Sabari Selvan for this opportunity to share my experience with all. Thanks everyone!!
It seems like Paypal is running out of Money in its Bug Bounty budget. Bug Hunters started to report that the Paypal stopped to give Bounties.
Recently, a security Researcher Mahadev Subedi discovered two xss vulnerabilities in one of the Paypal domain(paypal-marketing.com.hk) and sent notification to PayPal.
But Paypal responded "we have determined that these bugs are not eligible for payment based on the fact the website is in the process of being decommissioned and will be shut down in the near future."
Mahadev discovered Post-based Cross site scripting in the Two pages of Paypal-Marketing domain : 1. paypal-marketing.com.hk/merchant-enquiries/index.php, 2.paypal-marketing.com.hk/merchant-enquiries/index-zh.php. POCs for these vulnerabilities can be found here.
Researchers say that Paypal is stopped to give bug bounty because they have paid a lot to low priority bugs.
*Update*:
Bug Hunter Harsha Vardhan Boppana asked PayPal about this issue and they responded with this mail:
Sites to be decommissioned in coming months:
Recently, a security Researcher Mahadev Subedi discovered two xss vulnerabilities in one of the Paypal domain(paypal-marketing.com.hk) and sent notification to PayPal.
But Paypal responded "we have determined that these bugs are not eligible for payment based on the fact the website is in the process of being decommissioned and will be shut down in the near future."
 |
| XSS vulnerability in Paypal-marketing |
Researchers say that Paypal is stopped to give bug bounty because they have paid a lot to low priority bugs.
*Update*:
Bug Hunter Harsha Vardhan Boppana asked PayPal about this issue and they responded with this mail:
Our second party hosted sites (www.paypal-*.com) are mainly marketing based sites that are not part of the core Paypal domains (*paypal.com) and are managed by hosting vendor companies. They do not retain as long a life cycle as the core domains and can have a more volatile timeline as many are tied to projects and regional initiatives. For your own reference, I have provided you a list of sites currently in process of being decommissioned and therefore not eligible for Bug Bounty processing.
Sites to be decommissioned in coming months:
- paypal-deutschland.de
- paypal-danmark.dk
- paypal-promo.es
- paypal-europe.com
- paypal-france.fr
- paypal-nederland.nl
- paypal-norge.no
- paypal-marketing.pl
- paypal-sverige.se
- paypal-turkiye.com
- paypal-business.co.uk
- paypal-marketing.co.uk
- paypal-shopping.co.uk
- paypal-australia.com.au
- paypal-biz.com
- paypal-business.com.hk
- paypal-marketing.com.hk
- paypal-offers.com.hk
- paypal-shopasia.com
- paypal-japan.com
- paypal-apac.com
- paypal-plaza.com
- thepaypalblog.com
- www.paypal-brasil.com.br
- paypal-marketing.ca
An Indian Security Researcher Prakhar Prasad has discovered a Blind SQL Injection vulnerability in Paypal Notifications website(paypal-notify.com) that allowed researcher to access database of Paypal notification system.
" As a part of Paypal Bug Bounty Program, I did a responsible disclosure of the bug to Paypal Security Team " The researcher said in his blog.
 |
| SQLMap displays the Database name after injection |
The PayPal security team patched the vulnerability immediately, just the next day after the Prasad's vulnerability report due to its high severity.
The Paypal security team patched the vulnerability and rewarded the researcher with $3000 for the SQLi and additional $350 for other less critical bugs on 21st January.
It seems like the security company Avast is attracted by the Bug Bounty Programs. Today, Avast officially announced the Bug Bounty program.
Bug Bounty program is the place where Security researchers love to find vulnerabilities in target website or Software and get rewarded for their findings.
"As a security company, we very much realize that security bugs in software are reality." The official blog post reads ." But we also realize that companies that are able to use their user communities to find and fix bugs are generally more successful [than] those that don’t. "
Avast claims that their firm is the first Security vendor with a reward program.
The company is only interested in the following types of bugs :Remote code execution, Local privilege escalation , Denial-of-service (DoS), Escapes from the avast! Sandbox(via bugs in code), Other bugs with serious security implications.
The base payment is $200 per bug. Depending on the criticality of the bug , the bounty will go much higher. Remote code execution bugs will pay at least $3,000 – $5,000 or more.
A Cross Site Request Forgery(CSRF) vulnerability in Facebook allowed hackers to record video of target users and post in the victim's wall. The vulnerability was discovered by security researchers Aditya Gupta and Subho Halder, from XYSEC Team .
A malicious hacker could record trick a user to silently record his webcam video and publish it to his facebook wall, without the user even knowing about it.
In a youtube video, researcher demonstrate how an attacker could exploit this vulnerability in a Youtube video.
Four months after researcher notified facebook about the security flaw, facebook finally emailed them that their finding is eligible to receive a bug bounty of $2500, that will come as a Facebook WhiteHat Debit Card.
PoC:
"The Best way to improve Network security is hiring hackers" Unfortunately, companies can't hire all best hackers. So the companies has chosen another best way to improve their system security, "Bug Bounty Programs".
Bug Bounty program is the place where Security researchers and Ethical hackers love to find vulnerabilities in target website or app and get rewarded for their findings.
Here is the list of Bug bounty programs that offers reward for security researchers who find vulnerabilities.
Google:
If you find vulnerability in google , you will get reward as well as your name will be listed in the Google Hall of fame page.
Details about Vulnerability Reward Program: http://www.google.com/about/appsecurity/reward-program/
Hall of fame: http://www.google.com/about/appsecurity/hall-of-fame/
The following table outlines the usual rewards for the anticipated classes of bugs:
| Vulnerability type | accounts.google.com | Other highly sensitive services [1] | Normal Google applications | Non-integrated acquisitions and other lower priority sites [2] |
|---|---|---|---|---|
| Remote code execution | $20,000 | $20,000 | $20,000 | $5,000 |
| SQL injection or equivalent | $10,000 | $10,000 | $10,000 | $5,000 |
| Significant authentication bypass or information leak | $10,000 | $5,000 | $1,337 | $500 |
| Typical XSS | $3,133.7 | $1,337 | $500 | $100 |
| XSRF, XSSI and other common web flaws | $500 - $3,133.7 (depending on impact) | $500 - $1,337 (depending on impact) | $500 | $100 |
Security Bug Bounty from facebook:
Minimum reward is $500 USD.
The reward will be increased for severe or creative bugs
Only 1 bounty per security bug will be awarded
https://www.facebook.com/whitehat/bounty
Mozilla Bug Bounty program:
The Mozilla Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet clients in existence.
The bounty for valid web applications or services related security bugs, the are giving a range starting at $500 (US) for high severity and, in some cases, may pay up to $3000 (US) for extraordinary or critical vulnerabilities. they will also include a Mozilla T-shirt.
http://www.mozilla.org/security/bug-bounty.html
Paypal Bug Bounty Program For Professional Researchers
https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
Secunia Vulnerability Coordination Reward Program (SVCRP)
SVCRP – a reward program incentive offered by Secunia to researchers who have discovered a vulnerability and would like a third party to confirm their findings and handle the coordination process with the vendor on their behalf: http://secunia.com/community/research/svcrp/
Etsy :
Will pay a minimum of $500 for qualifying vulnerabilities, subject to a few conditions and with qualification determined by the Etsy Security Team.
http://codeascraft.etsy.com/2012/09/11/announcing-the-etsy-security-bug-bounty-program/
Barracuda Networks
www.barracudalabs.com/bugbounty
Companies that mentions researcher name in the site but won't give bounties.
Adobe Systems Incorporated:
Details :http://www.adobe.com/support/security/alertus.html
Security Acknowledgments : http://www.adobe.com/support/security/bulletins/securityacknowledgments.html
Twitter:
https://twitter.com/about/security
EBay:
http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html
Microsoft
http://technet.microsoft.com/en-us/security/ff852094.aspx
http://technet.microsoft.com/en-us/security/cc308589
http://technet.microsoft.com/en-us/security/cc308575
http://technet.microsoft.com/en-us/security/cc261624
http://www.microsoft.com/security/msrc/default.aspx
Apple
http://support.apple.com/kb/HT1318
https://ssl.apple.com/support/security/
Dropbox
https://www.dropbox.com/security
https://www.dropbox.com/special_thanks
http://code.reddit.com/wiki/help/whitehat
Github
https://help.github.com/articles/responsible-disclosure-of-security-vulnerabilities
Ifixit
http://www.ifixit.com/Info/responsible_disclosure
37 Signals
http://37signals.com/security-response
Twilio
http://www.twilio.com/blog/2012/03/reporting-security-vulnerabilities.html
Constant Contact
http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp
Engine Yard
http://www.engineyard.com/legal/responsible-disclosure-policy
Lastpass
https://lastpass.com/support_security.php
RedHat
https://access.redhat.com/knowledge/articles/66234
Acquia
https://www.acquia.com/how-report-security-issue
Zynga
http://company.zynga.com/security/whitehats
Owncloud
http://owncloud.org/security/policy
http://owncloud.org/security/hall-of-fame
Tuenti
http://corporate.tuenti.com/en/dev/hall-of-fame
soundcloud:
http://help.soundcloud.com/customer/portal/articles/439715-responsible-disclosure
Nokia Siemens Networks
http://www.nokiasiemensnetworks.com/about-us/responsible-disclosure
Yandex Bug Bounty:
http://company.yandex.com/security/hall-of-fame.xml
