Everybody at HackerOne has the purpose of creating positive that hackers and enterprises are partnering along with excellence. The function of the Chief Hacking Officer at HackerOne is to help with this purpose, function a degree of escalation, and ensure we study from uncommon edge circumstances. And we actually have seen some attention-grabbing circumstances! We’ll have a look at six actual conditions that arose and the way we dealt with them to get the most effective consequence for each the hacker and buyer.
An essential a part of this work is making certain that packages throughout the HackerOne platform function constantly, giving each hackers and clients predictability and equity, based mostly on clear ideas and guidelines. To help this, now we have revealed our Best Practices For Programs. On this put up, we’ll recap what finest practices are after which have a look at six distinctive conditions that helped us to refine our documentation.
HackerOne paperwork our greatest practices and opinions and updates them recurrently, based mostly on hacker and buyer suggestions, in addition to drawing on the expertise of main bug bounty packages throughout the {industry}. These finest practices embrace practices that we count on all packages to stick to. There are additionally another practices that aren’t common, however the most effective packages are likely to comply with them. The first purpose of getting revealed finest practices is to make sure glorious outcomes for hackers and clients alike. Deal with hackers pretty and precisely, and also you’ll get extra engagement, remediate extra vulnerabilities, decrease your threat of breach, and attain a greater safety fame. Greatest practices give our Mediation team the instruments to resolve frequent conditions shortly. When a program deviates from a baseline expectation, the mediation turns into an academic be aware to this system. Or, when a program faces a finest observe that isn’t obligatory, however strongly advisable, HackerOne can advocate for a choice that we all know results in a win-win outcome.
HackerOne runs the most important vulnerability disclosure and bug bounty platform within the cybersecurity {industry}. We function at appreciable scale, having handled hundreds of thousands of studies and tons of of hundreds of impactful vulnerabilities. Given this, new edge circumstances are inevitable, however we prepare our Buyer Success, Neighborhood, Mediation, and the workplace of the Chief Hacking Officer to be able to deal with them. Because the Chief Hacking Officer, I get private satisfaction from helping in resolving particular person circumstances – in spite of everything, this typically means a hardworking hacker is being precisely rewarded for his or her efforts. Nevertheless, an important a part of the job is to ensure we study from the patterns within the particular person circumstances. The one solution to scale enhancements is to make modifications to insurance policies, processes, and documentation which are usable throughout all packages.
Hackers and clients alike could also be keen on some particular circumstances that the Workplace of the Chief Hacking Officer has dominated on over the previous yr. Most of those circumstances signify nice outcomes – which might be why you gained’t have heard of those. In any case, it’s extra frequent for individuals to write down about experiences after they’re sad. So we need to carry these optimistic examples to the sunshine of day.
Case 1: Not Having Absolutely Inclusive Bounty Tables Means A Important Vulnerability Might Go Unreported
A hacker reported a vulnerability in a site that was not a part of a bounty desk – corresponding to docs.buyer.com. The vulnerability, nevertheless, was clearly leaking inner database credentials for the core product. The client was uncertain whether or not to reward or not as a result of the area exhibiting the issue was not in a bounty desk.
Decision:
HackerOne Buyer Success labored with the shopper to elucidate that, whereas bounty tables are a helpful place to begin, they generally should not adequate for nuanced conditions. HackerOne advocates for the {industry} finest observe of “pay for value” with regards to figuring out rewards. This idea instantly resonated with the shopper, who realized that for the reason that vulnerability had an affect regarding the core product, they need to reward based mostly on the affect, and that the preliminary area was a purple herring. The client promptly rewarded in accordance with their principal www.buyer.com bounty desk, to the satisfaction of all concerned.
Observe:
Typically you’ll hear the phrase “out of scope” to explain domains that aren’t a part of a bounty desk. Clients must be extraordinarily cautious of declaring something out of scope. It’s typically a harmful thought. Bear in mind, the whole lot is in scope to a cybercriminal. To decrease your possibilities of a breach, we have to let the moral hackers go toe to toe with the criminals, and report something that has a safety affect.
Case 2: Failure To Reward For Third-Social gathering Points Could Expose You To A Breach
A hacker reported a critical vulnerability the place a retail big was in danger attributable to a important vulnerability in a third-party database part. The third occasion had launched a bulletin and patch a few days beforehand. In a contented flip of occasions, the shopper reached out for HackerOne skilled recommendation earlier than making a dedication. That is the most effective sort of mediation: one that’s solved earlier than it exists due to optimistic, proactive habits!
Decision:
HackerOne Buyer Success once more launched the “pay for value” mindset. When analyzing the worth inherent within the report, the shopper realized that their customary monitoring course of for making use of third occasion patches would take weeks. On condition that the vulnerability was the type of important concern that would result in a breach, the shopper patched inside a day (as a substitute of weeks), which was an consequence solely made doable by the hacker’s report. The report was rewarded $3,000.
Observe:
There’s a variety of variance in how completely different clients deal with studies for third occasion parts. Clients working a top-tier safety program and adhering to {industry} finest practices will at all times reward in circumstances the place a report causes them to take any motion, or speed up any motion.
Case 3: HackerOne Mis-characterized a Sure Sort of Denial-of-Service Report
A member of HackerOne’s Neighborhood staff escalated a case for Chief Hacking Officer consideration. A hacker had reported a Denial-of-Service class vulnerability and obtained a warning for “unsafe testing.”
Decision:
The HackerOne groups (Neighborhood, Triage, Chief Hacking Officer) collaborated to grasp the complete technicalities of the report. We discovered that it’s doable to soundly take a look at the particular vulnerability kind (a sort of cache poisoning), and the hacker had certainly examined safely. We carried out a collection of reparations, together with the removing of the “unsafe testing” be aware, and the correction of the bug’s standing to right the hacker’s fame. We assessed the report in opposition to the shopper’s configured bounty desk on the time of the report. We awarded $1,500 from HackerOne’s Make It Right fund. I additionally personally reached out to the hacker to apologize. Studying from errors is essential, so we improved our triage documentation and runbooks to ensure this vulnerability kind isn’t miscategorized sooner or later.
Case 4: Make the most of Trade Requirements To Make Ultimate Selections On Severity
A hacker raised a number of mediation requests regarding a program that was aggressively downgrading the severity and bounty quantities on a number of studies.
Decision:
Upon investigation, we did discover a sample of the shopper deviating from {industry} requirements round severity assignments. When this occurs, our first port of name is to have interaction with clients to grasp the state of affairs and interact in schooling as applicable. Training takes time, but when we will impact change in buyer habits, it’s higher for everybody. Future hackers shall be rewarded appropriately, and the shopper will achieve the advantages of stronger hacker engagement, subsequently decreasing their possibilities of experiencing a breach and avoiding getting a fame for doubtful safety. After an prolonged interval of engagement and schooling, the shopper corrected the studies and the hacker was rewarded within the order of $10,000 additional in bounties.
Case 5: Transparency and Integrity Builds Belief With Hackers
A hacker raised a basic mediation for a sequence of studies getting downgraded, and / or closed with shocking statuses. Upon investigation, a part of the problem was that the shopper was shocked {that a} low-priority asset was actually mapped as a subdomain of their principal scope and bounty desk.
Decision:
The client instantly modified their principal scope to exclude the subdomain. Nevertheless, it’s essential to notice that such modifications can’t be made retroactively. To shield the platform’s integrity, clients should honor any commitments made of their bounty tables. Everybody agreed that apart from being required, it’s also frequent decency. Nevertheless, disagreements nonetheless arose relating to the severity and duplicate standing of among the studies. Usually, such disagreements can be resolved with considerable transparency and detailed technical reasoning. Sadly, the discussions have been inconclusive. With a view to keep away from the hacker being out of pocket, HackerOne awarded over $15,000 from our Make It Proper fund. Whereas it could be simple to get enthusiastic about such a decision, we at all times see the usage of Make It Proper as a failure situation for all concerned. We at all times advocate that clients reward generously and magnanimously, as this results in higher buyer outcomes, extra engagement, extra safety, a greater fame, and happier hackers.
Case 6: Settle for Trade Requirements, corresponding to Coordinated Vulnerability Disclosure
In just a few situations, hackers have reported vulnerabilities to public packages the place the preliminary vulnerability submission is accompanied by an industry-standard coordinated vulnerability disclosure (CVD) requirement. Questions have arisen as as to whether it is a Code of Conduction violation.
Decision:
Reporting vulnerabilities the place the preliminary vulnerability submission is accompanied by an industry-standard coordinated vulnerability disclosure (CVD) requirement isn’t a Code of Conduct violation on a public program. Exercising industry-standard CVD on a public program is affordable. Within the occasion that this {industry} customary runs counter to a buyer coverage, it’s also cheap for a buyer to say no to reward a bounty, however unreasonable to have interaction in makes an attempt at recourse with an excellent religion hacker. That stated – we encourage clients to focus rewards solely on the affect of the data within the report. One in every of HackerOne’s tasks is to make sure that our platform avoids absurd outcomes. In a single occasion, a hacker noticed a buyer coverage that contained overly onerous and aggressive language. Accordingly, the hacker emailed the shopper as a substitute, to keep away from being tangled in any coverage or phrases and circumstances. Nevertheless, the safety e-mail handle was not correctly monitored, resulting in a languishing report, and thereby growing the shopper’s threat of compromise. We purpose to cut back prolonged delays by writing good insurance policies and supporting studies that decline customized insurance policies in favor of well-established {industry} requirements corresponding to Coordinated Vulnerability Disclosure.
In closing
So what can hackers and clients count on subsequent? We are going to proceed to study from each uncommon mediation case and fold what we study into insurance policies and externally dealing with documentation corresponding to our Best Practices page. For hackers, please proceed to impart your belief in our mediation course of and staff as we’ll give each state of affairs an unbiased and detailed evaluation, with our major purpose to at all times be a mutually useful consequence. Persevering with to make use of this course of will assist us to proceed to trace themes and develop our learnings.
As lined above, we break up finest practices into both baseline necessities, or robust suggestions to exhibit top-tier maturity. Hackers do desire mature packages, so we’re engaged on methods for packages to robustly sign to hackers (and clients, regulators, and insurance coverage suppliers!) that they decide to mature practices. For instance, see our Program Levels initiative.
Total, HackerOne’s tradition for working our platform is one in all steady enchancment. We’re grateful for all the suggestions we obtain from clients and hackers. Due to everybody who has collectively helped enhance our processes as we drive in the direction of a safer web. We’ve loved documenting among the issues we’ve discovered, and the way we’re making use of that information to scaleable enhancements going ahead.
Chris Evans
Chief Hacking Officer and CISO, HackerOne
Author: Chris Evans
Date: 2023-04-24 15:09:35
