Expert Opinion: Bug Bounties

Distinguish between white, gray and black hat hackers

A hacker is commonly defined as someone who breaks into computer systems with malicious intent. But is that always the case, or do some hackers differ from others? Is there perhaps even something like a hacker code? There are big differences, especially in how they handle disclosure, that is, how and when they make vulnerabilities public.

Vulnerability Disclosure

Once a vulnerability has been found, its discoverer has several options, and disclosure can take a variety of forms. Ethical hackers in particular choose coordinated disclosure, where the goal is responsible disclosure: the vendor learns of the vulnerability first and gets time to fix it before the public does.

The discoverer informs the vendor of the finding and initially releases little or no information to the public. Usually only the existence and, at most, the class of the vulnerability in a product is mentioned; technical details and a proof of concept are held back until a patch is available. Ethical hackers consistently use this form of disclosure.

Besides coordinated disclosure there is also non-disclosure, in which the vulnerability is not published at all. Intelligence agencies, for example, work this way. An example is the vulnerability "EternalBlue" (CVE-2017-0144, a flaw in Microsoft's SMBv1 implementation), which the NSA used for years without the public knowing of it. Microsoft patched it in March 2017 (MS17-010), and shortly afterwards the exploit was leaked, with full details and working code, by a hacker group (the Shadow Brokers) that had obtained NSA tooling, in effect an involuntary full disclosure. The vulnerability became famous weeks later when the WannaCry ransomware used it to spread to systems that had not installed the patch.

Applying for a CVE number

Whatever form of public disclosure the discoverer chooses, an essential step is to request a CVE ID for the vulnerability from a CVE Numbering Authority (CNA) such as MITRE or the vendor itself, so that everyone refers to the same issue. Severity is scored with CVSS, currently version 3.x, which above all rates exploitability (attack vector, attack complexity, privileges required, user interaction) and impact (confidentiality, integrity, availability). The base score is mapped to a qualitative rating: Critical (9.0 to 10.0), High (7.0 to 8.9), Medium (4.0 to 6.9), Low (0.1 to 3.9) and None (0.0). If the affected vendor does not provide a patch within the agreed period (90 days is a common convention), ethical considerations must be made as to how the vulnerability should be handled.

If the vendor does not respond after repeated attempts at contact, the ethical hacker makes the findings public and thereby warns users of the vulnerability in the software or product.

Once the vulnerability is public, ethical hackers try to minimize the damage: together with the vendor they try to provide a patch or a workaround as quickly as possible. Ethical hackers thus move constantly between gray hat and white hat behavior.

More Consequences

There can be further consequences, because for the company or institution whose SOC observes the activity, it is not clear whether it is a malicious attack or a well-intentioned investigation. From the defender's point of view this question should not arise at all, since every attack can in principle constitute a criminal offence. For a researcher probing a company that is well positioned in IT security, the consequence can therefore even be a criminal complaint: as noted, no real distinction can be made, and attacks that were not announced and not commissioned as penetration tests are routinely reported. A published program scope and an explicit safe-harbor clause are what resolve this, since they tell the SOC in advance which activity against which assets is authorized.

Setting the budget for a program is particularly difficult. If several vulnerabilities are found at once, the payouts can easily exceed the budget, and many current bug bounty programs do not state what happens in that case.

While large companies and corporations in particular run bug bounties, a medium-sized company will find them hard to finance, since the costs are difficult to predict. Nevertheless, bug bounty programs are a good approach to supporting those who identify vulnerabilities and rewarding them with public recognition for their contributions. For researchers this creates an alternative to the black market: a zero-day exploit is less likely to be sold there if the vendor itself offers material remuneration.

Ethical behavior in penetration testing

In penetration testing (commissioned hacking), as practiced by professional penetration testers, it regularly happens that data is captured whose handling is ethically questionable, or which under certain circumstances reveals a criminal or administrative offence. In case of doubt, a penetration tester should consult a lawyer on whether something must be reported. It should also be settled, ideally in the engagement contract, when criminal and administrative offences are reported to the client and when to the authorities. Where sensitive and private matters are involved, every penetration tester must weigh whether the emotional harm to the person concerned outweighs the value of the finding.

For example:

"Only one finding came out of a penetration test: the login data for a managing director's e-mail account. It makes sense for a penetration tester to look for further credentials in the mailbox. In doing so, the pentester finds information about a legal dispute with the director's ex-wife and custody issues, a sensitive topic. In the presentation, the managing director cheerfully said that this was no problem at all, there had been nothing sensitive in his inbox, that was all in another account. The question every penetration tester should ask is whether and how to raise this."
