Writing Vulnerability Reports that Maximize Your Bounty Payouts

To get things started, a little about me. I'm the senior director of the researcher operations team here at Bugcrowd, which makes me the manager of a global red team. Prior to this I worked at BlackBerry as an incident response program manager; I was responsible for incident response for BlackBerry handheld devices, and in that role I did a ton of data analysis. I have previously done internet crime investigation and collaborated with law enforcement officials to put criminal hackers in jail, and my background is in behavioral psychology, so I have a very diverse background. I've been on both sides of the vulnerability reporting fence: I have been the customer who receives the vulnerability reports, and now today I am working with the researchers who are writing the vulnerability reports. These are some of the tips that I've learned through the last decade of experience that I wanted to share with you today.

So, first step: read the bounty brief. Whether it's a bounty brief or a disclosure program policy statement, you want to read it. The most important thing to get started is knowing what is in scope and what is out of scope. You could easily argue that everything should be in scope, attackers don't follow a bounty brief, and that's completely true. Historically, researchers located vulnerabilities and reported them to a vendor, and they hoped that the vendor would fix them and hoped that the vendor would not come after them with legal threats, but there wasn't really any sort of guaranteed expectation there; it was simply that researchers wanted to see the software get fixed. Vendors started publishing their disclosure policies to make it clear: if you do this in a non-destructive way, we promise not to come after you legally. So what's important there is finding out what their recommendations are to protect you and to make sure that you are testing in a way that is not going to damage their business and at the same time will help them secure their applications.

Keep in mind that this is their decision on what they reward, and some of what is driving that reward decision may be based on severity and priority and what's most important to the business. "We care most about our products, more than, say, our website" could potentially be a priority-based decision that drives rewards. It could also drive what's determined to be in or out of scope. It could also be functionally a budget issue, particularly in large companies which produce multiple products: one product unit may have budget to run a bug bounty while another product team chooses to spend that budget in other areas to enhance their security. So that's another reason that a bounty brief is going to tell you what is rewarded and what is outside of reward scope. It doesn't mean you can't still report those out-of-scope vulnerabilities to the vendor, but it's not a rewarded vulnerability, and that's just something to take into consideration. The neat thing about a bounty brief is it's positioning expectations up front, so when you look through it and you identify "okay, they reward for this, they don't reward for that", if you find a vulnerability in a non-rewardable asset it's entirely your call what to do with that. Of course we would recommend that you report it to the customer so that they can patch it, but do so knowing it's not rewarded. Another thing that sometimes comes up in bounty debates is: if I report something to a company through a bounty platform and it's out of scope, can I then disclose it, since I wasn't rewarded for it? We've recently done a few blog posts talking about the Bugcrowd disclosure policy and how it applies to all submissions through Bugcrowd. So if you have a vulnerability that you know is out of scope and you want to report it to the vendor, and you likewise want to retain the rights to publish information about that vulnerability in the future, I would encourage you to report that directly to the customer rather than through their bounty platform, since once it's submitted through the Bugcrowd platform it is subject to the Bugcrowd disclosure policy. In the slides, which are available as handouts, I have links to give you additional information about bounty briefs and our disclosure programs.

The second step is to understand the impact of the vulnerability you're reporting. Now, you notice I'm not telling you how to do testing, how to identify vulnerabilities, how to validate them. I'm assuming that if you're sitting in this webinar today you know how to pentest, you know how to find vulnerabilities. The trick is taking that technical knowledge and technical skill and turning it into the written report. So knowing what kind of vulnerability you've found is important; communicating the impact of the vulnerability is even more important. Whether it's cross-site scripting or SQL injection, what's really important is: does it allow remote code execution, is it an elevation of privilege, is it information disclosure, what is the security impact of that vulnerability? Because the impact is what drives the severity rating, which in our Vulnerability Rating Taxonomy, the VRT, is P1, P2, P3, P4, and then the best practice and won't fix category of P5. All of those severity decisions are driven by the impact of the vulnerability, and the severity is what decides how much you get paid out. So I personally recommend familiarizing yourself with the STRIDE model. There are other impact models out there; the DREAD model is commonly used. I particularly like STRIDE because it covers all the major categories clearly, and you get spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege covered in a neat little acronym that's easy to remember.

Now, elevation of privilege and information disclosure are going to be the two highest severity ones that you'll commonly see, and most bounty programs will not consider network denial of service vulnerabilities to be rewarded. So again, combined with the bounty brief and understanding STRIDE or another impact model, being able to explain to the person reading your vulnerability report "this is an OWASP top ten bug" is great; being able to say "this is an OWASP top ten bug that has this impact to your customers" is even more useful for the person who's having to triage and read your vulnerability reports. It's also incredibly helpful for the developer who then receives the vulnerability report to understand why it was prioritized the way it was.

So here's an example of how impact is more of a driver for severity than the vulnerability type. We received a submission and it says: create an application account, go to the dashboard and click on the functionality, enter all the details, there's an input field at the end of the functionality, enter the JavaScript payload and you can see the pop-up. This is a valid cross-site scripting vulnerability and it results in elevation of privilege, but it's low priority. You could argue, why is this low priority? Well, this is low priority because the attacker has social engineered the victim to install code on their own system, and if you can do that, if you can overcome that significant obstacle to exploitation and get a user to install code, there's a whole lot of ghastly stuff that you would be able to do. This is not remotely exploitable, it has very high complexity and very major interaction, and so while the impact is an elevation of privilege, when you dig into it the actual impact to the user and the impact to the application developers is fairly low. The developers can't prevent a user from installing code on their system; they can absolutely do some things to prevent the cross-site scripting vulnerability that's happening here, but the attacker clearly could get the user to install other code just as easily, so this one ends up being low severity. Another reason it's low severity is that it's a one-at-a-time attack, so you're not able to exploit large groups of users all at the same time; it doesn't affect numerous users and it doesn't affect system integrity. So again, lower impact than if it were remotely exploitable and affected multiple users.

The third piece of advice that I have is including proof of concept. Giving a scan result is not enough; saying there is an outdated library that has known CVEs is not enough. You first need to corroborate that the application is actually exploitable. If something's using an outdated library and it has known CVEs, you have to show that those CVEs can be exploited in its implementation. Now, be careful in your POCs: don't take down an app. Sometimes it inadvertently happens, but be careful about your testing. Don't take one vulnerability and then pivot on it to see what else you can go and compromise by exploiting that vulnerability. If you ever question "should I try to exploit this?", my recommendation is to submit the bug and say "I'd like to proof-of-concept this; may I move forward with that?" It's entirely possible that the customer will say "here, let me stand up a test environment for you to POC in", or they may say "can you give us your POC and we'll go run it", in an attempt to do that in a more secure and less business-affecting way. So by all means have those discussions with the customer and with the specialists that are validating the submission, but don't expect that just saying there's an outdated library is going to be adequate, because it's very possible that they aren't using the elements of that library that the known CVEs are in, hence the CVEs don't actually impact them. It all depends on how they've architected their application and what components they're using.

Another important thing about your proof of concept is that if you do a proof-of-concept video or write a proof-of-concept code sample, be sure to share those samples securely. Don't share them on YouTube, even if it's an unlisted YouTube video; don't do that, because you're sharing vulnerability data and you want to do that in the most secure way possible, ideally through encrypted communication, password protected. Be sure to upload it with your vulnerability submission on the Bugcrowd platform; if you're reporting directly to a vendor, get their PGP keys and email it to them in an encrypted fashion. The other thing that's important about a proof of concept is that you're explaining the attack scenario, and it's as simple as three sentences: the attacker does X, the victim does Y (and that may be nothing, the victim doesn't do anything, but maybe they have to click something or go to a website), and the attacker can now do Z. I have seen time and time again that you have a list of vulnerabilities as a developer, and maybe they are all critical vulnerabilities, maybe there are several buffer overwrites and a few heap corruptions, and what's really important to the developer in making the risk decision of what to fix first is what mitigations are available and what the attack scenario looks like. If one of those buffer overwrites has no mitigation and the only thing that a user can do is not use their browser and only read email in plain text format, then that needs to be fixed quite quickly, versus if there are mitigations in place that defend against the vulnerability. So be sure to include your attack scenario in the vulnerability report.

So here are a few mistakes that I've seen, and these are actual vulnerabilities that we've received at Bugcrowd. The first mistake I want to talk about is the reproduction steps and the attack scenario being incomplete and ambiguous. In this instance this is what was submitted: "An attacker creates a fake account and changes his email. The email verification link can now be used to log in someone to the fake account and then monitor actions performed by the victim or even interact with him." To the person who wrote this, who went through the investigation work to find the vulnerability and see how it could be exploited, this makes complete sense, but to someone who's reading it for the first time there's a whole lot of detail missing. So what does that look like? This is probably going to get returned to the researcher as invalid, or at least pushed back and told "we need a lot more detail; this is not clear enough for us to validate". "An attacker creates a fake account": what kind of account are they creating, a user account, and do they need to be an admin to do this? There's not enough information about what kind of account the user has and what they are creating. "And changes his email": but what are they changing it to? Are they changing it to the victim's email or to some other email? It's really unclear what that email change does. "The email verification link can now be used, okay, by him to log in someone": okay, are we talking about logging in, I'm assuming we're talking about logging the victim into the fake account, okay, but why would the victim do this? "And then the attacker can monitor actions performed by the victim or even interact with them": so it's all super unclear what's happening here. Precisely, is the attacker viewing the victim's actions? Why would the victim have logged into the fake account? Or is it that the attacker is logging in on behalf of the victim? So there's a lot of detail that would have sped up the validation of this vulnerability if it had been provided up front: clarify the expected behavior and the observed behavior, here's what the attacker is doing, here's what the user is doing, just a lot more clarity, and this would therefore be confirmed a lot faster.

Another mistake I've seen is vulnerabilities that require another vulnerability to be exploited first. Before I get into this specific example I want to be really clear that chained vulnerabilities are a legitimate issue, and we absolutely love to see it when a researcher submits a vulnerability saying "your data is not encrypted at rest, and here on the other hand I've found an information disclosure vulnerability, and when I combine these two I have information disclosure of unencrypted data which includes passwords, and now I have an elevation of privilege". So there are two separate vulnerabilities that can be chained together; this happens in the real world, it is a real-world threat, it is complex, it is severe. The mistakes I'm talking about are not those. Suppose "I'm an attacker and the user's browser is compromised" or "I got access to the recovery email": everything after that is not a vulnerability in the web application, because it requires that the user is previously owned in some manner, and the web application developer, the person who's receiving that vulnerability report, cannot defend against a user's browser being compromised. They can't manage that risk, and so there's not a whole lot they're going to be able to do in their application to prevent that. So while the report may recommend a legitimate protection rule that would help mitigate risk when a user's computer is owned, best practices are often unrewarded in bounty programs. So while you're certainly welcome to submit that and get that advice off to the customer, it's often unrewarded, and if you submit a great deal of best practices that can hurt your overall performance metrics on bounty platforms. So we would generally recommend focusing your efforts on higher severity submissions, and if you're reporting a best-practice-type vulnerability, ideally you're going to chain it, like I already mentioned, with say an information disclosure, where the two can be used in conjunction to have higher impact together, and then those will be assessed accordingly.

Another mistake I've seen is the exploit impact being unclear. In this example what was submitted is: "An attacker is just required to send an email confirmation link to the victim and he'll be automatically logged into the attacker's account. I can then monitor his actions and interact." But I'm not clear on the exploit impact, because I've just compromised my own account as the attacker: I merely sent my account information to the victim, and the victim, when they log in, is going to log into my account, so I can monitor their actions and interact with them, but they're taking any steps on my account. I've just compromised myself. So while this may be unintended behavior, and this may be something that the developers want to fix at some point in time, it is not a critical vulnerability, because it's really unclear what the attacker gains through this and there's elaborate social engineering involved. So again, this is one where understanding your exploit impact, beyond just knowing you've found a flaw or perhaps undesirable behavior, is really helpful.

The fourth example we have today of a mistake I've seen is that, candidly, it's simply not a vulnerability; it may be intended behavior. You can't always know what the intended behavior of an application is, and sometimes what one developer would call a vulnerability another developer would call a feature. In this particular example an application allows its users to change their username, and this was submitted as an account name hijack. The example says: suppose Kimberly changes, let's say I change my username to Kimberly1, but Payton decides she's going to go hijack my username Kimberly and she's going to start using it on her LinkedIn and she's going to sort of steal my username identity. But the reality is I gave up that username, so that's intended functionality. I should be able to change my username from Kimberly to anything I want that isn't already in use by somebody else, and that's a voluntary username modification, and once I give a name up I no longer retain it; anyone else can go take it. So at the end of the day this is intended functionality, for a user to be able to change their username. Now, if Payton could somehow cause the application to reset my username so that she could take it, that would absolutely be an attack and that would absolutely be a vulnerability, where I didn't freely give up my username. So again, just another example of thinking about the impact and whether this is really a vulnerability or by-design functionality. As I said, having the ability to change it without the user's cooperation, that would be a vulnerability and we would absolutely reward that, but not if I changed it on my own.

So in summary, my three big pieces of advice are: read your bounty brief so that you concentrate on rewarded vulnerabilities; that can help you center your efforts on the things that will be paid at the highest rates and avoid spending hours testing something that turns out to be out of scope. We don't want anyone to use tons of time on things that are unrewarded; that's always really frustrating for everybody involved, for you to have done all this great work and then find out it's an unrewarded vulnerability. So be sure to read the bounty brief. Communicate the impact of the vulnerability; I mentioned the STRIDE model, it's my personal preference, but if you prefer the DREAD model, or if there's another model you want to use to communicate the vulnerability impact, that's great; just be sure you understand not just the bug type but the impact. And the third piece of advice is to verify your findings and provide your proof of concept and attack scenarios, so that when developers are trying to prioritize multiple vulnerabilities and figure out which one they should fix first, they've got a really compelling real-world scenario that makes them say "oh gosh, yeah, okay, this is a problem, we have to go fix this right now", and it makes it more visceral for them beyond just understanding "this is an insecure direct object reference". So those are my three big pieces of advice. Thank you for your time today, and I hope this was useful. Feel free to join in the conversation on the Bugcrowd forum or chat with us.
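As an added example (mine, not code from the webinar or from Bugcrowd), here is a small Python linter that encodes the three pieces of advice as checks over a structured report: the asset is compared against the brief's scope, the impact is a STRIDE category that yields a provisional priority adjusted for exploitability (not remote, one user at a time), the attack scenario must have its X/Y/Z parts, scenarios that start from an already-compromised victim are flagged as best practice, and a proof-of-concept attachment must be present. The field names, the priority mapping, the phrase patterns and the sample reports are constructed assumptions for illustration; they are not the VRT or any program's actual rules.

```python
from dataclasses import dataclass, field, replace
import re

# Assumed STRIDE -> provisional priority mapping. It mirrors the talk's point that
# elevation of privilege and information disclosure rate highest and network
# denial of service is usually unrewarded; it is NOT Bugcrowd's VRT.
STRIDE_PRIORITY = {
    "spoofing": "P3",
    "tampering": "P2",
    "repudiation": "P4",
    "information_disclosure": "P2",
    "denial_of_service": "P5",
    "elevation_of_privilege": "P1",
}
PRIORITY_ORDER = ["P1", "P2", "P3", "P4", "P5"]

# Constructed phrases meaning the scenario starts from an already-owned victim.
PRECONDITION_PATTERNS = [
    r"browser is compromised",
    r"compromised the victim",
    r"access to the recovery email",
    r"victim.{0,30}(already )?(owned|compromised)",
]


@dataclass
class Report:
    title: str
    asset: str                       # hostname or product the bug is in
    in_scope_assets: list            # copied from the bounty brief
    impact: str                      # STRIDE category, lowercase with underscores
    repro_steps: list = field(default_factory=list)
    attacker_does: str = ""          # X
    victim_does: str = ""            # Y ("nothing" is a valid answer)
    attacker_gains: str = ""         # Z
    poc: str = ""                    # attachment uploaded with the submission, never a public link
    remote: bool = True              # exploitable without the victim running attacker code locally
    affects_many_users: bool = True  # not a one-at-a-time attack


def lint_report(r: Report) -> list:
    """Return the questions a triager would send back; an empty list means ready to submit."""
    issues = []
    if r.asset not in r.in_scope_assets:
        issues.append("out of scope: not rewardable; report directly to the vendor if you want to keep disclosure rights")
    if r.impact not in STRIDE_PRIORITY:
        issues.append(f"impact {r.impact!r} is not a STRIDE category")
    if len(r.repro_steps) < 2:
        issues.append("reproduction steps missing or too short")
    parts = {"attacker_does": r.attacker_does, "victim_does": r.victim_does, "attacker_gains": r.attacker_gains}
    for name, text in parts.items():
        if not text.strip():
            issues.append(f"attack scenario incomplete: {name} is empty")
    scenario = " ".join(parts.values()).lower()
    if any(re.search(p, scenario) for p in PRECONDITION_PATTERNS):
        issues.append("pre-compromised victim: the developer cannot defend against this; chain it with another bug or expect P5")
    if not r.poc:
        issues.append("no proof of concept attached")
    return issues


def provisional_priority(r: Report) -> str:
    """Severity from impact first, then downgraded for exploitability, as the talk argues."""
    if any(i.startswith("pre-compromised") for i in lint_report(r)):
        return "P5"
    idx = PRIORITY_ORDER.index(STRIDE_PRIORITY.get(r.impact, "P5"))
    if not r.remote:
        idx += 2   # victim must run attacker code locally: high complexity, major interaction
    if not r.affects_many_users:
        idx += 1   # one-at-a-time attack
    return PRIORITY_ORDER[min(idx, len(PRIORITY_ORDER) - 1)]


# Constructed sample data (hostnames are placeholders).
SCOPE = ["app.example.test", "api.example.test"]

# The self-XSS style report from the talk: a valid bug, but the victim has to paste the payload.
SELF_XSS = Report(
    title="XSS in dashboard input field", asset="app.example.test", in_scope_assets=SCOPE,
    impact="elevation_of_privilege",
    repro_steps=["Create an account", "Open the dashboard form", "Enter a script payload in the last field", "Observe the pop-up"],
    attacker_does="convinces the victim to paste the payload into their own dashboard",
    victim_does="pastes and submits the payload",
    attacker_gains="script runs in the victim's own session only",
    poc="xss_poc.txt", remote=False, affects_many_users=False,
)

# Scenario that starts from an already-compromised browser: best practice, not an application bug.
PRECOMPROMISED = Report(
    title="Session survives password change", asset="app.example.test", in_scope_assets=SCOPE,
    impact="elevation_of_privilege",
    repro_steps=["Log in as the victim", "Change the password from another browser", "The first session is still valid"],
    attacker_does="has already compromised the victim's browser and copied the session cookie",
    victim_does="changes their password",
    attacker_gains="keeps using the old session",
    poc="session_poc.md",
)

# A complete report: in scope, clear X/Y/Z, PoC attached, remote, affects every user.
GOOD = Report(
    title="IDOR exposes other users' invoices", asset="api.example.test", in_scope_assets=SCOPE,
    impact="information_disclosure",
    repro_steps=["Log in as user A", "Request an invoice id belonging to user B", "Response contains B's invoice"],
    attacker_does="requests invoice ids belonging to other users",
    victim_does="nothing",
    attacker_gains="reads every customer's invoices",
    poc="idor_poc.http",
)

# Same bug reported against an asset the brief does not list.
OUT_OF_SCOPE = replace(GOOD, asset="blog.example.test")

if __name__ == "__main__":
    for rep in (SELF_XSS, PRECOMPROMISED, GOOD, OUT_OF_SCOPE):
        print(rep.title, "->", provisional_priority(rep), lint_report(rep) or "ready")
```

Running the block prints a provisional priority and the triager's questions for each sample; the self-XSS report comes out P4 despite its elevation-of-privilege impact, and the pre-compromised scenario drops to P5 regardless of impact.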
