Wednesday, December 10, 2014

Bug Bounties And What Hackers Get Paid

I discovered https://hackerone.com recently. It's a platform companies can sign up for that gives them an avenue for researchers to disclose security vulnerabilities about their site along the lines of "responsible disclosure".

I was curious as to what vulnerabilities were published, and their amounts. Well, when a vulnerability is made public, hackerone puts it on their site with the amount on the same page. Having done network pentests professionally for the last 4 years, it's hard not to lolwtfbbq at how easy/simple it is to identify some of the bugs listed, and a lot of them are paying out hundreds of dollars for what amounts to about 30 seconds of work... I'm in the wrong business...

In any case, I've parsed through their public listing and compiled a list of links for people to read. At the time of this blog post, 240 vulnerabilities were publicly released:

https://hackerone.com/reports/38232
https://hackerone.com/reports/38170
https://hackerone.com/reports/37622
https://hackerone.com/reports/26935
https://hackerone.com/reports/32570
https://hackerone.com/reports/8846
https://hackerone.com/reports/33935
https://hackerone.com/reports/20873
https://hackerone.com/reports/36264
https://hackerone.com/reports/501
https://hackerone.com/reports/35102
https://hackerone.com/reports/33083
https://hackerone.com/reports/34112
https://hackerone.com/reports/32825
https://hackerone.com/reports/33091
https://hackerone.com/reports/31168
https://hackerone.com/reports/28832
https://hackerone.com/reports/29288
https://hackerone.com/reports/27357
https://hackerone.com/reports/31383
https://hackerone.com/reports/26527
https://hackerone.com/reports/29491
https://hackerone.com/reports/12497
https://hackerone.com/reports/27651
https://hackerone.com/reports/29360
https://hackerone.com/reports/29328
https://hackerone.com/reports/27704
https://hackerone.com/reports/29839
https://hackerone.com/reports/29480
https://hackerone.com/reports/29331
https://hackerone.com/reports/28865
https://hackerone.com/reports/18501
https://hackerone.com/reports/14552
https://hackerone.com/reports/28150
https://hackerone.com/reports/27987
https://hackerone.com/reports/28450
https://hackerone.com/reports/28449
https://hackerone.com/reports/28445
https://hackerone.com/reports/15412
https://hackerone.com/reports/27404
https://hackerone.com/reports/27166
https://hackerone.com/reports/27511
https://hackerone.com/reports/27846
https://hackerone.com/reports/27389
https://hackerone.com/reports/26700
https://hackerone.com/reports/5314
https://hackerone.com/reports/26825
https://hackerone.com/reports/25332
https://hackerone.com/reports/25334
https://hackerone.com/reports/14631
https://hackerone.com/reports/17506
https://hackerone.com/reports/25281
https://hackerone.com/reports/23098
https://hackerone.com/reports/16414
https://hackerone.com/reports/15762
https://hackerone.com/reports/18507
https://hackerone.com/reports/25160
https://hackerone.com/reports/21110
https://hackerone.com/reports/12708
https://hackerone.com/reports/23386
https://hackerone.com/reports/10468
https://hackerone.com/reports/12583
https://hackerone.com/reports/23363
https://hackerone.com/reports/11414
https://hackerone.com/reports/18698
https://hackerone.com/reports/17160
https://hackerone.com/reports/21210
https://hackerone.com/reports/17474
https://hackerone.com/reports/22093
https://hackerone.com/reports/16330
https://hackerone.com/reports/6700
https://hackerone.com/reports/21069
https://hackerone.com/reports/17688
https://hackerone.com/reports/18279
https://hackerone.com/reports/21150
https://hackerone.com/reports/16568
https://hackerone.com/reports/8284
https://hackerone.com/reports/8281
https://hackerone.com/reports/7779
https://hackerone.com/reports/21248
https://hackerone.com/reports/15166
https://hackerone.com/reports/15852
https://hackerone.com/reports/14570
https://hackerone.com/reports/20861
https://hackerone.com/reports/20671
https://hackerone.com/reports/10373
https://hackerone.com/reports/7608
https://hackerone.com/reports/6665
https://hackerone.com/reports/10081
https://hackerone.com/reports/9919
https://hackerone.com/reports/9921
https://hackerone.com/reports/5442
https://hackerone.com/reports/6702
https://hackerone.com/reports/12685
https://hackerone.com/reports/2598
https://hackerone.com/reports/8082
https://hackerone.com/reports/13959
https://hackerone.com/reports/18851
https://hackerone.com/reports/18850
https://hackerone.com/reports/18849
https://hackerone.com/reports/18721
https://hackerone.com/reports/17903
https://hackerone.com/reports/18295
https://hackerone.com/reports/17909
https://hackerone.com/reports/17896
https://hackerone.com/reports/7264
https://hackerone.com/reports/18691
https://hackerone.com/reports/18389
https://hackerone.com/reports/6322
https://hackerone.com/reports/6268
https://hackerone.com/reports/6195
https://hackerone.com/reports/6194
https://hackerone.com/reports/14699
https://hackerone.com/reports/17540
https://hackerone.com/reports/17383
https://hackerone.com/reports/10563
https://hackerone.com/reports/13748
https://hackerone.com/reports/13388
https://hackerone.com/reports/15362
https://hackerone.com/reports/16718
https://hackerone.com/reports/16571
https://hackerone.com/reports/16392
https://hackerone.com/reports/16315
https://hackerone.com/reports/4461
https://hackerone.com/reports/2628
https://hackerone.com/reports/12588
https://hackerone.com/reports/11410
https://hackerone.com/reports/15785
https://hackerone.com/reports/7813
https://hackerone.com/reports/2168
https://hackerone.com/reports/1533
https://hackerone.com/reports/11927
https://hackerone.com/reports/13286
https://hackerone.com/reports/7266
https://hackerone.com/reports/11861
https://hackerone.com/reports/10554
https://hackerone.com/reports/1538
https://hackerone.com/reports/6704
https://hackerone.com/reports/10037
https://hackerone.com/reports/8724
https://hackerone.com/reports/9318
https://hackerone.com/reports/10829
https://hackerone.com/reports/6182
https://hackerone.com/reports/6674
https://hackerone.com/reports/4836
https://hackerone.com/reports/6353
https://hackerone.com/reports/10297
https://hackerone.com/reports/9774
https://hackerone.com/reports/7531
https://hackerone.com/reports/5933
https://hackerone.com/reports/7369
https://hackerone.com/reports/7357
https://hackerone.com/reports/6883
https://hackerone.com/reports/4256
https://hackerone.com/reports/9391
https://hackerone.com/reports/9375
https://hackerone.com/reports/5928
https://hackerone.com/reports/7803
https://hackerone.com/reports/2140
https://hackerone.com/reports/6877
https://hackerone.com/reports/7041
https://hackerone.com/reports/7036
https://hackerone.com/reports/6935
https://hackerone.com/reports/6350
https://hackerone.com/reports/2421
https://hackerone.com/reports/6907
https://hackerone.com/reports/6872
https://hackerone.com/reports/6871
https://hackerone.com/reports/7441
https://hackerone.com/reports/6910
https://hackerone.com/reports/7277
https://hackerone.com/reports/6884
https://hackerone.com/reports/7121
https://hackerone.com/reports/6626
https://hackerone.com/reports/6389
https://hackerone.com/reports/6380
https://hackerone.com/reports/5786
https://hackerone.com/reports/4561
https://hackerone.com/reports/3039
https://hackerone.com/reports/4409
https://hackerone.com/reports/2127
https://hackerone.com/reports/4690
https://hackerone.com/reports/4689
https://hackerone.com/reports/4638
https://hackerone.com/reports/3441
https://hackerone.com/reports/2427
https://hackerone.com/reports/3986
https://hackerone.com/reports/4114
https://hackerone.com/reports/3930
https://hackerone.com/reports/3921
https://hackerone.com/reports/2575
https://hackerone.com/reports/2559
https://hackerone.com/reports/3596
https://hackerone.com/reports/3227
https://hackerone.com/reports/1675
https://hackerone.com/reports/3455
https://hackerone.com/reports/2439
https://hackerone.com/reports/2735
https://hackerone.com/reports/3356
https://hackerone.com/reports/2777
https://hackerone.com/reports/2622
https://hackerone.com/reports/2617
https://hackerone.com/reports/2625
https://hackerone.com/reports/2652
https://hackerone.com/reports/2584
https://hackerone.com/reports/2221
https://hackerone.com/reports/914
https://hackerone.com/reports/2170
https://hackerone.com/reports/2245
https://hackerone.com/reports/2228
https://hackerone.com/reports/2233
https://hackerone.com/reports/2224
https://hackerone.com/reports/916
https://hackerone.com/reports/2107
https://hackerone.com/reports/2106
https://hackerone.com/reports/1509
https://hackerone.com/reports/1356
https://hackerone.com/reports/960
https://hackerone.com/reports/809
https://hackerone.com/reports/774
https://hackerone.com/reports/742
https://hackerone.com/reports/727
https://hackerone.com/reports/737
https://hackerone.com/reports/738
https://hackerone.com/reports/713
https://hackerone.com/reports/547
https://hackerone.com/reports/523
https://hackerone.com/reports/500
https://hackerone.com/reports/499
https://hackerone.com/reports/487
https://hackerone.com/reports/477
https://hackerone.com/reports/400
https://hackerone.com/reports/390
https://hackerone.com/reports/353
https://hackerone.com/reports/321
https://hackerone.com/reports/288
https://hackerone.com/reports/284
https://hackerone.com/reports/280
https://hackerone.com/reports/120