A Bug Bounty program is great because it helps us find things that have been "falling through the cracks". Over the course of the program we have already received numerous vulnerability reports, most of them XSS vulnerabilities, which in our case were of lower severity because they require user interaction. We were more or less expecting these. However, we have also received two much more serious reports. Below I will go through the first major bug that was found via our Bug Bounty program.
One of the hackers in the program found an RCE (Remote Code Execution) vulnerability with a CVSS score of 10.0. This is a very serious bug, and in the spirit of full disclosure we would like to show you how he found it, what we learned, and what you can learn from our experience.
Here is his report:
As you can see in the report, the hacker proved the exploit by writing a file, /tmp/pwnd, which demonstrates that the exploit works and that he could run code on one of our servers. My colleague checked the server in disbelief, only to find the file. Under our policy this proof meant that we would pay him a reward of $10,000. We consider this a pre-emptive insurance payment: if a malicious hacker had found this and leaked our data online or sold it, the end result could have been much worse.
What we did
Internally, we first made sure we could replicate the exploit. We then created a fix and deployed it to production the same day as an emergency fix. The fix was fairly simple:
Updating to PrimeFaces version 6.0 and setting the SECRET parameter (to a value of your own rather than the library default) fixes the issue.
The report and the findings are one thing and albeit unfortunate, they can be used as a learning experience.
What we learned
What we learned from this is that, in addition to writing secure code ourselves, we need to keep an inventory of all third-party libraries we use and follow the security notifications for each of them. We also have to make sure that all libraries are kept up to date and do not contain known vulnerabilities. We had this process in place before, but due to certain circumstances it had been neglected since the start of this year.
So if you are developing applications and use third-party libraries, make sure they are up to date. If they are not and they have vulnerabilities such as this one, you might suffer a breach, and in 2018, once the EU data protection regulation (GDPR) is in effect, the fines for this type of breach can be very large (up to 20,000,000€ or 4% of global annual turnover, whichever is higher) and could potentially bankrupt your company and enormously damage its reputation.
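To make the two lessons above concrete (the fix on the one hand, the library inventory on the other), here is an added example that is not part of the original post or of Visma's tooling. It parses a Maven pom.xml to find the declared PrimeFaces version (resolving ${property} references) and a web.xml to find the primefaces.SECRET context parameter, then reports whether the version is below a minimum and whether the secret is missing or still the library default ("primefaces"). The sample descriptors, the 6.0 minimum and the com.example coordinates are constructed for the demo; the parameter name primefaces.SECRET and its default value are the ones documented by PrimeFaces.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample descriptors for the demo (not Visma's real files).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>webapp</artifactId>
  <version>1.0</version>
  <properties>
    <primefaces.version>5.3</primefaces.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.primefaces</groupId>
      <artifactId>primefaces</artifactId>
      <version>${primefaces.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed web.xml without the secret: this is the weak deployment.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>primefaces.THEME</param-name>
    <param-value>omega</param-value>
  </context-param>
</web-app>
"""

# Same descriptor with the secret set; the value here is a placeholder.
SAMPLE_WEB_XML_FIXED = SAMPLE_WEB_XML.replace("</web-app>", """  <context-param>
    <param-name>primefaces.SECRET</param-name>
    <param-value>REPLACE-WITH-A-LONG-RANDOM-VALUE</param-value>
  </context-param>
</web-app>""")

PRIMEFACES_DEFAULT_SECRET = "primefaces"  # documented default value


def _local(tag):
    """Strip the XML namespace: '{ns}dependency' -> 'dependency'."""
    return tag.rsplit("}", 1)[-1]


def _children(el):
    """Map of child element local names to their stripped text."""
    return {_local(c.tag): (c.text or "").strip() for c in el}


def parse_version(text):
    """'6.0.1-SNAPSHOT' -> (6, 0, 1); non-numeric qualifiers are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def pom_dependency_version(pom_xml, group_id, artifact_id):
    """Declared version of group:artifact, with ${property} references
    resolved against <properties>; None if not declared with a version."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update(_children(el))
    for el in root.iter():
        if _local(el.tag) != "dependency":
            continue
        dep = _children(el)
        if dep.get("groupId") == group_id and dep.get("artifactId") == artifact_id:
            version = dep.get("version", "")
            ref = re.fullmatch(r"\$\{(.+)\}", version)
            resolved = props.get(ref.group(1), version) if ref else version
            return resolved or None
    return None


def web_xml_context_params(web_xml):
    """Map of <context-param> names to values."""
    root = ET.fromstring(web_xml)
    params = {}
    for el in root.iter():
        if _local(el.tag) == "context-param":
            cp = _children(el)
            params[cp.get("param-name")] = cp.get("param-value")
    return params


def check_primefaces(pom_xml, web_xml, min_version=(6, 0)):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    version = pom_dependency_version(pom_xml, "org.primefaces", "primefaces")
    if version is None:
        findings.append("primefaces dependency not declared in pom.xml")
    elif parse_version(version) < min_version:
        wanted = ".".join(str(n) for n in min_version)
        findings.append(f"primefaces {version} is below the minimum {wanted}")
    secret = web_xml_context_params(web_xml).get("primefaces.SECRET")
    if not secret or secret == PRIMEFACES_DEFAULT_SECRET:
        findings.append("primefaces.SECRET is missing or left at the library default")
    return findings


if __name__ == "__main__":
    for finding in check_primefaces(SAMPLE_POM, SAMPLE_WEB_XML):
        print("FAIL:", finding)
```

Running the script against the weak sample prints two findings; swapping in the fixed web.xml and a 6.0 version prints none. The same shape of check (resolve the declared version, compare against a minimum, confirm a security-relevant setting is not at its default) is what a CI step for an inventory of third-party libraries should do, so that the review does not silently lapse the way the post describes.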
Our experience with the Bug Bounty program so far has been great. At first the developers were scared, but now they are excited. The hackers have shifted our developers' attitude towards security even further, and it has been great to see them in awe of the various reports.
So far we have had two major bugs and have paid out a total of $23,450 in bounties in a bit over a month. Here are our metrics:
Thank you to all the hackers who are a part of our program, and to the others who will soon join!
You help us be more secure!
Information Security Manager
Visma Enterprise Oy