Bug bounty program: Difference between revisions

Bug bounty programs are programs sponsored by various websites to encourage users to report software bugs discovered during usage of the website. Such programs have been implemented by Facebook, Yahoo! and Google,^[1] among others.

Bug bounty programs are activities performed by websites to protect themselves by hackers famous social sites like facebook,yahoo,google makes this type of actions. A software bug is an error, flaw, failure, or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways. Most bugs arise from mistakes and errors made by people in either a program's source code or its design, or in frameworks and operating systems used by such programs, and a few are caused by compilers producing incorrect code. A program that contains a large number of bugs, and/or bugs that seriously interfere with its functionality, is said to be buggy. Reports detailing bugs in a program are commonly known as bug reports, defect reports, fault reports, problem reports, trouble reports, change requests, and so forth.

Introduction

Bugs trigger errors that can in turn have a wide variety of ripple effects, with varying levels of inconvenience to the user of the program. Some bugs have only a subtle effect on the program's functionality, and may thus lie undetected for a long time. More serious bugs may cause the program to crash or freeze. Others qualify as security bugs and might for example enable a malicious user to bypass access controls in order to obtain unauthorized privileges. The results of bugs may be extremely serious. Bugs in the code controlling the Therac-25 radiation therapy machine were directly responsible for some patient deaths in the 1980s.^{[citation needed]} In 1996, the European Space Agency's US$1 billion prototype Ariane 5 rocket had to be destroyed less than a minute after launch, due to a bug in the on-board guidance computer program.^{[citation needed]} In June 1994, a Royal Air Force Chinook crashed into the Mull of Kintyre, killing 29. This was initially dismissed as pilot error, but an investigation by Computer Weekly uncovered sufficient evidence to convince a House of Lords inquiry that it may have been caused by a software bug in the aircraft's engine control computer.^{[citation needed]}

History

In 2002, a study commissioned by the US Department of Commerce' National Institute of Standards and Technology concluded that "software bugs, or errors, are so prevalent and so detrimental that they cost the US economy an estimated $59 billion annually, or about 0.6 percent of the gross domestic product".^{[citation needed]}

In 2013, an information science expert from Palestine used an exploit to post a letter on the Facebook timeline of site founder Mark Zuckerberg. According to the hacker, he had tried to report the vulnerability using Facebook's bug bounty program, but the response team told him that his vulnerability was not actually a bug.^[2]

BUG BOUNTY PROGRAMS

Bug bounty programs are activities performed by websites to protect themselves by hackers famous social sites like facebook,yahoo,google makes this type of actions.

A software bug is an error, flaw, failure, or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways. Most bugs arise from mistakes and errors made by people in either a program's source code or its design, or in frameworks and operating systems used by such programs, and a few are caused by compilers producing incorrect code. A program that contains a large number of bugs, and/or bugs that seriously interfere with its functionality, is said to be buggy. Reports detailing bugs in a program are commonly known as bug reports, defect reports, fault reports, problem reports, trouble reports, change requests, and so forth. Bugs trigger errors that can in turn have a wide variety of ripple effects, with varying levels of inconvenience to the user of the program. Some bugs have only a subtle effect on the program's functionality, and may thus lie undetected for a long time. More serious bugs may cause the program to crash or freeze. Others qualify as security bugs and might for example enable a malicious user to bypass access controls in order to obtain unauthorized privileges. The results of bugs may be extremely serious. Bugs in the code controlling the Therac-25 radiation therapy machine were directly responsible for some patient deaths in the 1980s. In 1996, the European Space Agency's US$1 billion prototype Ariane 5 rocket had to be destroyed less than a minute after launch, due to a bug in the on-board guidance computer program. In June 1994, a Royal Air Force Chinook crashed into the Mull of Kintyre, killing 29. This was initially dismissed as pilot error, but an investigation by Computer Weekly uncovered sufficient evidence to convince a House of Lords inquiry that it may have been caused by a software bug in the aircraft's engine control computer. In 2002, a study commissioned by the US Department of Commerce' National Institute of Standards and Technology concluded that "software bugs, or errors, are so prevalent and so detrimental that they cost the US economy an estimated $59 billion annually, or about 0.6 percent of the gross domestic product".

USE OF BUG

Use of the term "bug" to describe inexplicable defects has been a part of engineering jargon for many decades and pre-dates computers and computer software; it may have originally been used in hardware engineering to describe mechanical malfunctions. For instance, Thomas Edison wrote the following words in a letter to an associate in 1878: It has been just so in all of my inventions. The first step is an intuition, and comes with a burst, then difficulties arise — this thing gives out and [it is] then that "Bugs" — as such little faults and difficulties are called — show themselves and months of intense watching, study and labor are requisite before commercial success or failure is certainly reached. Baffle Ball, the first mechanical pinball game, was advertised as being "free of bugs" in 1931. Problems with military gear during World War II were referred to as bugs (or glitches).

A page from the Harvard Mark II electromechanical computer's log, featuring a dead moth that was removed from the device The term "bug" was used in an account by computer pioneer Grace Hopper, who publicized the cause of a malfunction in an early electromechanical computer. A typical version of the story is given by this quote: In 1946, when Hopper was released from active duty, she joined the Harvard Faculty at the Computation Laboratory where she continued her work on the Mark II and Mark III. Operators traced an error in the Mark II to a moth trapped in a relay, coining the term bug. This bug was carefully removed and taped to the log book. Stemming from the first bug, today we call errors or glitch's [sic] in a program a bug. Hopper was not actually the one who found the insect, as she readily acknowledged. The date in the log book was September 9, 1947, although sometimes erroneously reported as 1945. The operators who did find it, including William "Bill" Burke, later of the Naval Weapons Laboratory, Dahlgren, Virginia, were familiar with the engineering term and, amused, kept the insect with the notation "First actual case of bug being found." Hopper loved to recount the story. This log book, complete with attached moth, is part of the collection of the Smithsonian National Museum of American History, though it is not currently on display. While it is certain that the Harvard Mark II operators did not coin the term "bug", it has been suggested[by whom?] that the incident contributed to the widespread use and acceptance of the term within the computer software lexicon. The related term "debug" also appears to predate its usage in computing: the Oxford English Dictionary's etymology of the word contain.

Qualifying vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include—

1. Cross-site scripting
2. Cross-site request forgery
3. Mixed-content scripts
4. Authentication flaws or authorization flaws
5. Server-side code execution bugs.

Note that the scope of the program is limited to technical vulnerabilities in Google-owned web applications and browser extensions; please do not try to sneak into Google offices, attempt phishing attacks against our employees, and so on.

Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, leverage black hat SEO techniques, spam people, and do other similarly questionable things. We also discourage the use of any vulnerability testing tools that automatically generate significant volumes of traffic.

CONDTIONS FOR BUG BOUNTY PROGRAMS

1. Bugs that have already been submitted by another user or that site already aware of is not considered.
2. Bugs in applications not listed under Open bounties are generally not eligible.
3. Vulnerabilities that website determines to be an accepted risk will not be eligible for a paid bounty or listing on the site.
4. Scripting or other automation and brute forcing of intended functionality is not taken in to consideration.

References

1. "Vulnerability Assessment Reward Program". Google. Retrieved 11 March 2014.
2. "Hacker posts Facebook bug report on Zuckerberg's wall". RT. 18 August 2013. Retrieved 11 March 2014.