---
id: security-bug-bounty
title: Bug Bounty — Program / Triage / Pay
category: Coding
status: draft
source_trust_level: B
verification_status: conceptual
created_at: 2026-05-09
updated_at: 2026-05-09
tags: [security, bug-bounty, vibe-coding]
tech_stack: { language: "Process", applicable_to: ["Security"] }
applied_in: []
aliases: [bug bounty, HackerOne, Bugcrowd, vulnerability disclosure, VDP, responsible disclosure]
---

# Bug Bounty

> External researchers find vulnerabilities → reward. **HackerOne / Bugcrowd / self-hosted**. Cost vs benefit. Internal team + bug bounty + external pen test = defense in depth.

## 📖 Core concepts

- Program: scope + rules + reward.
- VDP: Vulnerability Disclosure Policy (no reward).
- Bug bounty: VDP + reward.
- Triage: severity + valid?

## 💻 Code patterns

### VDP (basic, free)

```markdown
# Vulnerability Disclosure Policy

We welcome security research.

## Scope
- *.example.com (production)
- Mobile apps
- API endpoints

## Out of scope
- Third-party services
- Social engineering
- Physical attacks
- DoS

## Rules
- No data exfiltration beyond proof
- No service disruption
- Provide reasonable disclosure time (90 days)

## Report
security@example.com
PGP:

## Recognition
Hall of Fame for valid reports. No monetary reward (this is VDP).
```

→ Free. The starting point for a small company.

### Bug bounty program (paid)

```markdown
# Bug Bounty

## Scope
- *.example.com (prod)
- iOS / Android apps
- API (api.example.com)

## Out of scope
- *.dev.example.com
- Third-party SaaS
- DoS / DDoS
- Social engineering
- Physical attacks

## Rewards (CVSS-based)
- Critical (9.0+): $5,000
- High (7.0-8.9): $1,500
- Medium (4.0-6.9): $500
- Low (0.1-3.9): $100

## Eligibility
- First reporter wins
- Must include reproduction
- No public disclosure before fix

## Submit
HackerOne: https://hackerone.com/example
Direct: security@example.com (PGP encrypted)
```

### HackerOne setup

```
1. Account create
2. Program create (private or public)
3. Define scope (asset)
4. Set bounty range
5. Configure triage workflow
6. Onboard internal team

→ HackerOne offers a triage tier (extra cost).
```

### Bugcrowd

```
Similar to HackerOne. "Crowdcontrol" platform.
Different researcher community.
```

### Own program (internal / hosted)

```
Pros:
- Direct relationship
- Cheaper
- Custom workflow

Cons:
- Hard for researchers to discover
- Triage burden
- Payment / tax handling
```

→ Recommended only for large organizations.

### Triage process

```
1. Receive report (24h ack)
2. Reproduce
3. Severity (CVSS)
4. Valid? (in-scope, novel, working)
5. Reward decision
6. Fix
7. Verify fix with reporter
8. Pay + close
9. Public disclosure (optional)
```

### Severity (CVSS calculator)

```
Vector:
- Attack vector: Network / Adjacent / Local / Physical
- Complexity: Low / High
- Privileges: None / Low / High
- User interaction: None / Required
- Scope: Unchanged / Changed
- Confidentiality / Integrity / Availability impact

Score: 0-10
```

→ cvssjs.org / nvd.nist.gov calculator.

### Common reports

```
Critical:
- RCE (Remote Code Execution)
- SQL injection (large data set)
- Authentication bypass
- IDOR (sensitive)

High:
- Stored XSS
- SSRF
- Privilege escalation

Medium:
- Reflected XSS
- CSRF (sensitive)
- Information disclosure (PII)

Low:
- Self XSS
- Missing security headers
- Outdated library (no exploit)

Informational (no reward):
- Best practice
- Lack of header
```

### Duplicate detection

```
Same issue from multiple reporters:
- First reporter wins
- Later ones = "Duplicate" (no reward, or a small one)
- Frequent in public programs.
```

### Out-of-scope handling

```
Polite reject:
"Thanks for your report. This is out of scope ([reason]).
We don't accept reports for this — please refer to our scope.
However, we appreciate your effort."

Too strict → you lose good researchers.
```

### Researcher relationship

```
Good researcher:
- Detailed report
- PoC (proof of concept)
- Suggested fix
- Patient

Bad researcher:
- Spam (low quality)
- Threatening (public disclosure)
- Begging
- Incomplete report

→ The good ones are valuable. Most are the bad kind.
```

### Internal cost

```
Triage time (per report):
- Read + reproduce: 30 min - 4 hours
- Severity assessment: 30 min
- Communication: 30 min
- Fix: variable

→ Can be a full-time triage job for one person.
```

### ROI

```
Bug bounty $:
- Setup: $0 (HackerOne base)
- Bounty payout: $0-100K / year (small to mid-size)
- Triage cost: $50-200K / year (1 FTE)

Discovery:
- Prevents big vulnerabilities (cost = incident × $$)
- Measures attack surface
- External perspective

→ Worth it for large (security-critical) organizations.
```

### Disclosure

```
Coordinated:
1. Reporter → vendor, privately
2. Vendor fixes (90 days)
3. Public disclosure (after fix)
4. Researcher publicly recognized

Forced:
- Vendor ignores → researcher goes public
- Industry pressure
```

### Public disclosure (after fix)

```
Researcher writeup blog:
- Useful (other researchers learn)
- Affects company brand (transparency)
- CVE assignment possible

Company publishes:
- Acknowledgement
- Fix details (high-level)
- Mitigation
```

### Internal vs external bug bounty

```
Internal hackathon:
- Company employees find bugs
- Small reward
- Team building

External bug bounty:
- Public researchers
- Large reward
- Deep outside perspective
```

→ Do both.

### Legal

```
Safe Harbor:
- Researcher follows program rules = no legal action
- State it explicitly (on the program page)
- DMCA / CFAA exemption

→ Researchers don't feel threatened.
```

```markdown
## Safe Harbor

We will not pursue legal action against researchers who:
- Comply with program rules
- Make a good-faith effort to avoid disrupting service
- Don't access data beyond proof of concept
- Provide reasonable time for fix
```

### CVE assignment

```
Major vulnerability:
- CVE-2026-XXXXX number
- NVD database
- Public reference

→ Researcher bragging rights + public learning.
```

### Top researcher motivation

```
1. Money (large reward)
2. Reputation (recognition, CVE)
3. Learning (real-world target)
4. Fun (puzzle)
5. Mission (better internet)

→ Not reward alone; a good program.
```

### Hall of Fame

```markdown
# Security Researchers

Thanks to the following for responsible disclosure:

## 2026
- @researcher1 — Critical RCE
- @researcher2 — Authentication bypass
- @researcher3 — Stored XSS

## 2025
...
```

→ Public recognition. Free + valuable.

### Program maturity

```
Phase 1: VDP only (no reward)
Phase 2: Private bug bounty (invite-only)
Phase 3: Public bug bounty
Phase 4: Continuous + multiple platforms

→ Grow gradually.
```

### Common pitfalls

```
- Scope too broad (everything in-scope) — noise
- Reward too low — low quality
- Slow triage — lose researchers
- Unclear communication
- Unfair duplicate handling
- Out-of-scope unclear
```

### Vendor mindset

```
"We do security well — no need for a bug bounty" → wrong.
"Bug bounty is expensive" → measure ROI.
"Researchers are attacking us" → they are helping.

→ Researcher = ally, not enemy.
```

### Modern best practice

```
1. Security inside the SDLC (shift left)
2. Internal pen test (quarterly)
3. External pen test (annual)
4. Bug bounty (continuous)
5. Threat modeling (large features)
6. Security training (all devs)
```

→ Defense in depth.

### Tools (vendor side)

```
- HackerOne / Bugcrowd / Intigriti / YesWeHack
- Triage SaaS (included)
- Internal: Slack + Jira + GitHub

Self-hosted:
- Email (security@)
- PGP key
- Vulnerability tracking system
```

### Duplicate / informational handling

```
Polite + clear:
"Thanks for the report. This was previously reported by [hash/anonymous].
We don't reward duplicates, but we appreciate the effort.
Hall of Fame eligible? [yes/no based on quality]"
```

### Stuck reports

```
Triage backlog:
- 30+ open reports
- New researchers frustrated

Fix:
- Add triage capacity
- Auto-close low quality
- Internal SLA (14 day acknowledge)
```

### Yearly stats (good practice)

```markdown
# 2026 Bug Bounty Report

- Reports received: 423
- Valid: 87 (21%)
  - Critical: 3
  - High: 12
  - Medium: 31
  - Low: 41
- Total payout: $58,400
- Avg time to triage: 2.3 days
- Avg time to fix: 14 days

Top researchers:
1. @x — 12 valid reports
2. @y — 8
...
```

→ Transparency + community trust.
### Hire researchers

```
Good bug bounty researcher = good internal security engineer.
Make direct job offers to top reporters.

→ Talent pipeline.
```

## 🤔 Decision criteria

| Company stage | Recommendation |
|---|---|
| Startup (early) | VDP only |
| Small SaaS | Private bounty (invite) |
| Mid-size | Public bounty (HackerOne) |
| Enterprise | Multi-platform + internal |
| Compliance critical | + Annual external pen test |

## ❌ Anti-patterns

- **Threatening disclosure after a payment denial**: bad faith.
- **Very slow triage**: lose researchers.
- **Scope not clear**: disputes.
- **Legal threats against researchers**: PR disaster.
- **Reward too low**: low quality.
- **Internal team (employees) collecting bounties**: conflict of interest.
- **No public researcher list**: little motivation.

## 🤖 LLM usage hints

- HackerOne / Bugcrowd for a quick start.
- State Safe Harbor explicitly — legal protection.
- Triage SLA + transparency.
- Researcher = ally.

## 🔗 Related docs

- [[Security_Pen_Testing]]
- [[Security_OWASP_Top_10_Practical]]
- [[DevSec_Threat_Modeling]]