---
id: security-bug-bounty
title: Bug Bounty — Program / Triage / Pay
category: Coding
status: draft
source_trust_level: B
verification_status: conceptual
created_at: 2026-05-09
updated_at: 2026-05-09
tags: [security, bug-bounty, vibe-coding]
tech_stack:
  language: Process
  applicable_to: Security
applied_in:
aliases: [bug bounty, HackerOne, Bugcrowd, vulnerability disclosure, VDP, responsible disclosure]
---

Bug Bounty

An external researcher finds a vulnerability → you pay a reward. Run it on HackerOne / Bugcrowd, or self-hosted. Weigh cost against benefit. Internal team + bug bounty + external pen test = defense in depth.

📖 Core concepts

  • Program: scope + rules + reward.
  • VDP: Vulnerability Disclosure Policy (no reward, just a safe channel to report).
  • Bug bounty: VDP + reward.
  • Triage: is the report valid (in scope, reproducible, not a duplicate), and how severe?

💻 Code patterns

VDP (basic, free)

# Vulnerability Disclosure Policy

We welcome security research.

## Scope
- *.example.com (production)
- Mobile apps
- API endpoints

## Out of scope
- Third-party services
- Social engineering
- Physical attacks
- DoS

## Rules
- No data exfiltration beyond proof
- No service disruption
- Give us reasonable time to fix before disclosing (90 days)

## Report
security@example.com
PGP: <key>

## Recognition
Hall of Fame for valid reports.
No monetary reward (this is VDP).

→ Free. The starting point for small companies.
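The Report section above gives a mailbox and a PGP key; the standard place to publish that contact so researchers (and their tooling) can find it is `/.well-known/security.txt` (RFC 9116). This is an added example, not text from the original page: the `Expires` date, the key URL and the policy / hall-of-fame URLs are assumptions, and `Expires` is the one field the RFC makes mandatory (keep it under a year out and rotate it).

```text
# Served at https://example.com/.well-known/security.txt  (RFC 9116)
# Assumed URLs below; security@example.com is the address from the VDP text.
Contact: mailto:security@example.com
Encryption: https://example.com/.well-known/pgp-key.txt
Expires: 2027-05-09T00:00:00.000Z
Policy: https://example.com/security/vdp
Acknowledgments: https://example.com/security/hall-of-fame
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
```

If the file is clearsigned with the same PGP key it advertises, a researcher can verify that the contact has not been tampered with before sending a report.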

Bug bounty program (paid)

# Bug Bounty

## Scope
- *.example.com (prod)
- iOS / Android apps
- API (api.example.com)

## Out of scope
- *.dev.example.com
- Third-party SaaS
- DoS / DDoS
- Social engineering
- Physical attacks

## Rewards (CVSS-based)
- Critical (9.0+): $5,000
- High (7.0-8.9): $1,500
- Medium (4.0-6.9): $500
- Low (0.1-3.9): $100

## Eligibility
- First reporter wins
- Must include reproduction
- No public disclosure before fix

## Submit
HackerOne: https://hackerone.com/example
Direct: security@example.com (PGP encrypted)

HackerOne setup

1. Create an account
2. Create a program (private or public)
3. Define scope (assets)
4. Set the bounty range
5. Configure the triage workflow
6. Onboard the internal team

→ HackerOne offers a managed triage tier (extra cost).

Bugcrowd

Similar to HackerOne.
Platform is called "Crowdcontrol".
Different researcher community.

Self-run program (internal / self-hosted)

Pros:
- Direct relationship with researchers
- Cheaper (no platform fee)
- Custom workflow

Cons:
- Hard for researchers to discover you
- Triage burden is all yours
- Payment / tax handling is all yours

→ Only recommended for large organizations.

Triage process

1. Receive report (24h ack)
2. Reproduce
3. Severity (CVSS)
4. Valid? (in-scope, novel, working)
5. Reward decision
6. Fix
7. Verify fix with reporter
8. Pay + close
9. Public disclosure (optional)

Severity (CVSS calculator)

Vector (CVSS v3.1):
- Attack vector: Network / Adjacent / Local / Physical
- Attack complexity: Low / High
- Privileges required: None / Low / High
- User interaction: None / Required
- Scope: Unchanged / Changed
- Confidentiality / Integrity / Availability impact: None / Low / High

Score: 0-10 (None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0)

Caveat: CVSS v4.0 dropped the Scope metric and scores impact on the vulnerable and subsequent systems separately; pick one version for the program and say which one in the policy so reporters and triagers compute the same number.

→ cvssjs.org / nvd.nist.gov calculator.

Common reports

Critical:
- RCE (Remote Code Execution)
- SQL injection (large data exposure)
- Authentication bypass
- IDOR (sensitive data)

High:
- Stored XSS
- SSRF
- Privilege escalation

Medium:
- Reflected XSS
- CSRF (on a sensitive action)
- Information disclosure (PII)

Low:
- Self XSS
- Missing security headers (with a plausible, demonstrated impact)
- Outdated library (no working exploit)

Informational (no reward):
- Best-practice deviations
- Missing header with no demonstrated impact

Duplicate detection

Same issue, several reporters:
- First reporter wins
- Later ones = "Duplicate" (no or small reward)
- Common in public programs.

Out-of-scope handling

Polite reject:
"Thanks for your report. This is out of scope ([reason]).
We don't accept reports for this — please refer to our scope.
However, we appreciate your effort."

Be too strict and you lose good researchers.

Researcher relationship

Good researcher:
- Detailed report
- PoC (proof of concept)
- Suggested fix
- Patient

Bad researcher:
- Spam (low quality)
- Threatening (public disclosure)
- Begging
- Incomplete report

→ The good ones are valuable. Most reports are the other kind.

Internal cost

Triage time (per report):
- Read + reproduce: 30 min to 4 hours
- Severity assessment: 30 min
- Communication: 30 min
- Fix: variable

→ Triage can keep one person busy full-time.

ROI

Bug bounty cost:
- Setup: $0 (HackerOne base tier)
- Bounty payouts: $0-100K / year (small to mid-size)
- Triage cost: $50-200K / year (1 FTE)

What you get:
- Major vulnerabilities caught before an incident (value = incident cost avoided)
- A measure of your attack surface
- An outside perspective

→ Worth it for large, security-critical organizations.

Disclosure

Coordinated:
1. Reporter → vendor, privately
2. Vendor fixes (90 days)
3. Public disclosure (after the fix)
4. Researcher is publicly credited

Forced:
- Vendor ignores the report → researcher goes public
- Industry pressure

Public disclosure (after fix)

Researcher writeup (blog):
- Useful (other researchers learn)
- Affects the company's brand (transparency)
- CVE assignment possible

Company publishes:
- Acknowledgement
- Fix details (high-level)
- Mitigation

Internal vs external bug bounty

Internal hackathon:
- Company employees find bugs
- Small rewards
- Team building

External bug bounty:
- Public researchers
- Larger rewards
- Deeper outside view

→ Do both.

Safe Harbor:
- Researcher follows the program rules = no legal action
- State it explicitly (on the program page)
- Say that research within the rules is authorized access (so it is not a CFAA violation) and that you will not bring DMCA claims for it

→ Researchers should not feel threatened.

## Safe Harbor

We will not pursue legal action against researchers who:
- Comply with program rules
- Make a good-faith effort to avoid disrupting service
- Don't access data beyond proof of concept
- Provide reasonable time for fix

CVE assignment

Major vulnerability:
- CVE-2026-XXXXX number (assigned by a CNA; the vendor can request one from MITRE or become a CNA for its own products)
- NVD database
- Public reference

→ Credit the researcher can point to, plus public learning.

What motivates top researchers

1. Money (large rewards)
2. Reputation (recognition, CVE)
3. Learning (real-world targets)
4. Fun (the puzzle)
5. Mission (a better internet)

→ Not reward alone. A good program.

Hall of Fame

# Security Researchers

Thanks to the following for responsible disclosure:

## 2026
- @researcher1 — Critical RCE
- @researcher2 — Authentication bypass
- @researcher3 — Stored XSS

## 2025
...

→ Public recognition. Free and valuable.

Program maturity

Phase 1: VDP only (no reward)
Phase 2: Private bug bounty (invite-only)
Phase 3: Public bug bounty
Phase 4: Continuous + multiple platform

→ Grow gradually.

Common pitfalls

- Scope too broad (everything in scope) → noise
- Reward too small → low quality
- Triage too slow → researchers leave
- Unclear communication
- Unfair duplicate handling
- Out-of-scope rules unclear

Vendor mindset

"We do security well, we don't need a bug bounty" → wrong.
"A bug bounty is expensive" → measure the ROI.
"Researchers are attacking us" → they are helping.

→ Researcher = ally, not enemy.

Modern best practice

1. Security inside the SDLC (shift left)
2. Internal pen test (quarterly)
3. External pen test (annual)
4. Bug bounty (continuous)
5. Threat modeling (major features)
6. Security training (all devs)

→ Defense in depth.

Tools (vendor side)

- HackerOne / Bugcrowd / Intigriti / YesWeHack
- Triage SaaS (bundled with the platform)
- Internal: Slack + Jira + GitHub

Self-run:
- Email (security@)
- PGP key
- Vulnerability tracking system

Duplicate / informational handling

Polite + clear:
"Thanks for the report. This was previously reported by [hash/anonymous].
We don't reward duplicates, but we appreciate the effort.

Hall of Fame eligible? [yes/no based on quality]"

Stuck reports

Triage backlog:
- 30+ open reports
- New researchers get frustrated

Fix:
- Add triage capacity
- Auto-close low-quality reports
- Internal SLA (acknowledge within 24h, triage decision within 14 days)

Yearly stats (good practice)

# 2026 Bug Bounty Report

- Reports received: 423
- Valid: 87 (21%)
- Critical: 3
- High: 12
- Medium: 31
- Low: 41
- Total payout: $58,400
- Avg time to triage: 2.3 days
- Avg time to fix: 14 days

Top researchers:
1. @x — 12 valid reports
2. @y — 8
...

→ Transparency + community trust.
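The triage process, the duplicate rule ("first reporter wins"), the acknowledgement SLA from "Stuck reports" and the numbers in the yearly report above are all derivable from one ledger of reports. The following is an added example of such a ledger, not code from the original page: the report records are constructed sample data, and the field names, the fingerprint rule (same host + same route with ids masked + same bug class) and the definition of "valid" (triaged or fixed) are this example's assumptions.

```python
"""Triage ledger for a self-run program: duplicate detection (first reporter
wins), the 24h acknowledgement SLA, and the year-end numbers. Added example,
not the page's code; records below are constructed sample data."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

ACK_SLA = timedelta(hours=24)                        # "Receive report (24h ack)"
ID_RE = re.compile(r"/(\d+|[0-9a-f]{16,})(?=/|$)")   # numeric / hex ids in paths


@dataclass
class Report:
    id: str
    reporter: str
    received: datetime
    host: str
    path: str
    vuln_class: str
    severity: str = "Informational"
    state: str = "new"         # new / triaged / fixed / duplicate / out-of-scope
    payout_usd: int = 0
    acked: datetime | None = None
    triaged: datetime | None = None
    fixed: datetime | None = None


def fingerprint(host: str, path: str, vuln_class: str) -> tuple[str, str, str]:
    """Same host + same route (ids masked, query dropped) + same bug class = same issue."""
    clean = path.split("?", 1)[0].rstrip("/").lower() or "/"
    return (host.lower(), ID_RE.sub("/{id}", clean), vuln_class.lower())


def mark_duplicates(reports: list[Report]) -> list[tuple[str, str]]:
    """Earliest report per fingerprint stays; later ones become unpaid duplicates."""
    first: dict[tuple, Report] = {}
    dups = []
    for r in sorted(reports, key=lambda r: r.received):
        fp = fingerprint(r.host, r.path, r.vuln_class)
        if fp in first:
            r.state, r.payout_usd = "duplicate", 0
            dups.append((r.id, first[fp].id))
        else:
            first[fp] = r
    return dups


def ack_breaches(reports: list[Report], now: datetime) -> list[str]:
    """Reports acknowledged after the SLA, or still unacknowledged past it."""
    return [r.id for r in reports if (r.acked or now) > r.received + ACK_SLA]


def yearly_stats(reports: list[Report], year: int) -> dict:
    """Numbers for the yearly transparency report. 'Valid' = triaged or fixed."""
    rs = [r for r in reports if r.received.year == year]
    valid = [r for r in rs if r.state in ("triaged", "fixed")]

    def avg_days(pairs):
        if not pairs:
            return None
        return round(sum((b - a).total_seconds() for a, b in pairs) / 86400 / len(pairs), 1)

    return {
        "received": len(rs),
        "valid": len(valid),
        "by_severity": dict(Counter(r.severity for r in valid)),
        "total_payout_usd": sum(r.payout_usd for r in valid),
        "avg_days_to_triage": avg_days([(r.received, r.triaged) for r in valid if r.triaged]),
        "avg_days_to_fix": avg_days([(r.received, r.fixed) for r in valid if r.fixed]),
        "top_researchers": Counter(r.reporter for r in valid).most_common(3),
    }


T0 = datetime(2026, 3, 1, 9, 0)
NOW = T0 + timedelta(days=30)


def build_sample() -> list[Report]:
    """Constructed sample reports (not real submissions)."""
    d, h = timedelta(days=1), timedelta(hours=1)
    return [
        Report("R1", "@alice", T0, "api.example.com", "/v1/users/123/orders", "idor",
               "High", "fixed", 1500, acked=T0 + 2 * h, triaged=T0 + d, fixed=T0 + 10 * d),
        Report("R2", "@bob", T0 + 3 * d, "API.example.com", "/v1/users/987/orders/?page=2",
               "IDOR", acked=T0 + 3 * d + h),                     # same bug as R1 -> duplicate
        Report("R3", "@alice", T0 + 5 * d, "www.example.com", "/search?q=x", "reflected-xss",
               "Medium", "triaged", 500, acked=T0 + 5 * d + 3 * h, triaged=T0 + 7 * d),
        Report("R4", "@carol", T0 + 10 * d, "www.example.com", "/", "missing-header"),  # never acked
        Report("R5", "@dave", T0 + 20 * d, "www.example.com", "/", "dos",
               state="out-of-scope", acked=T0 + 20 * d + 5 * h),
    ]


def run_triage(reports: list[Report], now: datetime, year: int) -> dict:
    return {"duplicates": mark_duplicates(reports),
            "ack_breaches": ack_breaches(reports, now),
            "stats": yearly_stats(reports, year)}


if __name__ == "__main__":
    print(run_triage(build_sample(), NOW, 2026))
```

The fingerprint is deliberately coarse: masking numeric and hex path segments is what makes `/users/123` and `/users/987` collide, which is the usual shape of a repeated IDOR report, while keeping the vulnerability class in the key stops a DoS report against `/` from being marked a duplicate of a missing-header report against the same route. Tell the second reporter which report they duplicated only by an anonymised reference, as the duplicate template above does.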

Hire researchers

A good bug bounty researcher makes a good internal security engineer.
Make top reporters a direct job offer.

→ Talent pipeline.

🤔 Decision criteria

| Company stage | Recommendation |
|---|---|
| Startup (early) | VDP only |
| Small SaaS | Private bounty (invite-only) |
| Mid-size | Public bounty (HackerOne) |
| Enterprise | Multi-platform + internal |
| Compliance-critical | + Annual external pen test |

Anti-patterns

  • Threatening disclosure after a payout is denied: bad faith.
  • Very slow triage: researchers leave.
  • Unclear scope: disputes.
  • Legal threats against researchers: PR disaster.
  • Reward too small: low quality.
  • Internal team members (employees) receiving bounties: conflict of interest.
  • No public researcher list: less motivation.

🤖 LLM usage hints

  • HackerOne / Bugcrowd are the fastest way to start.
  • State Safe Harbor explicitly: legal protection for researchers.
  • Triage SLA + transparency.
  • Researcher = ally.

🔗 Related documents