---
id: security-bug-bounty
title: Bug Bounty — Program / Triage / Pay
category: Coding
status: draft
source_trust_level: B
verification_status: conceptual
created_at: 2026-05-09
updated_at: 2026-05-09
tags: [security, bug-bounty, vibe-coding]
tech_stack: { language: "Process", applicable_to: ["Security"] }
applied_in: []
aliases: [bug bounty, HackerOne, Bugcrowd, vulnerability disclosure, VDP, responsible disclosure]
---
# Bug Bounty
> External researchers find vulnerabilities → reward. **HackerOne / Bugcrowd / self-hosted**. Cost vs benefit. Internal team + bug bounty + external pen test = defense in depth.
## 📖 Core concepts
- Program: scope + rules + reward.
- VDP: Vulnerability Disclosure Policy (no reward).
- Bug bounty: VDP + reward.
- Triage: rate severity and decide whether the report is valid (in scope, novel, reproducible).
## 💻 Code patterns
### VDP (basic, free)
```markdown
# Vulnerability Disclosure Policy
We welcome security research.
## Scope
- *.example.com (production)
- Mobile apps
- API endpoints
## Out of scope
- Third-party services
- Social engineering
- Physical attacks
- DoS
## Rules
- No data exfiltration beyond proof
- No service disruption
- Provide reasonable disclosure time (90 days)
## Report
security@example.com
PGP: <key>
## Recognition
Hall of Fame for valid reports.
No monetary reward (this is VDP).
```
→ Free. Where a small company starts.
### Bug bounty program (paid)
```markdown
# Bug Bounty
## Scope
- *.example.com (prod)
- iOS / Android apps
- API (api.example.com)
## Out of scope
- *.dev.example.com
- Third-party SaaS
- DoS / DDoS
- Social engineering
- Physical attacks
## Rewards (CVSS-based)
- Critical (9.0+): $5,000
- High (7.0-8.9): $1,500
- Medium (4.0-6.9): $500
- Low (0.1-3.9): $100
## Eligibility
- First reporter wins
- Must include reproduction
- No public disclosure before fix
## Submit
HackerOne: https://hackerone.com/example
Direct: security@example.com (PGP encrypted)
```
### HackerOne setup
```
1. Account create
2. Program create (private or public)
3. Define scope (asset)
4. Set bounty range
5. Configure triage workflow
6. Onboard internal team
→ HackerOne also offers a managed triage tier (extra cost).
```
### Bugcrowd
```
Similar to HackerOne.
"Crowdcontrol" platform.
Different researcher community.
```
### Self-hosted program (internal / hosted)
```
Pros:
- Direct relationship
- Cheaper
- Custom workflow
Cons:
- Hard for researchers to discover
- Triage burden
- Payment / tax handling
```
→ Recommended only for large organizations.
### Triage process
```
1. Receive report (24h ack)
2. Reproduce
3. Severity (CVSS)
4. Valid? (in-scope, novel, working)
5. Reward decision
6. Fix
7. Verify fix with reporter
8. Pay + close
9. Public disclosure (optional)
```
### Severity (CVSS calculator)
```
Vector:
- Attack vector: Network / Adjacent / Local / Physical
- Complexity: Low / High
- Privileges: None / Low / High
- User interaction: None / Required
- Scope: Unchanged / Changed
- Confidentiality / Integrity / Availability impact
Score: 0-10
```
→ cvssjs.org / nvd.nist.gov calculator.
### Common reports
```
Critical:
- RCE (Remote Code Execution)
- SQL injection (large data exposure)
- Authentication bypass
- IDOR (sensitive)
High:
- Stored XSS
- SSRF
- Privilege escalation
Medium:
- Reflected XSS
- CSRF (sensitive)
- Information disclosure (PII)
Low:
- Self XSS
- Missing security headers
- Outdated library (no exploit)
Informational (no reward):
- Best practice
- Lack of header
```
### Duplicate detection
```
Same issue from several reporters:
- First reporter wins
- Later ones = "Duplicate" (no reward, or a small one)
- Common in public programs.
```
### Out-of-scope handling
```
Polite reject:
"Thanks for your report. This is out of scope ([reason]).
We don't accept reports for this — please refer to our scope.
However, we appreciate your effort."
Too strict, and you lose good researchers.
```
### Researcher relationship
```
Good researcher:
- Detailed report
- PoC (proof of concept)
- Suggested fix
- Patient
Bad researcher:
- Spam (low quality)
- Threatening (public disclosure)
- Begging
- Incomplete report
→ Good ones are valuable. Most are bad.
```
### Internal cost
```
Triage time (per report):
- Read + reproduce: 30 min - 4 hour
- Severity assess: 30 min
- Communicate: 30 min
- Fix: variable
→ Can occupy one person full-time.
```
### ROI
```
Bug bounty $:
- Setup: $0 (HackerOne base)
- Bounty payouts: $0-100K / year (small to mid-size)
- Triage cost: $50-200K / year (1 FTE)
Discovery:
- Prevents major vulnerabilities (cost = incidents × $$)
- Measures the attack surface
- External perspective
→ Worth it for large, security-critical organizations.
```
### Disclosure
```
Coordinated:
1. Reporter → vendor private
2. Vendor fix (90 days)
3. Public disclosure (after fix)
4. Researcher publicly recognized
Forced:
- Vendor ignores the report → researcher goes public
- Industry pressure
```
### Public disclosure (after fix)
```
Researcher writeup blog:
- Useful (other researchers learn from it)
- Affects company brand (transparency)
- CVE assignment possible
Company publishes:
- Acknowledgement
- Fix detail (high-level)
- Mitigation
```
### Internal vs external bug bounty
```
Internal hackathon:
- Company employees find bugs
- Small rewards
- Team building
External bug bounty:
- Public researchers
- Large rewards
- Deep outside perspective
```
→ Both.
### Legal
```
Safe Harbor:
- Researcher follows program rules = no legal action
- State it explicitly (on the program page)
- Waiver of DMCA / CFAA claims
→ Researchers should not feel threatened.
```
```markdown
## Safe Harbor
We will not pursue legal action against researchers who:
- Comply with program rules
- Make a good-faith effort to avoid disrupting service
- Don't access data beyond proof of concept
- Provide reasonable time for fix
```
### CVE assignment
```
Significant vulnerability:
- CVE-2026-XXXXX number
- NVD database
- Public reference
→ Bragging rights for the researcher + public learning.
```
### Top researcher motivation
```
1. Money (large rewards)
2. Reputation (recognition, CVE)
3. Learning (real-world targets)
4. Fun (puzzles)
5. Mission (a better internet)
→ Not reward alone. A good program.
```
### Hall of Fame
```markdown
# Security Researchers
Thanks to the following for responsible disclosure:
## 2026
- @researcher1 — Critical RCE
- @researcher2 — Authentication bypass
- @researcher3 — Stored XSS
## 2025
...
```
→ Public recognition. Free + valuable.
### Program maturity
```
Phase 1: VDP only (no reward)
Phase 2: Private bug bounty (invite-only)
Phase 3: Public bug bounty
Phase 4: Continuous + multiple platform
→ Grow gradually.
```
### Common pitfalls
```
- Scope too broad (everything in-scope): noise
- Reward too low: low quality
- Slow triage: you lose researchers
- Unclear communication
- Unfair duplicate handling
- Out-of-scope unclear
```
### Vendor mindset
```
"We do security well, we don't need a bug bounty" → wrong.
"Bug bounty is expensive" → measure the ROI.
"Researchers are attacking us" → they are helping.
→ Researcher = ally, not enemy.
```
### Modern best practice
```
1. Security in the SDLC (shift left)
2. Internal pen test (quarterly)
3. External pen test (annual)
4. Bug bounty (continuous)
5. Threat modeling (major features)
6. Security training (all devs)
```
→ Defense in depth.
### Tools (vendor side)
```
- HackerOne / Bugcrowd / Intigriti / YesWeHack
- Triage SaaS (included)
- Internal: Slack + Jira + GitHub
Self-hosted:
- Email (security@)
- PGP key
- Vulnerability tracking system
```
### Duplicate / informational handling
```
Polite + clear:
"Thanks for the report. This was previously reported by [hash/anonymous].
We don't reward duplicates, but we appreciate the effort.
Hall of Fame eligible? [yes/no based on quality]"
```
### Stuck reports
```
Triage backlog:
- 30+ open reports
- New researchers get frustrated
Fixes:
- Add triage capacity
- Auto-close low quality
- Internal SLA (14 day acknowledge)
```
### Yearly stats (good practice)
```markdown
# 2026 Bug Bounty Report
- Reports received: 423
- Valid: 87 (21%)
- Critical: 3
- High: 12
- Medium: 31
- Low: 41
- Total payout: $58,400
- Avg time to triage: 2.3 days
- Avg time to fix: 14 days
Top researchers:
1. @x — 12 valid reports
2. @y — 8
...
```
→ Transparency + community trust.
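The triage process, the duplicate rule ("first reporter wins"), the stuck-report SLAs and the yearly stats above are all bookkeeping over the same report queue. As an added example, not code from this page or from any bounty platform, the script below models that queue: it fingerprints reports to flag duplicates, lists reports that missed the 24h ack or 14-day SLA, and produces the numbers for the yearly report template. The `Report` class, the fingerprint rule (same asset + vulnerability class + normalized path) and all report records are constructed assumptions.

```python
"""Triage-queue helper: duplicate detection, SLA breaches and yearly stats.

Added example for this wiki page; not code from HackerOne, Bugcrowd or any
real program. The Report records and the duplicate-fingerprint rule are
constructed; the SLA values are the page's own (24h ack, 14-day SLA).
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

ACK_SLA = timedelta(hours=24)    # page: "Receive report (24h ack)"
TRIAGE_SLA = timedelta(days=14)  # page: "Internal SLA (14 day acknowledge)"


@dataclass
class Report:
    id: str
    researcher: str
    asset: str                 # host the reporter tested, e.g. "api.example.com"
    vuln_class: str            # e.g. "IDOR", "XSS"
    endpoint: str              # path as written by the reporter
    received: datetime
    acked: Optional[datetime] = None
    triaged: Optional[datetime] = None
    fixed: Optional[datetime] = None
    severity: str = "Informational"
    valid: bool = False
    payout: int = 0


def fingerprint(r: Report) -> tuple[str, str, str]:
    """Assumed duplicate rule: same asset, same vuln class, same normalized path."""
    path = r.endpoint.split("?")[0].rstrip("/").lower()
    return (r.asset.lower(), r.vuln_class.upper(), path)


def mark_duplicates(reports: list[Report]) -> dict[str, str]:
    """First reporter (earliest received) keeps the issue; map later ids -> original id."""
    first_seen: dict[tuple[str, str, str], str] = {}
    dups: dict[str, str] = {}
    for r in sorted(reports, key=lambda x: x.received):
        fp = fingerprint(r)
        if fp in first_seen:
            dups[r.id] = first_seen[fp]
        else:
            first_seen[fp] = r.id
    return dups


def sla_breaches(reports: list[Report], now: datetime) -> list[tuple[str, str]]:
    """Reports that missed the ack or triage SLA; unacked/untriaged ones are measured at `now`."""
    out = []
    for r in reports:
        if (r.acked or now) - r.received > ACK_SLA:
            out.append((r.id, "ack"))
        if (r.triaged or now) - r.received > TRIAGE_SLA:
            out.append((r.id, "triage"))
    return out


def _days(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 86400


def yearly_stats(reports: list[Report]) -> dict:
    """Numbers for the page's yearly report template (valid reports only for payout/fix)."""
    valid = [r for r in reports if r.valid]
    return {
        "received": len(reports),
        "valid": len(valid),
        "valid_pct": round(100 * len(valid) / len(reports)) if reports else 0,
        "by_severity": dict(Counter(r.severity for r in valid)),
        "total_payout": sum(r.payout for r in valid),
        "avg_triage_days": mean(_days(r.triaged, r.received) for r in reports if r.triaged),
        "avg_fix_days": mean(_days(r.fixed, r.received) for r in valid if r.fixed),
        "top_researchers": Counter(r.researcher for r in valid).most_common(3),
    }


def sample_queue() -> list[Report]:
    """Constructed sample data, not real reports."""
    d = datetime
    return [
        Report("R-1", "@alice", "api.example.com", "IDOR", "/v1/users/{id}/export",
               received=d(2026, 5, 1, 9), acked=d(2026, 5, 1, 12), triaged=d(2026, 5, 2, 9),
               fixed=d(2026, 5, 11, 9), severity="High", valid=True, payout=1500),
        # Same issue as R-1, different casing and a query string: should be a duplicate.
        Report("R-2", "@bob", "api.example.com", "idor", "/v1/users/{id}/export/?format=csv",
               received=d(2026, 5, 3, 10), acked=d(2026, 5, 3, 11), triaged=d(2026, 5, 4, 10)),
        # Never acknowledged: breaches both SLAs.
        Report("R-3", "@carol", "www.example.com", "XSS", "/search", received=d(2026, 5, 10, 8)),
        # Acknowledged after 48h: ack SLA breach, triage SLA met.
        Report("R-4", "@alice", "api.example.com", "SQLI", "/v1/reports",
               received=d(2026, 5, 20, 9), acked=d(2026, 5, 22, 9), triaged=d(2026, 5, 23, 9),
               fixed=d(2026, 5, 30, 9), severity="Critical", valid=True, payout=5000),
        Report("R-5", "@dave", "www.example.com", "HEADERS", "/",
               received=d(2026, 5, 25, 9), acked=d(2026, 5, 25, 11), triaged=d(2026, 5, 26, 9)),
    ]


if __name__ == "__main__":
    queue = sample_queue()
    print("duplicates:", mark_duplicates(queue))
    print("SLA breaches:", sla_breaches(queue, datetime(2026, 6, 1, 9)))
    print("yearly stats:", yearly_stats(queue))
```

On a real queue the fingerprint would come from the triager's classification, not from the reporter's free text; the point of the rule is only that "first reporter wins" needs a stable, documented notion of "same issue" so that duplicate decisions are consistent and defensible.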
### Hire researchers
```
A good bug bounty researcher = a good internal security engineer.
Make direct job offers to top reporters.
→ Talent pipeline.
```
## 🤔 Decision criteria
| Company stage | Recommendation |
|---|---|
| Startup (early) | VDP only |
| Small SaaS | Private bounty (invite) |
| Mid-size | Public bounty (HackerOne) |
| Enterprise | Multi-platform + internal |
| Compliance critical | + Annual external pen test |
## ❌ Anti-patterns
- **Threatening disclosure after a pay denial**: bad faith.
- **Very slow triage**: you lose researchers.
- **Unclear scope**: disputes.
- **Legal threats against researchers**: PR disaster.
- **Reward too low**: low quality.
- **Internal team receiving bounties (employees)**: conflict of interest.
- **No public researcher list**: less motivation.
## 🤖 LLM usage hints
- HackerOne / Bugcrowd for a fast start.
- State Safe Harbor explicitly: legal protection.
- Triage SLA + transparency.
- Researcher = ally.
## 🔗 Related documents
- [[Security_Pen_Testing]]
- [[Security_OWASP_Top_10_Practical]]
- [[DevSec_Threat_Modeling]]