This is Part 1. Part 2 can be found here.
In November, Catalin Cimpanu reported that Russian researcher Sergey Zelenyuk had publicly disclosed a VirtualBox 0day instead of first disclosing the problem to Oracle or working through a bug bounty platform. Curious about Zelenyuk's justification for his actions, I found that his explanation mirrored what others had been telling me about growing dissatisfaction with bug bounty programs. Zelenyuk said:
I like VirtualBox and it has nothing to do with why I publish a 0day vulnerability. The reason is my disagreement with the contemporary state of infosec, especially of security research and bug bounty:
1) Waiting half a year until a vulnerability is patched is considered fine.
2) In the bug bounty field these are considered fine:
i) Waiting more than a month until a submitted vulnerability is verified and a decision to buy or not to buy is made.
ii) Changing the decision on the fly. Today you figured out the bug bounty program will buy bugs in a software, a week later you come with bugs and exploits and receive "not interested".
iii) Not having a precise list of software a bug bounty is interested in buying bugs in. Handy for bug bounties, awkward for researchers.
iv) Not having precise lower and upper bounds for vulnerability prices. There are many things influencing a price, but researchers need to know what is worth working on and what is not.
3) Delusions of grandeur and marketing bullshit: naming vulnerabilities and creating websites for them; making a thousand conferences in a year; exaggerating the importance of your own job as a security researcher; considering yourself "a world saviour". Come down, Your Highness.
I'm exhausted by the first two, therefore my move is full disclosure. Infosec, please move forward.
The criticisms Zelenyuk raised are important ones. And some of the researchers I have chatted with over the past few months say that things have gotten worse for serious researchers who count on programs to make a living and support their families. Many of the criticisms this site has heard are specific to HackerOne. The remainder of this two-part post is about the concerns raised by three researchers.
Although HackerOne deserves credit for providing a platform for hackers to be compensated for their research and hard work, as Chris Bing reported in 2017, the field has been exploding with alternative platforms. Having alternatives is not like deciding which restaurant to dine out at on any one night. Many programs have exclusive contracts with platforms, and therein lies the potential danger: are companies losing out on valuable information because of poor policies or policy implementation by platforms with which they have exclusive contracts?
When HackerOne instituted a triage system, they created a situation that raises potentially serious concerns: triage analysts who are also hackers could appropriate submissions and submit them to other programs as their own findings. The triage system can also be abused to hold up a researcher's findings so that they never reach the program.
Attempts to get responses from HackerOne to some of the accusations were not totally successful, as noted in the discussion that follows.
For information on specific firms’ bug bounty programs, see:
Top 30 Bug Bounty Programs in 2019 and HackerOne’s list of programs.
Eusebiu Blindu (@testalways on Twitter) is a researcher who has publicly accused HackerOne of racism. He first caught my attention when he seemed to be revealing that HBO had a private bug bounty program through HackerOne.
I contacted @testalways through Twitter to ask him to explain his public accusations and actions. In private communications, he claimed that he had been banned from HackerOne for escalating issues related to their “managed triage” approach.
Blindu acknowledges that his language might have been a bit rude or crude (at one point he called them “nazis”), but he claims some of it was just joking that HackerOne used as an excuse to ban him because they are racist.
I am Romanian and in the Netherlands Romanians are seen as 'beggars', 'criminals', 'farmers', and at the time there was the Uber extortion issue. I believed I was framed to be forced to ask for the bounties (but I didn't ask anyway).
In support of his claim of racism, Blindu pointed me to public comments made by HackerOne co-founder Jobert Abma (@jobertabma on Twitter). He also claimed that HackerOne constantly used terms that stem from Dutch racism toward Romani people, such as "beg bounties" and "farmers." DataBreaches.net did not find anyone else accusing HackerOne of racism, although other researchers were well aware of Blindu's claims about that.
Not surprisingly, perhaps, HackerOne had a somewhat different explanation for why he had been banned. A HackerOne spokesperson told this site:
By participating in programs on HackerOne, all Finders agree to help empower our community by following the HackerOne Code of Conduct. The individual repeatedly violated HackerOne's Code of Conduct, and per HackerOne's Code of Conduct, any breach of the rules results in a written warning from HackerOne. After the negative behavior continued, the individual was temporarily suspended from the platform. When the behavior remained after the first two measures were taken, HackerOne issued a permanent platform ban.
The statement was supplemented with a link to the code of conduct. But that code of conduct was not the one in effect at the time Blindu was banned. DataBreaches.net requested a copy of the earlier version. The spokesperson provided it, acknowledging that it had been more generally written and was made more explicit after the incidents with Blindu. So Blindu was banned permanently for rough language; what happened to everything HBO and other programs were learning from him?
"HBO and I were very good for ~2 years (I was ranked 1st/2nd in HBO most of the time). No issue with HBO per se. It's just that HackerOne introduced the triage and messed things up," Blindu told DataBreaches.net.
Blindu's frustration with HackerOne's ban was magnified greatly when PayPal signed a contract with HackerOne. Blindu says he had earned a lot of money from PayPal over the years and claims to be a Top-10 all-time earner with them. He had been bug hunting for PayPal since 2012, and had even visited them at their San Jose offices.
Neither HBO nor PayPal responded to inquiries from DataBreaches.net as to how they felt about the ban of Blindu and whether they supported HackerOne for banning people based on rough language.
But it is the managed triage changes that had Blindu and other researchers especially concerned and outraged.