We know fraudsters are in the business of making money at the expense of businesses and consumers. They can go to any length and mobilize resources to maximize their exploits. This includes participating in bug bounty programs in the guise of white hats.
How do you discern fraud?
Identifying bad actors from genuine participants in bug bounty programs can be a huge challenge for the organizers. How do you determine if the so-called 'white hat' hasn't already monetized the bug being reported? How do you determine the number of times they may have monetized the same activity?
It's even possible that they may point you to something that gets them paid the bounty but doesn't really disrupt their chain of money-making activities—exploiting the vulnerability themselves or by selling information or toolkits to other attackers.
Worse, they may report a low-key or benign vulnerability to distract the attention from other grave vulnerabilities that they continue to exploit.
Fraudsters are often prepared to take these educated gambles because they know that once they report a vulnerability, scrutiny of the reported target will increase. This, in turn, raises the chance that the more serious issue will also be found. However, by pointing at trivial or benign vulnerabilities, they successfully divert your initial efforts, which can lead to the more serious vulnerabilities being missed.
Look out for the tell-tales
Although it is difficult to catch such dubious characters, it is not impossible. There are many tell-tales that can provide clues to catch such activities.
Fraudsters will report a bug when the bug bounty reward is higher than the profit they can make by exploiting the vulnerability. Usually, when the vulnerability is common, fraudsters will voluntarily report it. This helps them make easy money on two fronts—the bug bounty reward and selling the solution to protect against the vulnerability. In these cases, they expect that the vulnerability will be patched quickly, so reporting it allows the fraudster to maximize their return for a minimal investment of time and effort.
Determine how long the bug has been exploited
Companies organizing bug bounty programs must always verify the claim. Once they determine that the vulnerability does exist, they pay the bug bounty. This may not be simple, as the company may not have the ability to detect whether the vulnerability even exists, which increases the potential for continued exploitation. Confirming a vulnerability may require additional research and development time.
Once the vulnerability has been detected, the investigation should then extend to determining if the vulnerability has been exploited, for how long and the damage done to the business.
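One way to carry out that check, as an added example that is not part of the original post: the script below parses historical web-server access logs, looks for successful requests matching an indicator for the reported bug, and reports the first and last sighting, the distinct source addresses, and whether the activity predates the bounty submission (and whether it continued after it). The log lines, the hypothetical `/internal/export` endpoint used as the indicator, and the report timestamp are all constructed for the example; a real investigation would substitute the indicator derived from the verified report and the organisation's own log retention.

```python
import re
from datetime import datetime, timezone

# Constructed sample access log in Common Log Format; not real traffic.
# The hypothetical bug: /internal/export could be reached without authentication.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2021:09:12:01 +0000] "GET /api/profile HTTP/1.1" 200 512
10.0.0.9 - - [03/Mar/2021:22:41:17 +0000] "GET /internal/export?all=1 HTTP/1.1" 200 81230
10.0.0.7 - - [10/Mar/2021:11:05:44 +0000] "GET /api/profile HTTP/1.1" 200 498
10.0.0.9 - - [15/Mar/2021:03:18:09 +0000] "GET /internal/export?all=1 HTTP/1.1" 200 81230
10.0.0.12 - - [18/Mar/2021:14:00:00 +0000] "GET /internal/export?all=1 HTTP/1.1" 200 81230
10.0.0.12 - - [19/Mar/2021:14:00:00 +0000] "GET /internal/export?all=1 HTTP/1.1" 403 0
"""

# Indicator for the reported bug (assumed): any request to the export endpoint.
INDICATOR = re.compile(r"^/internal/export(\?|$)")

# Time at which the bounty report was received (constructed).
REPORT_TIME = datetime(2021, 3, 16, 12, 0, 0, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)


def parse_line(line):
    """Parse one Common Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "src": m.group("src"),
        "ts": ts,
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def exploitation_window(log_text, indicator, report_time):
    """Summarise successful (HTTP 200) requests matching the indicator.

    Returns hit count, first/last sighting, distinct sources, the number of
    whole days between the first sighting and the report, and two flags:
    whether exploitation predates the report and whether it continued after it.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only successful responses count as exploitation; blocked attempts
        # (e.g. 403 after a fix) are evidence of probing, not of data exposure.
        if indicator.search(rec["path"]) and rec["status"] == 200:
            hits.append(rec)

    if not hits:
        return {
            "hits": 0, "first_seen": None, "last_seen": None, "sources": [],
            "days_before_report": None, "exploited_before_report": False,
            "active_after_report": False,
        }

    first = min(r["ts"] for r in hits)
    last = max(r["ts"] for r in hits)
    return {
        "hits": len(hits),
        "first_seen": first,
        "last_seen": last,
        "sources": sorted({r["src"] for r in hits}),
        "days_before_report": (report_time - first).days,
        "exploited_before_report": first < report_time,
        "active_after_report": last > report_time,
    }


if __name__ == "__main__":
    summary = exploitation_window(SAMPLE_LOG, INDICATOR, REPORT_TIME)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

A first sighting well before the report date, or activity from the same sources continuing after the report, is exactly the kind of evidence the investigation described above is meant to surface; it does not by itself prove the reporter was involved, but it tells you the damage assessment cannot stop at "the bug is now fixed".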
Trust no one, especially the one reporting the bug
It may be mentioned here that when the vulnerabilities have been exploited—or worse, are still being exploited—the first place to look should be the person trying to claim the bounty. This is particularly true when the exploit is complex or there has been a long period of exploitation.
Companies must pay close attention to the people reporting bugs and scrutinize them and the vulnerabilities they report.
Fraudsters pose as white hats and report vulnerabilities that they are selling a solution against, as they try to make money on both sides of the fence. Since these exploits are transient in nature, fraudsters will often continue to sell them even after the vulnerability is closed, essentially defrauding other fraudsters as well.
Ensuring rightful wins and rewards
At Arkose Labs, we deal with a myriad of fraudsters every single day. We know the tactics the fraudsters employ and how they marshal their resources to orchestrate an attack. All this knowledge and the latest tools enable us to identify the impostors with unprecedented accuracy.
We scrutinize every participant in our bug bounty program, verify the vulnerabilities they submit, and determine the duration for which the reported vulnerability has been exploited. This helps us blunt the efforts of the fraudsters and ensure genuine white hats rightfully win the rewards.
If you'd like to learn more about our capabilities in fighting black hats, contact us now.