What we learned from our bug bounty program
At Ergon we are always looking for new ways to make Airlock even more secure. That's why Airlock has been challenged by the best hackers. In order to uncover potential attack vectors, we launched the Airlock Bug Bounty Program a year ago. Since then, experts from all over the world have been trying to circumvent Airlock's security mechanisms. As an incentive, rewards of several thousand dollars are paid per vulnerability.
The Airlock Bug Bounty Program aims to improve the effectiveness of Airlock. Participants are asked to attack the Secure Access Hub and all protected applications behind it. The infrastructure is set up similarly to our customers' environments. It contains both Airlock Gateway and IAM components and several back-end applications. The hackers try to circumvent Airlock by taking up specific challenges. One of these challenges is to circumvent the Airlock filter rules (Allow / Deny Rules). The IAM functions such as login and self-service are also checked for weak points. For example, they can try to (re)use a one-time password multiple times.
What is a bug bounty program?
A bug bounty program is essentially an open invitation to attack a product in order to find bugs and vulnerabilities. Now even the US Department of Defense has called for the Pentagon to be hacked!
In principle, any security specialist can participate in a bug bounty program. These "white hat" testers have to adhere to the rules of the bounty program in order to launch their targeted attacks within a controlled environment. By participating, a hacker undertakes not to exploit or publish the reported vulnerabilities. This gives the producer a chance to fix the error before it is exploited. The participants are therefore also referred to as ethical hackers.
When a hacker finds a new vulnerability, he reports it to the producer via a confidential channel. Once the reported vulnerability has been verified, the finder receives a reward (usually a predefined amount of money). The amount of compensation depends, for example, on the consequences of a possible attack. Some professional hackers can make a living from these "bounties". Once the vulnerability is fixed, it can be published and the hacker is released from the obligation to keep it confidential.
Up to $5,000 reward
If a hacker finds a hole, he submits a structured bug report. He must show in detail how the vulnerability can be exploited, so that the Airlock Incident Response Team can reproduce the attack step by step and release the bounty. The severity of a bug is classified on a four-point scale from low to critical. The hacker receives a minimum of $100, and up to $5,000 for a critical vulnerability.
In addition to the classic penetration tests, we wanted a continuous security assessment by a large number of experts.
So we looked at different bounty platforms. We wanted a big community to find as many clever hackers as possible.
Reto Ischi, Team Lead Product Development Airlock Gateway
The idea of a bounty program was born after a "successful" penetration test: despite high fixed costs, the testers had not found any serious security issues. Many would have considered this a success. But Reto Ischi, the development manager of the Airlock Gateway, was not satisfied. Where can you find the best application security experts? The team looked at bounty platforms like HackerOne or Bugcrowd. "We wanted a platform with a large community to find as many clever hackers as possible." In the end, the decision was made in favor of HackerOne. "Also because we have more control over the amount of bounties there."
Bounty hunters continuously ensure security
More than 500 participating professional hackers are trying to bypass the security mechanisms of the Airlock Secure Access Hub. So far, not a single vulnerability rated high or critical has been reported. The average reward paid is $200. The majority of successful attacks have been cross-site scripting (XSS) or SQL injection. These vulnerabilities were mostly closed by adapting the filter rules (deny rules). It is no coincidence that these attacks are among the top 10 risks for web applications.
Conclusion: Standing still means falling behind
The global community of ethical hackers ensures a continuous security assessment of the Airlock Secure Access Hub. Since the program was launched a year ago, minor issues have been reported on a regular basis; critical gaps have not been reported yet. The bug reports help to improve product security continuously and promptly in the interests of our customers. The bug bounty program thus confirms what periodic penetration tests have shown: Airlock provides extremely effective protection against attacks on applications and the theft of sensitive data.
Although the analysis of the bug reports ties up valuable engineering resources, the cost-benefit ratio is still positive: the reports are of high quality and the bounties per finding are relatively low. The continuous stream of bug reports also fits our agile development process. It was therefore decided to continue the Airlock Bug Bounty Program for another year. "We are also considering how the WAF's standard filter rules can be updated more frequently in order to close vulnerabilities even faster." The program continues because in IT security, standing still means falling behind!