Half a croissant, on a plate, with a sign in front of it saying '50c'
h a l f b a k e r y
"My only concern is that it wouldn't work, which I see as a problem."

idea: add, search, annotate, link, view, overview, recent, by name, random

meta: news, help, about, links, report a problem

account: browse anonymously, or get an account and write.



Special credit cards for pentesters

An idea for better bug bounty programs
  [vote for,

Many companies operate bug bounty programs, where they incentivize hackers to perform penetration testing and responsibly report any vulnerabilities they find by paying them per vulnerability. This generally works well and is regarded as a good thing.

But some companies that do or would implement bug bounties deal with payment via credit cards. This could be difficult to pentest because some vulnerabilities you'd want to test for would involve stealing money from someone else's credit card, potentially losing money from your own, etc.

To solve this problem, I propose that companies provide credit cards to any interested security researchers to use for this purpose. The money is provided by the company running the bug bounty program, and is returned to them when the hackers make payments, steal money from their other provided cards, etc. If anybody tries to scam them by using one of these cards to buy something else, the company will do a chargeback and blacklist the scammer.

Companies will obviously have to work with the credit card companies to implement this. (If they implemented their own fake credit cards, that wouldn't test interactions with credit card infrastructure, for example.) So, the credit card companies should also have their own bug bounty program, where any money you manage to hack into your own account is yours to keep (maybe up to some limit) as long as you responsibly report how you did it so they can fix the vulnerabilities. (Anybody from whose account you take the money will be reimbursed by the company.) This will create competition, as hackers try to find vulnerabilities first and exploit them and then report them before anyone else can and they get fixed.


Edit: hypothetical narratives as requested.

Google operates a bug bounty program according to the first part of this idea, and Greg decides to participate. Greg signs up and fills out a request form, and Google sends him two virtual credit cards. Greg uses these cards to experiment with Google Wallet, and demonstrates that it has a flaw where you can type in your own card number in a specific incorrect way and it will take money from another account's credit card. In so doing, he makes payments to Google for hypothetical products and steals money from one of his Google-issued virtual credit cards. In this way, Google gets their money back and Greg receives no real products (because he isn't giving Google any of his own money). Greg reports this to Google, and they give him a reward and get to work on fixing the vulnerability. Google may terminate the cards or let him keep them to do further research.

Visa operates a bug bounty program according to the second part of this idea, and Vanessa decides to participate. Vanessa signs up and agrees that she may attempt to steal up to $1000 at a time from other customers' accounts (probably special fake accounts set up for this purpose) as long as she responsibly reports how she did so to Visa. She discovers that by manipulating the cookies and headers sent to Visa's server when she loads her account summary page, she can access another customer's account. She uses this access to transfer $1000 to her own account, and reports this and how she did it to Visa. Visa reimburses the account from which she took the money, and fixes the vulnerability that allowed her to do it.

notexactly, Nov 30 2015


       Provide a narrative, if you would, of how this would work in practice.
bungston, Dec 01 2015

       So, Adam hacks VISA/MasterCard/AmEx via some undiscovered vulnerability and transfers an amount just short of the agreed limit to his personal account, then calls VISA/MasterCard/AmEx and tell them how. They ask that he keeps the matter secret, and grant him immunity from prosecution AND let him keep the proceeds.   

       Hours later 8000 miles away Bob discovers the same vulnerability and does the same, but this time what does VISA/MasterCard/AmEx do?   

       Grant Bob the same immunity and cover another loss? Reject Bob's claim because he's not the first to report? Claw back Adam's proceeds on grounds that he must have breached the non-disclosure clause?   

       Adam and Bob and their peers recognize the potential awkwardness in the situation, so rather than raise the issue they simply execute their discovered hack, take as much as they can (disregarding the agreed limit) and keep quiet about it (apart from bragging to their peers).   

       The cynic in me is pretty sure it's been working this way since banking was invented, never mind computerized.
Tulaine, Dec 01 2015

       A card with just 20 cents on it could easily be the target to prove your bug and cost less than the stamp to mail it out. Forever!@
popbottle, Dec 01 2015

       [bungston], narratives added.   

       // Hours later 8000 miles away Bob discovers the same vulnerability and does the same, but this time what does VISA/MasterCard/AmEx do? //   

       Same thing any company operating a bug bounty program today does: reward both. Both accomplished the same thing, didn't they? Newton and Leibniz both get credit for inventing calculus. And this way, the company is incentivized to fix the problem quickly.   

       // A card with just 20 cents on it could easily be the target to prove your bug and cost less than the stamp to mail it out. //   

       The cards don't have to be physical. At least one credit card company has had a feature for a while now where they can send you a new card number to use for each transaction. This could work the same way.
notexactly, Dec 02 2015

       //Newton and Leibniz// mmm biscuits
pocmloc, Dec 02 2015


back: main index

business  computer  culture  fashion  food  halfbakery  home  other  product  public  science  sport  vehicle