h a l f b a k e r y
"My only concern is that it wouldn't work, which I see as a problem."
add, search, annotate, link, view, overview, recent, by name, random
news, help, about, links, report a problem
or get an account
Many companies operate bug bounty programs, where they incentivize hackers to perform penetration testing and
responsibly report any vulnerabilities they find by paying them per vulnerability. This generally works well and is
regarded as a good thing.
But some companies that do or would implement
bug bounties deal with payment via credit cards. This could be
difficult to pentest because some vulnerabilities you'd want to test for would involve stealing money from someone
else's credit card, potentially losing money from your own, etc.
To solve this problem, I propose that companies provide credit cards to any interested security researchers to use
for this purpose. The money is provided by the company running the bug bounty program, and is returned to them
when the hackers make payments, steal money from their other provided cards, etc. If anybody tries to scam them
by using one of these cards to buy something else, the company will do a chargeback and blacklist the scammer.
Companies will obviously have to work with the credit card companies to implement this. (If they implemented
their own fake credit cards, that wouldn't test interactions with credit card infrastructure, for example.) So, the
credit card companies should also have their own bug bounty program, where any money you manage to hack into
your own account is yours to keep (maybe up to some limit) as long as you responsibly report how you did it so
they can fix the vulnerabilities. (Anybody from whose account you take the money will be reimbursed by the
company.) This will create competition, as hackers try to find vulnerabilities first and exploit them and then
report them before anyone else can and they get fixed.
Edit: hypothetical narratives as requested.
Google operates a bug bounty program according to the first part of this idea, and Greg decides to participate. Greg signs up
and fills out a request form, and Google sends him two virtual credit cards. Greg uses these cards to experiment with Google
Wallet, and demonstrates that it has a flaw where you can type in your own card number in a specific incorrect way and it will
take money from another account's credit card. In so doing, he makes payments to Google for hypothetical products and steals
money from one of his Google-issued virtual credit cards. In this way, Google gets their money back and Greg receives no real
products (because he isn't giving Google any of his own money). Greg reports this to Google, and they give him a reward and
get to work on fixing the vulnerability. Google may terminate the cards or let him keep them to do further research.
Visa operates a bug bounty program according to the second part of this idea, and Vanessa decides to participate. Vanessa
signs up and agrees that she may attempt to steal up to $1000 at a time from other customers' accounts (probably special fake
accounts set up for this purpose) as long as she responsibly reports how she did so to Visa. She discovers that by manipulating
the cookies and headers sent to Visa's server when she loads her account summary page, she can access another customer's
account. She uses this access to transfer $1000 to her own account, and reports this and how she did it to Visa. Visa reimburses
the account from which she took the money, and fixes the vulnerability that allowed her to do it.
|Provide a narrative, if you would, of how this would work in practice.
|So, Adam hacks VISA/MasterCard/AmEx via some
undiscovered vulnerability and transfers an amount just
short of the agreed limit to his personal account, then
calls VISA/MasterCard/AmEx and tell them how. They ask
that he keeps the matter secret, and grant him
immunity from prosecution AND let him keep the
|Hours later 8000 miles away Bob discovers the same
vulnerability and does the same, but this time what does
|Grant Bob the same immunity and cover another loss?
Reject Bob's claim because he's not the first to report?
Claw back Adam's proceeds on grounds that he must have
breached the non-disclosure clause?
|Adam and Bob and their peers recognize the potential
awkwardness in the situation, so rather than raise the
issue they simply execute their discovered hack, take as
much as they can (disregarding the agreed limit) and
keep quiet about it (apart from bragging to their peers).
|The cynic in me is pretty sure it's been working this way
since banking was invented, never mind computerized.
|A card with just 20 cents on it could easily be the target to prove your bug and cost less than the stamp to mail it out. Forever!@
|[bungston], narratives added.
|// Hours later 8000 miles away Bob discovers the same vulnerability and does the
same, but this time what does VISA/MasterCard/AmEx do? //
|Same thing any company operating a bug bounty program today does: reward
both. Both accomplished the same thing, didn't they? Newton and Leibniz both get
credit for inventing calculus. And this way, the company is incentivized to fix the
|// A card with just 20 cents on it could easily be the target to prove your bug and
cost less than the stamp to mail it out. //
|The cards don't have to be physical. At least one credit card company has had a
feature for a while now where they can send you a new card number to use for
each transaction. This could work the same way.
|//Newton and Leibniz// mmm biscuits