Vulnerability Management Glossary

Bug Bounty - Coordinated Vulnerability Disclosure and Reward Models

Bug bounty programs reward external security researchers for responsibly reporting vulnerabilities. Platforms: HackerOne (Apple: up to $1 million, Microsoft, Lufthansa), Bugcrowd, Intigriti (European, GDPR-compliant). Key elements: scope definition (in-scope/out-of-scope), severity assessment according to CVSS, a triage process, and a safe harbor clause (legal protection for researchers). A VDP (Vulnerability Disclosure Policy) is the free starting point. BSIG §8b mandates a VDP for KRITIS entities.

Bug bounty programs are structured mechanisms through which companies invite external security researchers to test their systems for vulnerabilities—and reward those who successfully find them. They complement (but do not replace!) internal penetration tests and are scalable for companies of all sizes.

VDP vs. Bug Bounty

VDP (Vulnerability Disclosure Policy) – free, no rewards

  • Public statement: "We accept security reports"
  • Contact channel: security@company.com or HackerOne/Bugcrowd VDP
  • Safe Harbor: legal protection for researchers (not a "hacker attack"!)
  • No bounties, but: recognition, Hall of Fame, CVE assignment
  • Mandatory for KRITIS (BSIG §8b): contact point for reports

Minimum VDP (everyone should have this!):

# security.txt (RFC 9116) at https://company.com/.well-known/security.txt
Contact: mailto:security@company.com
Expires: 2027-01-01T00:00:00z
Preferred-Languages: de, en
Policy: https://company.com/security/policy
Encryption: https://company.com/pgp-key.txt
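As an added example (not code from this glossary page), the following Python script parses a security.txt file and checks the points that matter for a minimum VDP: a Contact URI is present, exactly one Expires field exists, it is not in the past and not more than a year away, and every URL uses https. The sample file is the page's own example embedded as constructed input; the field names follow RFC 9116.

```python
# Added example (not code from the glossary page): a small validator for a
# security.txt file using the field names from RFC 9116. The sample file below
# is the page's own example, embedded here as constructed input.
from datetime import datetime, timedelta, timezone

SAMPLE_SECURITY_TXT = """\
# security.txt (RFC 9116) at https://company.com/.well-known/security.txt
Contact: mailto:security@company.com
Expires: 2027-01-01T00:00:00z
Preferred-Languages: de, en
Policy: https://company.com/security/policy
Encryption: https://company.com/pgp-key.txt
"""

# Contact must be a URI; these are the schemes RFC 9116 names for it.
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text):
    """Map each field name to its list of values ('#' lines are comments)."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of findings; an empty list means the file passed every check.

    `now` may be a timezone-aware datetime or an ISO 8601 string (for tests)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = []

    contacts = fields.get("Contact", [])
    if not contacts:
        findings.append("Contact is required (at least one contact URI)")
    for contact in contacts:
        if not contact.startswith(CONTACT_SCHEMES):
            findings.append(f"Contact should be a mailto:, https:// or tel: URI: {contact}")

    expires = fields.get("Expires", [])
    if len(expires) != 1:
        findings.append("exactly one Expires field is required")
    else:
        try:
            # RFC 3339 allows a lowercase 'z'; datetime.fromisoformat() wants '+00:00'
            exp = datetime.fromisoformat(expires[0].upper().replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"Expires is not an RFC 3339 date-time: {expires[0]}")
        else:
            if exp <= now:
                findings.append("Expires is in the past: the file is stale and will be ignored")
            elif exp - now > timedelta(days=365):
                findings.append("Expires is more than a year away (RFC 9116 recommends less)")

    # Every URL-valued field (Policy, Encryption, Canonical, ...) must be https.
    for name, values in fields.items():
        for value in values:
            if value.lower().startswith("http://"):
                findings.append(f"{name} must use https://, not http://: {value}")
    return findings


if __name__ == "__main__":
    for finding in validate_security_txt(SAMPLE_SECURITY_TXT) or ["OK"]:
        print(finding)
```

Run it against the file you actually serve at /.well-known/security.txt; the Expires check is the one most often missed, because a stale file is treated as absent by researchers' tooling.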

Bug Bounty (with rewards)

  • Rewards: $100 (low) to $1,000,000 (critical, Apple)
  • More reports, higher-quality researchers
  • Platform or private
  • Requires: internal triage process, budget, time

Comparison

Feature               | VDP       | Bug Bounty
----------------------|-----------|-------------------------------
Cost                  | Low       | Medium-High (rewards!)
Number of researchers | Fewer     | Many more
Report quality        | Medium    | Higher (motivated by bounties)
Maintenance effort    | Low       | Medium-High
Recommended for       | Everyone! | From medium security maturity

Platform Comparison

HackerOne

  • Largest platform (1M+ registered researchers)
  • Clients: Apple, Google, Microsoft, Lufthansa, HVB
  • Pricing: starting at $15k/year for private programs
  • Unique feature: CVE numbering as CNA (HackerOne assigns CVEs)
  • US-based: Check for GDPR concerns with EU companies

Bugcrowd

  • Competitor to HackerOne, similar size
  • Strengths: Managed bug bounty option (triage by Bugcrowd)
  • Clients: Mastercard, OpenAI, Netgear

Intigriti

  • European provider (Belgium), GDPR-compliant
  • Specifically recommended for EU companies
  • Researcher community: strong in Europe
  • Clients: Telenet, Ahold Delhaize, various EU authorities

Yeswehack

  • French provider, also GDPR-friendly
  • Strong presence in France and the DACH region

Private program (no platform)

  • Email-based: security@company.com
  • No platform costs, but: coordination effort
  • No public trust (researchers often distrust private programs)
  • Only for small businesses or as a supplement

Scope Definition

In-Scope (must be clearly defined!)

  • Subdomains: *.company.com (or explicitly: app.company.com, api.company.com)
  • Apps: mobile apps (iOS/Android)
  • APIs: REST, GraphQL, etc.
  • Specific test hosts: staging.company.com (upon request)

Out-of-Scope (what is explicitly prohibited)

  • Denial of Service (DoS/DDoS) – always prohibited!
  • Directly writing to the production database
  • Social engineering against employees
  • Physical penetration
  • Third-party software (unless the company's own code is involved)
  • Systems belonging to customers/partners
  • Spamming, flooding

Testing restrictions

  • No automated mass scans (observe rate limits!)
  • Found data: do not exfiltrate, report immediately
  • No proof-of-concepts involving real data
  • Disclosure deadline: only after a fix (coordinated!)

Example Scope (HackerOne Format)

scope:
  - type: url
    value: "https://app.company.com"
    eligibility: in_scope
    max_severity: critical
  - type: url
    value: "https://api.company.com"
    eligibility: in_scope
  - type: url
    value: "https://status.company.com"
    eligibility: out_of_scope  # Third-party provider!
  - type: android
    value: "com.company.app"
    eligibility: in_scope
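A scope definition is only useful if triage applies it consistently. The following Python script is an added example (not HackerOne's code and not part of this page): it loads a scope list mirroring the sample above and decides whether the asset named in a report is in scope, giving out-of-scope entries precedence and exact entries precedence over wildcards. The wildcard entry for *.company.com and the hostnames are assumptions; the URL is parsed rather than prefix-matched so that a userinfo trick such as app.company.com@evil.example resolves to the real host.

```python
# Added example (not HackerOne's code): scope check used during triage to
# decide whether the asset named in a report is in scope. The entries mirror
# the page's sample scope; the wildcard entry and the hostnames are assumed.
from urllib.parse import urlsplit

SCOPE = [
    {"type": "url", "value": "https://app.company.com", "eligibility": "in_scope", "max_severity": "critical"},
    {"type": "url", "value": "https://api.company.com", "eligibility": "in_scope"},
    {"type": "url", "value": "https://status.company.com", "eligibility": "out_of_scope"},  # third-party provider
    {"type": "url", "value": "https://*.company.com", "eligibility": "in_scope", "max_severity": "high"},  # assumed wildcard entry
    {"type": "android", "value": "com.company.app", "eligibility": "in_scope"},
]
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def _pattern_host(entry):
    """The host (or package name) an entry applies to, lower-cased."""
    if entry["type"] == "url":
        return (urlsplit(entry["value"]).hostname or "").lower()
    return entry["value"].lower()


def _host_matches(pattern, host):
    # "*.company.com" covers subdomains only: the apex "company.com" and a
    # look-alike such as "evil-company.com" do not end with ".company.com".
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def classify_asset(asset_type, asset_value, scope=SCOPE):
    """Return (eligibility, entry) where eligibility is 'in_scope',
    'out_of_scope' or 'unknown'. Any out-of-scope match wins over in-scope
    matches, and an exact entry wins over a wildcard one."""
    if asset_type == "url":
        # Parse the URL instead of prefix-matching the raw string, so that
        # "https://app.company.com@evil.example/" resolves to host evil.example.
        host = (urlsplit(asset_value).hostname or "").lower()
    else:
        host = asset_value.lower()
    matches = [e for e in scope
               if e["type"] == asset_type and _host_matches(_pattern_host(e), host)]
    if not matches:
        return "unknown", None
    out = [e for e in matches if e["eligibility"] == "out_of_scope"]
    if out:
        return "out_of_scope", out[0]
    exact = [e for e in matches if not _pattern_host(e).startswith("*.")]
    return "in_scope", (exact or matches)[0]


def capped_severity(entry, reported):
    """Apply the entry's max_severity, if any, to the severity a report claims."""
    cap = entry.get("max_severity")
    if cap is None or SEVERITY_ORDER.index(reported) <= SEVERITY_ORDER.index(cap):
        return reported
    return cap


if __name__ == "__main__":
    for kind, value in [("url", "https://app.company.com/login"),
                        ("url", "https://status.company.com"),
                        ("url", "https://dev.company.com"),
                        ("url", "https://company.com"),
                        ("android", "com.company.app")]:
        print(kind, value, classify_asset(kind, value))
```

An asset that classifies as "unknown" is neither covered by safe harbor nor eligible for a reward, which is exactly the case the triage team should flag back to the researcher rather than silently accept.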

Reward Structure and CVSS Rating

CVSS Basis (Common Vulnerability Scoring System)

Severity | CVSS score | Typical reward
---------|------------|-----------------
Critical | 9.0-10.0   | $5,000-$25,000+
High     | 7.0-8.9    | $1,000-$5,000
Medium   | 4.0-6.9    | $200-$1,000
Low      | 0.1-3.9    | $50-$200

Adjustment Factors

  • Exploitability: Is the exploit publicly available? → Higher reward
  • Impact on Data: Is customer data affected? → Higher reward
  • Authentication: Can it be exploited without an account? → Higher reward
  • Difficulty: Is it very clever/original? → Bonus possible

Sample Reward Tables (publicly known)

Apple Security Bounty (highest on the market):

  • iCloud: up to $50k
  • Safari Remote Code Execution: up to $200k
  • Full Kernel Code Execution: up to $1,000,000 (!!)

Microsoft Bug Bounty:

  • Azure: up to $60k
  • M365 Critical: up to $30k
  • Authentication: $15k–$30k

Google (VRP):

  • Android: up to $300k (with exploit chain)
  • Chrome: up to $250k

Safe Harbor Clause (essential!)

> Researchers who adhere to the scope rules will not be prosecuted criminally or sued civilly, and their devices will not be confiscated. Testing within scope is not treated as an offence under §202a StGB, even though it technically involves "intrusion".

Important: Safe Harbor protects ONLY within the defined scope!

Triage Process and SLAs

SLA Standards (Industry Best Practice)

Phase            | Deadline
-----------------|-----------------------------------------------
Initial response | 24–72 hours (confirmation of receipt)
Triage           | 5–10 business days (reproduction + CVSS assessment)
Fix Critical     | 7–14 days
Fix High         | 30 days
Fix Medium       | 90 days
Fix Low          | 180 days
Disclosure       | After fix (or after deadline: 90–180 days)

Triage Steps

  1. Confirm receipt (automated acknowledgment)
  2. Reproduce: Is the vulnerability real?
    • Yes → Assess severity (CVSS)
    • No → "Invalid" (with justification!)
    • Duplicate → "Duplicate" (Reward: first person, if applicable)
  3. Escalate internally to the responsible team
  4. Implement fix + test
  5. Notify researcher + pay reward
  6. Public disclosure (if desired): Report + CVE

Common duplicate issues

  • Researchers report the same vulnerability multiple times
  • Solution: Fast initial triage (< 48h) reduces duplicates
  • "Duplicate" feedback: polite + explanatory

Program Metrics (for improvement)

  • Average time to triage
  • Average time to fix
  • Reward payouts per month/year
  • Number of valid reports per month
  • CVSS distribution (too many Low = scope too broad?)
  • Researcher retention (same researchers returning = good program)
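The reward table, the SLA table and the metrics list above fit together in one small triage helper. The following Python script is an added example (not code from this page): it maps a CVSS score to the page's severity band, reward range and fix SLA, flags reports that are outside the triage or fix SLA, and computes average time to triage, average time to fix, valid reports per month and the CVSS distribution over a constructed set of sample reports. The SLA windows are taken from the tables above; treating the triage window as 10 calendar days and the sample report records are assumptions.

```python
# Added example (not code from the page): a triage helper that turns a CVSS
# score into the page's severity band, reward range and fix SLA, and computes
# the program metrics listed above over constructed sample reports.
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean

# (band, min score, max score, reward low, reward high, fix SLA in days) from the page's tables
BANDS = [
    ("critical", 9.0, 10.0, 5000, 25000, 14),
    ("high", 7.0, 8.9, 1000, 5000, 30),
    ("medium", 4.0, 6.9, 200, 1000, 90),
    ("low", 0.1, 3.9, 50, 200, 180),
]
TRIAGE_SLA_DAYS = 10  # upper end of the 5–10 business day window (calendar days here; a simplification)


def band_for(cvss):
    """Severity band for a CVSS base score (one decimal, 0.1 to 10.0)."""
    score = round(float(cvss), 1)
    for name, lo, hi, *_ in BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"not a CVSS score in 0.1-10.0: {cvss}")


def reward_range(cvss):
    """(low, high) typical reward in USD for the score's band."""
    name = band_for(cvss)
    return next((b[3], b[4]) for b in BANDS if b[0] == name)


def fix_due(received, cvss):
    """Date by which a fix for this severity is due under the SLA table."""
    days = next(b[5] for b in BANDS if b[0] == band_for(cvss))
    return received + timedelta(days=days)


def sla_breaches(report, now):
    """Reasons this report is outside SLA as of `now` (empty list = on track)."""
    reasons = []
    triage_due = report["received"] + timedelta(days=TRIAGE_SLA_DAYS)
    # An untriaged/unfixed report is judged against `now`, so open breaches show up too.
    if (report.get("triaged") or now) > triage_due:
        reasons.append("triage")
    if report.get("cvss") is not None:
        if (report.get("fixed") or now) > fix_due(report["received"], report["cvss"]):
            reasons.append("fix")
    return reasons


def program_metrics(reports, now):
    """The metrics the page lists, computed over a list of report records."""
    valid = [r for r in reports if r["status"] in ("triaged", "resolved")]
    triaged = [r for r in reports if r.get("triaged")]
    fixed = [r for r in reports if r.get("fixed")]
    breaches = {r["id"]: sla_breaches(r, now) for r in reports}
    return {
        "avg_days_to_triage": mean((r["triaged"] - r["received"]).days for r in triaged),
        "avg_days_to_fix": mean((r["fixed"] - r["received"]).days for r in fixed),
        "valid_per_month": Counter(r["received"].strftime("%Y-%m") for r in valid),
        "cvss_distribution": Counter(band_for(r["cvss"]) for r in valid),
        "sla_breaches": {k: v for k, v in breaches.items() if v},
    }


# Constructed sample reports (not real data); duplicates carry no CVSS score.
D = datetime
REPORTS = [
    {"id": "R-1", "received": D(2025, 3, 1), "triaged": D(2025, 3, 4), "cvss": 9.1, "fixed": D(2025, 3, 10), "status": "resolved"},
    {"id": "R-2", "received": D(2025, 3, 2), "triaged": D(2025, 3, 3), "cvss": 5.3, "fixed": D(2025, 5, 20), "status": "resolved"},
    {"id": "R-3", "received": D(2025, 3, 5), "triaged": D(2025, 3, 6), "cvss": None, "fixed": None, "status": "duplicate"},
    {"id": "R-4", "received": D(2025, 3, 9), "triaged": D(2025, 3, 25), "cvss": 7.5, "fixed": None, "status": "triaged"},
    {"id": "R-5", "received": D(2025, 3, 12), "triaged": D(2025, 3, 13), "cvss": 3.1, "fixed": D(2025, 3, 30), "status": "resolved"},
]
METRICS_NOW = D(2025, 4, 15)

if __name__ == "__main__":
    for key, value in program_metrics(REPORTS, METRICS_NOW).items():
        print(f"{key}: {value}")
```

In the sample data, R-4 is the report to look at: it was triaged late and its 30-day fix window for a High finding has passed without a fix, which is the pattern behind both duplicate reports (slow triage) and researcher churn.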