Hack-a-thon Finds 220 Bugs in Facebook, Google, Etsy

What do you get when you put some hackers in a room and give them a list of target Websites? They go bug-hunting!
That was what happened at Bug Bash 2013, an "internet-wide hack-a-thon" run by Bugcrowd at the AppSec USA conference in New York earlier this week. Approximately 80 people participated over the course of three evenings, and "hundreds" participated remotely over the Internet, said Casey John Ellis, founder and CEO of Bugcrowd. Participants submitted the bugs they identified to Bugcrowd, and the team replicated the conditions leading up to the error to confirm the issue.
The list of targets included companies like Facebook, Google, Etsy, Prezi, and Yandex. The security testers who took part identified over 220 bugs, Ellis said. For the most part, the issues were of the mundane run-of-the-mill variety, including some injection and bypass vulnerabilities.
"I haven't heard about any exotic vulnerabilities, yet, but we are still analyzing our data," Ellis said.
Bugcrowd plans to release more details about the type of bugs uncovered and information about the event at a later date. The San Francisco-based startup runs programs where groups of people work together to find bugs in Websites and applications. Once it confirms that the bugs being reported are legitimate, it handles the process of notifying appropriate vendors.
Bug Bounties
Bug bounty programs are increasingly becoming popular, as companies encourage researchers to submit bug reports to them directly, instead of selling them to the government or offering them to exploit brokers. Not reporting the bug to the vendor means that buyer can use these vulnerabilities for their own purposes and leaves users unprotected from that software flaw.
Mozilla and Google probably have the best known bug bounty programs, but many other companies now offer some kind of a program (a long, but not complete, list is here). Facebook announced in August that it had paid out a million dollars in bounties over the past two years.
Not all bugs qualify for these programs. For example, Facebook makes it clear their program covers only issues that could "could compromise the integrity of Facebook user data, circumvent the privacy protections of Facebook user data, or enable access to a system within the Facebook infrastructure." Microsoft launched a series of prizes recently and was very specific in the kind of issues it was looking for.
Bug Bash 2013
It's hard to estimate at this point how much the bugs uncovered as part of Bug Bash are worth in total, since bug bounty programs vary so widely in how much they pay. Some programs pay several hundred dollars and others pay several thousand dollars. It's also important to note that each company has specific rules about what they recognize as a bug and what types of issues are covered under the bug bounty program.
Even though 220 bugs were submitted, it's up to the vendor to decide whether the issues qualified for a payout. And even if there is a payout, it's also up to the vendor to decide the amount. However, even if every single one of the 200+ bugs are worth only a few hundred dollars, that isn't bad for a few hours of work over three days.
Facebook representatives were even on hand during the events to give insights into their bug bounty programs as well as to answer questions from the participants.
People who had been in training sessions learning about different techniques were stopping by to take part in the group-hack, said Tom Brennan, a board member for OWASP Foundation and one of the organizers for AppSec USA. People were collaborating while working on targets and asking for help from each other. Finding bugs is not an automated process as it really requires people to think about what they are seeing and adjusting their techniques accordingly. A collaborative environment where people can bounce ideas off each other can be "very effective" for bug-hunting, Brennan said.