Interview with Daniel Stenberg: His thoughts on the Curl Bug Bounty Program


Curl is the most popular open source command line tool and library for transferring data with URLs. It is also used in cars, television sets, routers, printers, audio equipment, mobile phones, tablets, set-top boxes and media players, and it is the internet transfer backbone for thousands of software applications affecting billions of humans daily.

It is so popular and convenient that it is even used in high-end cars, as described in the article linked HERE.

What is the significance of security in curl and of the curl bug bounty program as a whole?

The article referenced above gives insight into the huge user base: nearly 100 million cars run curl, as do a few million web applications. If you are a PHP developer reading this, you will be accustomed to relying on curl to build quality web applications and to implement a range of functionality in them. This means that a single serious security vulnerability in curl could cripple large infrastructure-based applications and put at risk millions of end users who use curl directly or through software built on its library functions.

A single serious vulnerability in this software, for example a Remote Code Execution, followed by a successful mass-scale exploit by skilled attackers, could wreak havoc. To help prevent this and address the problems that arise from security issues, and in the interest of the open source community using this software, Daniel Stenberg, curl’s maker, has launched a Bug Bounty program, as he mentioned in this tweet.

This might offer up to $500 (or the entire amount sponsored by supporters) to qualified security researchers who submit a valid security vulnerability that is in scope for the program. This stands out as a great move: security researchers will be compensated adequately for their contributions to maintaining curl’s security, which can discourage them from selling these exploits or exploiting them for personal gain, and it helps harden the software.

About the Curl Bug Bounty Program

Earlier, the IBB on HackerOne used to pay out at its discretion for critical vulnerabilities in libcurl, but now things have changed a little: curl wishes to have its own unique bug bounty program and to reward researchers as well as it possibly can.

Currently the asset in scope is its public git repo:
https://github.com/curl/curl

Scope/classes of vulnerabilities for which bounties would be rewarded:

  • Stack overflows
  • Heap memory corruption
  • Information leaks
  • Authentication bypasses
  • Denial of Service vectors
  • Other serious vulnerabilities

Exclusions

The following is considered out of scope and will not receive a bounty:

  • Social engineering (including phishing) or physical attacks
  • Minor flaws or mistakes that do not have a security impact

The curl security team will determine whether a reported issue is considered a security vulnerability and give it a security rating of Low, Moderate, High, or Critical based on its ease of exploitation, resulting attacker control, and commonality of required configuration.

The BountyGraph Panel will have final say on the amount paid out for the vulnerability, but will base this decision on curl’s final assessment of the bug.

Only flaws that are still present in the latest version of curl are eligible for bounty submissions, so make sure the flaw still reproduces against the latest release before submitting a report.

Benefits to the Bug Hunter Community

That being said, it is a great program to invest your time in if you are a bug hunter, a security researcher, or a developer who uses curl and can spend some time looking into its inner workings to spot security flaws.

Interview with the maker of Curl, Daniel Stenberg

Q: You have launched a self-managed bug bounty program for the first
time. Earlier, IBB used to pay out for most security issues in libcurl. How do
you think the idea of a self-managed bug bounty program, which has some
obvious problems such as active funding, might eventually succeed?

First, this bounty program is run on bountygraph.com so I wouldn't call it
"self-managed" since we're standing on a lot of infra setup and handled by
others.

To me, this is an attempt to make a bounty program that is more visible as
clearly a curl bounty program. I love hackerone and the IBB program for what
they offer, but it is:

A) very generic, so the fact that you can get money for curl flaws there is not easy to figure out, and there's no obvious way for
companies to sponsor curl security research; and

B) they are very picky about which flaws they pay money for ("only critical flaws"),
and I hope this program can be a little more accommodating - assuming we get sponsors of course.

Will it work and make any differences compared to IBB? I don't know. We will 
just have to see how it plays out.

Q: How do you think the crowdsourcing model is going to help this bug bounty
program?

It's crucial. If nobody sponsors this program, there will be no money to do
payouts with and without payouts there are no bounties. Then I'd call the curl
bounty program a failure. But we're also not in a hurry. We can give this some
time to see how it works out.

My hope is though that because curl is such a widely used component, we will
get sponsors interested in helping out.

Q: What would be the maximum reward for most critical a.k.a. P0 security
vulnerabilities for this program?

Right now we have a total of 500 USD to hand out. If you report a p0 bug now,
I suppose you'll get that. If we just get sponsors, I'm hoping we should be
able to raise that reward level significantly. I might be very naive, but I
think we won't have to pay for very many critical flaws.

It goes back to the previous question: this model will only work if we get
sponsors.

Q: Do you feel there’s a risk that bounty hunters could turn malicious?

I don't think this bounty program in particular increases or reduces that risk to
any significant degree. Malicious hunters probably already exist and I would
assume that blackhat researchers might be able to extract more money on the
less righteous markets if they're so inclined. I don't think we can "outbid"
such buyers with this program.

Q: How will this new program mutually benefit security researchers as well as
the open source community around curl as a whole?

Again, assuming that this works out...

Researchers can get compensated for the time and efforts they spend helping
the curl project to produce and provide a more secure product to the world.

curl is used by virtually every connected device in the world in one way or
another, affecting every human in the connected world on a daily basis. By
making sure curl is secure we keep users safe; users of countless devices,
applications and networked infrastructure.

Independent Security Researcher and Consultant who loves to tinker with and sometimes break stuff in the process of doing so. Broke stuff and got paid by Google, appeared on Google HoF then Alibaba, Smartsheet, Asana and dozens of other top companies. Manages Andmp in his spare time. Catch me on HackTheBox

Md Arif Khan