A new venture

Paper by Timothy Libert.

Abstract:

“This article provides a quantitative analysis of privacy compromising mechanisms on one million popular websites. Findings indicate that nearly nine in ten websites leak user data to parties of which the user is likely unaware of; over six in ten websites spawn third-party cookies; and over eight in ten websites load Javascript code from external parties onto users’ computers. Sites which leak user data contact an average of nine external domains, indicating users may be tracked by multiple entities in tandem. By tracing the unintended disclosure of personal browsing histories on the web, it is revealed that a handful of American companies receive the vast bulk of user data. Finally, roughly one in five websites are potentially vulnerable to known NSA spying techniques at the time of analysis.”

I’ve put together a quick script that can be used to check if URL is compliant with app transport security:

http://www.whatsbeef.net/wabz/appts.php?url=https://facebook.com

By: Ramses Martinez, Senior Director, Interim CISO

2015 has been a pivotal year for the Yahoo Bug Bounty program. Our community engagement is at an all time high and our team is able to triage and fix bugs faster than ever. In the last year, the program evolved from a community sourced method of finding vulnerabilities to a key component of our application security program. One great example is how our Bug Bounty has become a feedback loop to determine the effectiveness of our application security controls. Our team uses each vulnerability report as a way to measure the impact of our developer training, effectiveness of scanning tools, and efficacy of source code reviews. This approach, over time, will lead to more secure applications and more secure Yahoo users.  

Below are some key data points from our Bug Bounty program to date, which we’ll continue to update to help the security community understand the efficacy of this work and help focus research in this space:

To date, we’ve paid out +$1M to security vulnerability reporters.

Submissions since the inception of the program have now reached the 10,000 mark.

Approximately 1,500 of these 10,000 reports have resulted in a bounty payout.

The current monthly validity rate of submissions is around 15%, an increase from 10% at the end of 2014.

More than 1,800 reporters have participated in the program, about 600 of these have reported verifiable bugs.

50% of the submissions are from the top 6% set of contributors 

87% of researchers submit less than 10 bugs, this equates to about 34% of all submissions.

A major improvement to our Bug Bounty program has been the implementation of a reputation system. This process is designed to award points to researchers after reporting a verifiable security bug. The number of points is also affected by the amount of the bounty the reporter is paid.  

The reputation system has made our list of top vulnerability reporters more meaningful by illustrating not only the number of reports they have submit, but the severity value we assigned to each. The reputation system also gives researchers a quantifiable way to compare their skills with the rest of the participants in the program.

Our Bug Bounty program would be nothing without our amazing, and dedicated, contributors. An example of one of these individuals is Sean Melia, our top contributor in 2015: https://hackerone.com/meals. I recently had a chance to speak with Sean and asked what motivated him to do vulnerability research, he answered:

“The aspect of solving a puzzle or reaching a goal has always been something I strive to do. I started on a whim and after enough determination I was able to find some interesting bugs that were worth my time and investment. I hope bug bounty programs continue to expand and improve since it’s a great opportunity for corporations and security researchers to work together.”

From the introduction to the complaint: