Page 36 - Hands-On Bug Hunting for Penetration Testers
Choosing Your Hunting Ground Chapter 2
Google
Google's program is expansive, with detailed payout structures and specific instructions for
classifying different types of bug. Most of the relevant information can be found on the
rewards section of their Application Security page, but Google also curates a (small) set of
pentesting tutorials, with specific attention paid to finding the types of bugs and submitting
the kinds of reports about them that Google wants to receive.
The articles on Bughunter University and other Google resources have different levels of
applicability (some of it is just Google's preferences, requirements, and so on), but even
the more idiosyncratic sections contain best practices and wisdom that can be applied to other
programs and engagements. Other companies might not agree completely with Google's list of
common types of non-qualifying report, but there'll still be substantial overlap, making it a
useful guide regardless of the vendor.
In addition to the materials on Bughunter University, Google is responsible for creating and
maintaining a lot of great instructional applications. We'll be using one, Google Gruyere
(https://google-gruyere.appspot.com), as part of our chapter on XSS, and you can find
other great resources from Google in the other tools section at the end of the book.
Facebook
Facebook has a bug bounty program with a minimum payout of $500, but as the very direct
language in their responsible disclosure policy attests, they do not tolerate mucking about
with production data: if you comply with the policies when reporting a security issue to
Facebook, they will not initiate a lawsuit or law enforcement investigation against you in
response to your report.
The amount of information available for their program is minimal. You'll find a side-by-side
example of a submission report and an improved version, with some non-qualifying
vulnerabilities, but not much in the way of universal lessons or professional tips.
As the legalese signals, Facebook is very sensitive to misuse of its platform, especially
given recent increased scrutiny. And because so many exploits will be aimed at affecting
users, it's critical to stop short of writing any code that could subvert an account.