Presentation Material
Abstract
A large part of the internet relies on open source software, so securing the open source ecosystem is more important than ever. The talk will offer insights into HackerOne programs that include the code bases of open source software in scope, and a brief look at how to approach open source targets on HackerOne. Lastly, we will introduce the Internet Bug Bounty (IBB), cover the open source projects that are part of IBB, explain the reporting process for getting rewarded via IBB, and give a brief overview of some recent interesting bugs paid through IBB.
AI Generated Summary
The talk addresses the security of open source software through community-driven bug bounty programs. It argues that open source components form a critical and growing part of the digital attack surface, necessitating dedicated security efforts beyond traditional dynamic application testing.
A methodology for auditing open source projects is presented, emphasizing a shift from broad reconnaissance to deep, project-specific source code analysis. Key preparatory steps include selecting a target from platforms like HackerOne (filtered by source code), establishing a capable code editor (e.g., VS Code) with strong regex search, and building a custom threat model for the project. The speaker stresses that manual code reading is irreplaceable and that understanding the project’s functionality and user roles is essential to identify high-risk boundaries like authentication, serialization, and third-party integrations.
Technical techniques combine static analysis (SAST) tools—such as CodeQL, LGTM, Brakeman, SpotBugs, and cppcheck—with targeted manual review. SAST is useful for large codebases but suffers from false positives and cannot detect business logic flaws. Manual review should be guided by metadata like code age, complexity, and historical bug-prone contributors. The talk highlights that vulnerability patterns can be learned by examining past security patches in the project’s pull requests.
The Internet Bug Bounty (IBB) is introduced as a key initiative to fund open source security. It pools contributions from corporate sponsors (e.g., Figma, Facebook) to reward researchers. The process requires a finder to report a vulnerability directly to the project maintainer; after the project triages, fixes, and publishes a security advisory (CVE or otherwise), the finder claims a reward from IBB. The bounty is split 80% to the researcher and 20% to the project maintainers to support remediation efforts. Current in-scope projects include Electron, Node.js, and Apache Foundation projects.
Practical implications are that numerous open source programs offer bug bounties on platforms like HackerOne. Researchers should build strong foundational skills in code review and a specific programming language before targeting complex open source projects. The IBB provides a sustainable financial model for securing widely used shared libraries.