Story image

Not-for-profit Bug Bounty project surpasses major milestone

23 Feb 18

The Open Bug Bounty project has reached 100,000 fixed vulnerabilities and is showing no signs of slowing down.

At the time of publication, the official count was over 101,000 as the not-for-profit group continues its relentless and honourable goal of making the web a safer place.

Open Bug Bounty accepts only CSRF and XSS vulnerabilities that – unless maliciously exploited in the open web – can’t harm the website or its users.

This enables security researchers to ethically report and help in patching security vulnerabilities on any websites even without a formal bug bounty.

High-Tech Bridge CEO Ilia Kolochenko says it’s good to see venerable projects like Open Bug Bounty succeed.

"Crowd security testing and bug bounties are an emerging market that can bring a lot of exciting opportunities both to the researchers and companies. Sustainability and economical practicality of some bounty programs can be questioned, however Open Bug Bounty's 100,000 fixed vulnerabilities speak for themselves,” says Kolochenko.

“I think there is a niche for good-faith researchers and SMEs or NGOs that lack resources to regularly buy penetration testing services, let alone run a full-scale bounty program.”

Open Bug Bounty began life as an XSS archive in 2014 and since then has grown into a coordinated disclosure and open bug bounty platform.  The full transparent and underlying non-profit concept of Open Bug Bounty is confounding to some given the ludicrous amounts of money that is raised on other paid bug bounty platforms.

The project’s involvement in the vulnerability disclosure and remediation process is limited to just vulnerability verification and prompt notification to the website owner. Details are not allowed to be disclosed publicly before 90 days after the notification.

Once website owners are aware of the vulnerability then Open Bug Bounty’s job is done – any further contacts with the researcher is up to the owners, who have no obligation to pay the security researchers – but are advised by Open Bug Bounty to at least say a thank you for the researchers’ time.

Average bounty payments are significantly lower when compared to Google or Facebook XSS’s payments, but some researchers do get four digit awards from grateful website owners as well as written recommendations, books, gadgets, branded gifts or even cakes.

Kolochenko says while bug bountys do an outstanding job of locating vulnerabilities, website owners should still be protecting themselves in other ways.

“One should, however, keep in mind that any crowd security testing can never substitute a mature application security program, with SDLC, DevSecOps and continuous security monitoring,” says Kolochenko.

“Auxiliary technologies, such as Web Application Firewalls, should also be implemented and maintained to enable proactive security.”

SailPoint releases first identity annual report
SailPoint’s research found that many organisations are lacking maturity in their governance processes over identities.
Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Verifi takes spot in Deloitte Asia Pacific Fast 500
"An increasing amount of companies captured by New Zealand’s Anti-Money laundering legislation are realising that an electronic identity verification solution can streamline their customer onboarding."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
What disaster recovery will look like in 2019
“With nearly half of all businesses experiencing an unrecoverable data event in the last three years, current backup solutions are no longer fit for purpose."
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.