sb-eu logo
Story image

Not-for-profit Bug Bounty project surpasses major milestone

23 Feb 2018

The Open Bug Bounty project has reached 100,000 fixed vulnerabilities and is showing no signs of slowing down.

At the time of publication, the official count was over 101,000 as the not-for-profit group continues its relentless and honourable goal of making the web a safer place.

Open Bug Bounty accepts only CSRF and XSS vulnerabilities that – unless maliciously exploited in the open web – can’t harm the website or its users.

This enables security researchers to ethically report and help in patching security vulnerabilities on any websites even without a formal bug bounty.

High-Tech Bridge CEO Ilia Kolochenko says it’s good to see venerable projects like Open Bug Bounty succeed.

"Crowd security testing and bug bounties are an emerging market that can bring a lot of exciting opportunities both to the researchers and companies. Sustainability and economical practicality of some bounty programs can be questioned, however Open Bug Bounty's 100,000 fixed vulnerabilities speak for themselves,” says Kolochenko.

“I think there is a niche for good-faith researchers and SMEs or NGOs that lack resources to regularly buy penetration testing services, let alone run a full-scale bounty program.”

Open Bug Bounty began life as an XSS archive in 2014 and since then has grown into a coordinated disclosure and open bug bounty platform.  The full transparent and underlying non-profit concept of Open Bug Bounty is confounding to some given the ludicrous amounts of money that is raised on other paid bug bounty platforms.

The project’s involvement in the vulnerability disclosure and remediation process is limited to just vulnerability verification and prompt notification to the website owner. Details are not allowed to be disclosed publicly before 90 days after the notification.

Once website owners are aware of the vulnerability then Open Bug Bounty’s job is done – any further contacts with the researcher is up to the owners, who have no obligation to pay the security researchers – but are advised by Open Bug Bounty to at least say a thank you for the researchers’ time.

Average bounty payments are significantly lower when compared to Google or Facebook XSS’s payments, but some researchers do get four digit awards from grateful website owners as well as written recommendations, books, gadgets, branded gifts or even cakes.

Kolochenko says while bug bountys do an outstanding job of locating vulnerabilities, website owners should still be protecting themselves in other ways.

“One should, however, keep in mind that any crowd security testing can never substitute a mature application security program, with SDLC, DevSecOps and continuous security monitoring,” says Kolochenko.

“Auxiliary technologies, such as Web Application Firewalls, should also be implemented and maintained to enable proactive security.”

Story image
Illumio launches Zero Trust endpoint protection solution for our digital, remote world
“As organisations were forced to transform overnight to allow for remote work, a host of endpoint security issues that have either been ignored or invisible until now were brought to the forefront."More
Story image
Remote working trend bolsters cybersecurity investment - but downturn predicted
A new report from Canalys indicates investment in cybersecurity has increased 9.7% - but worsening economic conditions could turn the statistic around.More
Story image
Why DX is not complete without a transformed security architecture
Secure Access Services Edge (SASE) is the process by which core WAN edge capabilities like SD-WAN, routing, and WAN optimisation at branch locations are integrated with cloud-based security services like secure web gateways, firewall-as-a-service, cloud access security brokers, and more.More
Story image
State-based cyber attack targeting Australian government and businesses
Prime Minister Scott Morrison told media on Friday morning that a 'malicious' attack by a state-based cyber actor is underway in the country.More
Story image
NCC Group chosen to help improve IoT security standards for all sectors
“At NCC Group, security is in our DNA and that's why we're excited to work with the ioXt Alliance in raising security standards within the IoT ecosystem."More
Story image
MEF grants 3.0 SD-WAN certification to Fortinet
MEF has recently certified Fortinet’s Secure SD-WAN offering as being able to support MEF 3.0 SD-WAN services.More