Story image

Not-for-profit Bug Bounty project surpasses major milestone

23 Feb 18

The Open Bug Bounty project has reached 100,000 fixed vulnerabilities and is showing no signs of slowing down.

At the time of publication, the official count was over 101,000 as the not-for-profit group continues its relentless and honourable goal of making the web a safer place.

Open Bug Bounty accepts only CSRF and XSS vulnerabilities that – unless maliciously exploited in the open web – can’t harm the website or its users.

This enables security researchers to ethically report and help in patching security vulnerabilities on any websites even without a formal bug bounty.

High-Tech Bridge CEO Ilia Kolochenko says it’s good to see venerable projects like Open Bug Bounty succeed.

"Crowd security testing and bug bounties are an emerging market that can bring a lot of exciting opportunities both to the researchers and companies. Sustainability and economical practicality of some bounty programs can be questioned, however Open Bug Bounty's 100,000 fixed vulnerabilities speak for themselves,” says Kolochenko.

“I think there is a niche for good-faith researchers and SMEs or NGOs that lack resources to regularly buy penetration testing services, let alone run a full-scale bounty program.”

Open Bug Bounty began life as an XSS archive in 2014 and since then has grown into a coordinated disclosure and open bug bounty platform.  The full transparent and underlying non-profit concept of Open Bug Bounty is confounding to some given the ludicrous amounts of money that is raised on other paid bug bounty platforms.

The project’s involvement in the vulnerability disclosure and remediation process is limited to just vulnerability verification and prompt notification to the website owner. Details are not allowed to be disclosed publicly before 90 days after the notification.

Once website owners are aware of the vulnerability then Open Bug Bounty’s job is done – any further contacts with the researcher is up to the owners, who have no obligation to pay the security researchers – but are advised by Open Bug Bounty to at least say a thank you for the researchers’ time.

Average bounty payments are significantly lower when compared to Google or Facebook XSS’s payments, but some researchers do get four digit awards from grateful website owners as well as written recommendations, books, gadgets, branded gifts or even cakes.

Kolochenko says while bug bountys do an outstanding job of locating vulnerabilities, website owners should still be protecting themselves in other ways.

“One should, however, keep in mind that any crowd security testing can never substitute a mature application security program, with SDLC, DevSecOps and continuous security monitoring,” says Kolochenko.

“Auxiliary technologies, such as Web Application Firewalls, should also be implemented and maintained to enable proactive security.”

Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.
Google Cloud, Palo Alto Networks extend partnership
Google Cloud and Palo Alto Networks have extended their partnership to include more security features and customer support for all major public clouds.