Story image

Not-for-profit Bug Bounty project surpasses major milestone

23 Feb 2018

The Open Bug Bounty project has reached 100,000 fixed vulnerabilities and is showing no signs of slowing down.

At the time of publication, the official count was over 101,000 as the not-for-profit group continues its relentless and honourable goal of making the web a safer place.

Open Bug Bounty accepts only CSRF and XSS vulnerabilities that – unless maliciously exploited in the open web – can’t harm the website or its users.

This enables security researchers to ethically report and help in patching security vulnerabilities on any websites even without a formal bug bounty.

High-Tech Bridge CEO Ilia Kolochenko says it’s good to see venerable projects like Open Bug Bounty succeed.

"Crowd security testing and bug bounties are an emerging market that can bring a lot of exciting opportunities both to the researchers and companies. Sustainability and economical practicality of some bounty programs can be questioned, however Open Bug Bounty's 100,000 fixed vulnerabilities speak for themselves,” says Kolochenko.

“I think there is a niche for good-faith researchers and SMEs or NGOs that lack resources to regularly buy penetration testing services, let alone run a full-scale bounty program.”

Open Bug Bounty began life as an XSS archive in 2014 and since then has grown into a coordinated disclosure and open bug bounty platform.  The full transparent and underlying non-profit concept of Open Bug Bounty is confounding to some given the ludicrous amounts of money that is raised on other paid bug bounty platforms.

The project’s involvement in the vulnerability disclosure and remediation process is limited to just vulnerability verification and prompt notification to the website owner. Details are not allowed to be disclosed publicly before 90 days after the notification.

Once website owners are aware of the vulnerability then Open Bug Bounty’s job is done – any further contacts with the researcher is up to the owners, who have no obligation to pay the security researchers – but are advised by Open Bug Bounty to at least say a thank you for the researchers’ time.

Average bounty payments are significantly lower when compared to Google or Facebook XSS’s payments, but some researchers do get four digit awards from grateful website owners as well as written recommendations, books, gadgets, branded gifts or even cakes.

Kolochenko says while bug bountys do an outstanding job of locating vulnerabilities, website owners should still be protecting themselves in other ways.

“One should, however, keep in mind that any crowd security testing can never substitute a mature application security program, with SDLC, DevSecOps and continuous security monitoring,” says Kolochenko.

“Auxiliary technologies, such as Web Application Firewalls, should also be implemented and maintained to enable proactive security.”

Why SD-WAN is key for expanding businesses - SonicWall
One cost every organisation cannot compromise on is reliable and quick internet connection.
New threat rears its head in new malware report
Check Point’s researchers view Speakup as a significant threat, as it can be used to download and spread any malware.
Oracle updates enterprise blockchain platform
Oracle’s enterprise blockchain has been updated to include more capabilities to enhance development, integration, and deployment of customers’ new blockchain applications.
Used device market held back by lack of data security regulations
Mobile device users are sceptical about trading in their old device because they are concerned that data on those devices may be accessed or compromised after they hand it over.
Gartner names ExtraHop leader in network performance monitoring
ExtraHop provides enterprise cyber analytics that deliver security and performance from the inside out.
Symantec acquires zero trust innovator Luminate Security
Luminate’s Secure Access Cloud is supposedly natively constructed for a cloud-oriented, perimeter-less world.
Palo Alto releases new, feature-rich firewall
Palo Alto is calling it the ‘fastest-ever next-generation firewall’ with integrated cloud-based DNS Security service to stop attacks.
The right to be forgotten online could soon be forgotten
Despite bolstering free speech and access to information, the internet can be a double-edged sword, because that access to information goes both ways.