SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Not-for-profit Bug Bounty project surpasses major milestone
Fri, 23rd Feb 2018
FYI, this story is more than a year old

The Open Bug Bounty project has reached 100,000 fixed vulnerabilities and is showing no signs of slowing down.

At the time of publication, the official count was over 101,000 as the not-for-profit group continues its relentless and honourable goal of making the web a safer place.

Open Bug Bounty accepts only CSRF and XSS vulnerabilities that – unless maliciously exploited in the open web – can't harm the website or its users.

This enables security researchers to ethically report and help in patching security vulnerabilities on any websites even without a formal bug bounty.

High-Tech Bridge CEO Ilia Kolochenko says it's good to see venerable projects like Open Bug Bounty succeed.

"Crowd security testing and bug bounties are an emerging market that can bring a lot of exciting opportunities both to the researchers and companies. Sustainability and economical practicality of some bounty programs can be questioned, however Open Bug Bounty's 100,000 fixed vulnerabilities speak for themselves,” says Kolochenko.

“I think there is a niche for good-faith researchers and SMEs or NGOs that lack resources to regularly buy penetration testing services, let alone run a full-scale bounty program.

Open Bug Bounty began life as an XSS archive in 2014 and since then has grown into a coordinated disclosure and open bug bounty platform.  The full transparent and underlying non-profit concept of Open Bug Bounty is confounding to some given the ludicrous amounts of money that is raised on other paid bug bounty platforms.

The project's involvement in the vulnerability disclosure and remediation process is limited to just vulnerability verification and prompt notification to the website owner. Details are not allowed to be disclosed publicly before 90 days after the notification.

Once website owners are aware of the vulnerability then Open Bug Bounty's job is done – any further contacts with the researcher is up to the owners, who have no obligation to pay the security researchers – but are advised by Open Bug Bounty to at least say a thank you for the researchers' time.

Average bounty payments are significantly lower when compared to Google or Facebook XSS's payments, but some researchers do get four digit awards from grateful website owners as well as written recommendations, books, gadgets, branded gifts or even cakes.

Kolochenko says while bug bountys do an outstanding job of locating vulnerabilities, website owners should still be protecting themselves in other ways.

“One should, however, keep in mind that any crowd security testing can never substitute a mature application security program, with SDLC, DevSecOps and continuous security monitoring,” says Kolochenko.

“Auxiliary technologies, such as Web Application Firewalls, should also be implemented and maintained to enable proactive security.