Application Security

6/1/2018
09:00 AM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Open Bug Bounty Offers Free Program For Websites

Non-profit says it will triage and verify certain kinds of Web vulnerability submissions at no cost for those who sign up.

Open Bug Bounty, a not-for-profit organization that since 2014 has been helping security researchers report vulnerabilities to organizations in a coordinated manner, has added a new wrinkle to crowdsourced bug hunting.

Any verified website owner or operator can launch now a formal bug bounty program for their sites at no cost via Open Bug Bounty. The independent security researchers behind the coordinated vulnerability disclosure platform will triage and vet — for free — all vulnerability submissions that do not require intrusive testing. This includes cross site scripting (XSS) flaws, cross site request forgery (CSRF), and access control errors.

When a security researcher reports such a vulnerability to Open Bug Bounty, the researchers there will verify if it is indeed an issue and then notify the relevant website owners about it so disclosure and remediation steps can be taken. Website owners can then decide if they want to award bounties for valid vulnerability submissions and to set the award amounts.

"The world is changing, and we are happy to announce that Open Bug Bounty now allows creating your own bug bounty program for free," the operators of the platform announced recently. "Following our fundamental principles of coordinated disclosure, ethical and non-intrusive testing, we will do triage of XSS, CSRF and some other vulnerabilities at no cost."

The nonprofit currently does not accept any vulnerability submissions that can only be verified through intrusive testing, such as SQL injection flaws. But organizations willing to let security researchers hunt for these types of OWASP Top 10 flaws on their websites can indicate this when subscribing for the bug bounty program. However, they will need to provide security researchers with alternative forms of communication that does not involve Open Bug Bounty.

Open Bug Bounty did not respond to requests seeking more comment on the program. But on its website, the operators of the platform said they had no financial or commercial interest in the project. "Moreover we pay hosting expenses and web development costs from our pocket, and spend our nights verifying new submissions," the website noted.

Managed bug bounty programs are by no means new. Organizations like HackerOne and Bugcrowd have over the past few years helped thousands of small, medium, and large organizations run bug bounty programs. Their model of using crowdsourced security researchers to find and report vulnerabilities in customer websites and applications has proven quite popular considering the amount of enterprise and investor interest the organizations have attracted.

Low-Budget Option

Open Bug Bounty's program appears designed to be a free — and somewhat scaled down —version of such bug bounty programs. In other words, organizations do not have to pay anything for having someone else coordinate vulnerability submissions for them.

How well it will work remains an open question. Since the platform launched in June 2014, Open Bug Bounty claims its community of independent security researchers has helped organizations fix over 119,000 flaws.

"It originally helped researchers report vulnerabilities to organizations that may not have formal, public or easy-to-find channels for vulnerability disclosure," says Michiel Prins, co-founder of HackerOne. They basically have been offering limited verification as part of the reporting coordination process, he says.

The free bug bounty program that Open Bug Bounty launched this week is more of a free vulnerability disclosure program unless organizations actually offer bounties, he says.

"[But] opening public programs with or without monetary incentives can have a firehose effect on a security team," he cautions. "Offering monetary incentives to encourage hacker participation can result in an overwhelming number of bug reports if the organization isn’t ready to handle or keep up with inbound reports," Prins says. 

Without managed services and triage offerings, it's difficult to control that fire hose and ensure that a program is successful rather than a hindrance, he says.

Even so, Ilia Kolochenko, CEO of High-Tech Bridge, sees the new initiative as being helpful especially for small- and midsized enterprises, and for security researchers as well. "I think everyone would benefit at the end of the day: researchers, website owners, and their clients."

Scalability can become bit of an issue for Open Bug Bounty if hundreds or thousands of websites begin taking up the free bug bounty hunting offer, Kolochenko concedes. "But so far it seems that the Open Bug Bounty project has been continuously growing and apparently [hasn't had] any issues," he says. "I think the community will find its way."

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
luciferwinget
50%
50%
luciferwinget,
User Rank: Apprentice
6/4/2018 | 5:32:38 AM
support
it is an interesting post. from this post, I gain my knowledge, if you want more then you can go through iTunes support
New Bluetooth Hack Affects Millions of Vehicles
Dark Reading Staff 11/16/2018
Understanding Evil Twin AP Attacks and How to Prevent Them
Ryan Orsi, Director of Product Management for Wi-Fi at WatchGuard Technologies,  11/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19406
PUBLISHED: 2018-11-21
kvm_pv_send_ipi in arch/x86/kvm/lapic.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where the apic map is uninitialized.
CVE-2018-19407
PUBLISHED: 2018-11-21
The vcpu_scan_ioapic function in arch/x86/kvm/x86.c in the Linux kernel through 4.19.2 allows local users to cause a denial of service (NULL pointer dereference and BUG) via crafted system calls that reach a situation where ioapic is uninitialized.
CVE-2018-19404
PUBLISHED: 2018-11-21
In YXcms 1.4.7, protected/apps/appmanage/controller/indexController.php allow remote authenticated Administrators to execute any PHP code by creating a ZIP archive containing a config.php file, hosting the .zip file at an external URL, and visiting index.php?r=appmanage/index/onlineinstall&url= ...
CVE-2018-19387
PUBLISHED: 2018-11-20
format_cb_pane_tabs in format.c in tmux 2.7 through 2.8 might allow attackers to cause a denial of service (NULL Pointer Dereference and application crash) by arranging for a malloc failure.
CVE-2018-19388
PUBLISHED: 2018-11-20
FoxitReader.exe in Foxit Reader 9.3.0.10826 allows remote attackers to cause a denial of service (out-of-bounds read, access violation, and application crash) via TIFF data because of a ConvertToPDF_x86!ReleaseFXURLToHtml issue.