Application Security

6/1/2018 09:00 AM

Open Bug Bounty Offers Free Program For Websites

Non-profit says it will triage and verify certain kinds of Web vulnerability submissions at no cost for those who sign up.

Open Bug Bounty, a not-for-profit organization that since 2014 has been helping security researchers report vulnerabilities to organizations in a coordinated manner, has added a new wrinkle to crowdsourced bug hunting.

Any verified website owner or operator can now launch a formal bug bounty program for their sites at no cost via Open Bug Bounty. The independent security researchers behind the coordinated vulnerability disclosure platform will triage and vet, for free, all vulnerability submissions that do not require intrusive testing. This includes cross-site scripting (XSS) flaws, cross-site request forgery (CSRF), and access control errors.

When a security researcher reports such a vulnerability to Open Bug Bounty, the researchers there will verify that it is indeed an issue and then notify the relevant website owners about it so that disclosure and remediation steps can be taken. Website owners can then decide whether they want to award bounties for valid vulnerability submissions and set the award amounts.

"The world is changing, and we are happy to announce that Open Bug Bounty now allows creating your own bug bounty program for free," the operators of the platform announced recently. "Following our fundamental principles of coordinated disclosure, ethical and non-intrusive testing, we will do triage of XSS, CSRF and some other vulnerabilities at no cost."

The nonprofit currently does not accept any vulnerability submissions that can only be verified through intrusive testing, such as SQL injection flaws. But organizations willing to let security researchers hunt for these types of OWASP Top 10 flaws on their websites can indicate this when subscribing to the bug bounty program. However, they will need to provide security researchers with alternative forms of communication that do not involve Open Bug Bounty.

Open Bug Bounty did not respond to requests seeking more comment on the program. But on its website, the operators of the platform said they had no financial or commercial interest in the project. "Moreover we pay hosting expenses and web development costs from our pocket, and spend our nights verifying new submissions," the website noted.

Managed bug bounty programs are by no means new. Organizations like HackerOne and Bugcrowd have over the past few years helped thousands of small, medium, and large organizations run bug bounty programs. Their model of using crowdsourced security researchers to find and report vulnerabilities in customer websites and applications has proven quite popular considering the amount of enterprise and investor interest the organizations have attracted.

Low-Budget Option

Open Bug Bounty's program appears designed to be a free, and somewhat scaled-down, version of such bug bounty programs. In other words, organizations do not have to pay anything to have someone else coordinate vulnerability submissions for them.

How well it will work remains an open question. Since the platform launched in June 2014, Open Bug Bounty claims its community of independent security researchers has helped organizations fix over 119,000 flaws.

"It originally helped researchers report vulnerabilities to organizations that may not have formal, public or easy-to-find channels for vulnerability disclosure," says Michiel Prins, co-founder of HackerOne. They basically have been offering limited verification as part of the reporting coordination process, he says.

The free bug bounty program that Open Bug Bounty launched this week is more of a free vulnerability disclosure program unless organizations actually offer bounties, he says.

"[But] opening public programs with or without monetary incentives can have a firehose effect on a security team," he cautions. "Offering monetary incentives to encourage hacker participation can result in an overwhelming number of bug reports if the organization isn’t ready to handle or keep up with inbound reports," Prins says. 

Without managed services and triage offerings, it's difficult to control that fire hose and ensure that a program is successful rather than a hindrance, he says.

Even so, Ilia Kolochenko, CEO of High-Tech Bridge, sees the new initiative as helpful, especially for small and midsized enterprises, and for security researchers as well. "I think everyone would benefit at the end of the day: researchers, website owners, and their clients."

Scalability could become a bit of an issue for Open Bug Bounty if hundreds or thousands of websites begin taking up the free bug bounty hunting offer, Kolochenko concedes. "But so far it seems that the Open Bug Bounty project has been continuously growing and apparently [hasn't had] any issues," he says. "I think the community will find its way."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
