Online Tools For Bug Disclosure Abound

What's driving the bounty of software vulnerability disclosure offerings today from Bugcrowd, HackerOne, and Synack.

PayPal was one of the pioneers of internal bug bounty programs. But like other companies that have led the curve with in-house programs that pay researchers a fee for finding valid vulnerabilities in their software, the digital payment firm found that running such a program is no easy feat.

"It's very difficult to have enough resources internally to manage the program and match wits with researchers out in the world," says Gus Anagnos, who developed and ran PayPal's two-year-old internal bug program.

Fielding bug submissions as they come in and budgeting for the payments to researchers is challenging. "It's also very difficult to manage researchers and the expectations they have in payment and time to fix," says Anagnos, who left PayPal this year to become vice president of strategy and operations at Synack, a startup offering a vulnerability disclosure program and other security services.

"The reason I joined Synack is that I noticed, even though there's a tremendous amount of value in having bug bounty programs, it's still very difficult to run them internally," he says. "I left PayPal to come to Synack to take a great bug bounty model and create a new model more than the traditional bug bounty program, and to address items that in-house programs have a hard time" addressing.

Synack, like newcomers Bugcrowd and HackerOne, offers companies an online platform for coordinating vulnerability disclosure, a process that traditionally has been conducted via email correspondence. The company hires out a small group of hand-picked outside researchers who provide its vulnerability discovery service.

Anagnos says Synack technically is not a "middleman" nor a bug bounty service. "We provide a technology platform that automates the process" that vetted and trusted security professionals use to find vulnerabilities that only humans can find, he says.

Its outside research team spans 21 countries and consists of members whose day jobs are in academia, government, Google, Facebook, and PayPal.

The social media firm Tagged initially launched its own bug bounty program in-house, but it soon began to overwhelm the company's IT staff. "We started receiving bug bounty submissions, and our help desk spent the majority of time validating bugs, which in essence wasn't scalable," says Boris Sverdlik, who worked on the program. Sverdlik is now head of infrastructure security for the digital branding software firm TubeMogul.

"Some researchers were trying to get paid on every hit on our [] API," he recalls. So Tagged solicited Bugcrowd's online bug bounty services to get a grip on the disclosures it was fielding. "Bugcrowd maintains a 'do not test list'… We worked with them to go through the list and block what we don't want to see, and that increased the efficiency of my group. And we were able to offload the validation and auditing."

Vulnerability disclosure has gone through a major transformation over the past five years. For a long time, researchers either got a shout-out or got shouted at for their discoveries -- if a vendor even responded at all. Many were threatened with legal action.

The game changer that made bug bounties more of a mainstream phenomenon came last year, when Microsoft, one of the biggest bug bounty holdouts among software vendors, finally threw its hat in the ring with a bugs-for-bucks program of its own. Katie Moussouris, then senior security strategist at Microsoft, spearheaded the move, joining Facebook, Google, Mozilla, and PayPal, which preceded Microsoft with programs of their own.

Moussouris left Microsoft in May of this year for HackerOne, a startup that spun off a bug bounty project initially funded in part by Microsoft and Facebook. She's now chief policy officer and works alongside former Facebook director of security Alex Rice, who is now CTO of HackerOne. The startup's free online platform automates the vulnerability disclosure process between the researchers who find the bugs and the affected software vendors and websites. HackerOne charges a 20% service fee when a bounty payment is transacted.

"I'm thrilled there is an industry now" for vulnerability disclosure, Moussouris says. "Where the bad guy would find a vulnerability before an organization fixed it, you can now tap into a worldwide pool of security researchers. It's been a very powerful thing."

Microsoft and other firms have data showing "a tapering off" of software flaws after the initial spike when the programs begin, she says. "We've seen this with a number of our customers" at HackerOne.

The biggest misconception is that a vulnerability disclosure program should automatically include a bounty program from the get-go. However, "starting with a bounty" as part of the program "is not the best idea for everyone," she says. "Starting a bounty from the onset may seem like a cool and trendy idea, but if you're not solid in what you're going to do with that process, you're going to have a bad experience."

Firms with a limited software portfolio find it's more straightforward to have the bounty rolled in right away, according to Moussouris, but that's not the case for firms with larger software sets.

For researchers, the new model of online community and for-hire vulnerability disclosure is much less painful -- and often much more lucrative -- than in the old days. It wasn't long ago that a security researcher could get sued for reporting a vulnerability to a vendor or online business. "It used to be really scary," says one of Bugcrowd's most prolific bug-finders, a researcher who hunts for bugs after his day job at a software firm and asked that his name not be published. "Now we won't get sued."

Bugcrowd is a crowdsourced site that also helps organizations set up bug bounty programs online. It offers a free vulnerability disclosure platform called Crowdcontrol, where researchers submit their vulnerability finds to the affected site or software vendor, and those discoveries get vetted.

Casey Ellis, co-founder and CEO of Bugcrowd, says the firm charges a fee for any bug bounty payment transactions. "They can use the platform itself and the triage team we have in-house" for free.

Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins (User Rank: Strategist), 8/29/2014 10:27:32 AM
Re: Great step!
I think the pressure's on for companies to pony up with bug bounties. I keep flashing back to Dino Dai Zovi/Charlie Miller/Alexander Sotirov's "No More Free Bugs" banner and meme from a few years ago that started this shift. Overall, there are fewer significant vulns to find in major software, so some bugs are definitely more valuable and bounty-worthy than others. Not all companies are ready for this, obviously, but it's definitely a seismic shift with these free vuln disclosure program tools and online tools for bug bounty programs.
(User Rank: Strategist), 8/29/2014 10:19:20 AM
Re: Great step!
Great story, Kelly! I wonder, though, if the proliferation of bug bounties is eroding the notion of "responsible disclosure" and the revelation of vulnerabilities for the simple reason of protecting users. Do you (and others here) think that tomorrow's security researchers will no longer disclose their findings unless they are properly paid?
Kelly Jackson Higgins (User Rank: Strategist), 8/27/2014 3:33:39 PM
Re: Great step!
A big takeaway here is there are now (free) tools for organizations that want to set up a professional and organized process for fielding security vulnerability reports, as well as a potential avenue for setting up a bug bounty program (for a fee). As for researchers, it's a safe way to report & potentially sell their findings.
Robert McDougal (User Rank: Ninja), 8/27/2014 3:13:16 PM
Great step!
This is great news to hear! In the past, I can remember thinking to myself, should I tell Microsoft about this bug or just keep it to myself. The fear of being sued was, and in some cases still is, very real.