Open Bug Bounty, a not-for-profit organization that since 2014 has been helping security researchers report vulnerabilities to organizations in a coordinated manner, has added a new wrinkle to crowdsourced bug hunting.
Any verified website owner or operator can now launch a formal bug bounty program for their sites at no cost via Open Bug Bounty. The independent security researchers behind the coordinated vulnerability disclosure platform will triage and vet, for free, all vulnerability submissions that do not require intrusive testing. This includes cross-site scripting (XSS) flaws, cross-site request forgery (CSRF), and access control errors.
When a security researcher reports such a vulnerability to Open Bug Bounty, the researchers there will verify whether it is indeed an issue and then notify the relevant website owners so that disclosure and remediation steps can be taken. Website owners can then decide whether they want to award bounties for valid vulnerability submissions and set the award amounts.
"The world is changing, and we are happy to announce that Open Bug Bounty now allows creating your own bug bounty program for free," the operators of the platform announced recently. "Following our fundamental principles of coordinated disclosure, ethical and non-intrusive testing, we will do triage of XSS, CSRF and some other vulnerabilities at no cost."
The nonprofit currently does not accept any vulnerability submissions that can only be verified through intrusive testing, such as SQL injection flaws. But organizations willing to let security researchers hunt for these types of OWASP Top 10 flaws on their websites can indicate this when signing up for the bug bounty program. However, they will need to provide security researchers with alternative channels of communication that do not involve Open Bug Bounty.
Open Bug Bounty did not respond to requests seeking more comment on the program. But on its website, the operators of the platform said they had no financial or commercial interest in the project. "Moreover we pay hosting expenses and web development costs from our pocket, and spend our nights verifying new submissions," the website noted.
Managed bug bounty programs are by no means new. Organizations like HackerOne and Bugcrowd have over the past few years helped thousands of small, medium, and large organizations run bug bounty programs. Their model of using crowdsourced security researchers to find and report vulnerabilities in customer websites and applications has proven quite popular considering the amount of enterprise and investor interest the organizations have attracted.
Open Bug Bounty's program appears designed to be a free (and somewhat scaled-down) version of such bug bounty programs. In other words, organizations do not have to pay anything to have someone else coordinate vulnerability submissions for them.
How well it will work remains an open question. Since the platform launched in June 2014, Open Bug Bounty claims its community of independent security researchers has helped organizations fix over 119,000 flaws.
"It originally helped researchers report vulnerabilities to organizations that may not have formal, public or easy-to-find channels for vulnerability disclosure," says Michiel Prins, co-founder of HackerOne. They basically have been offering limited verification as part of the reporting coordination process, he says.
The free bug bounty program that Open Bug Bounty launched this week is more of a free vulnerability disclosure program unless organizations actually offer bounties, he says.
"[But] opening public programs with or without monetary incentives can have a firehose effect on a security team," he cautions. "Offering monetary incentives to encourage hacker participation can result in an overwhelming number of bug reports if the organization isn’t ready to handle or keep up with inbound reports," Prins says.
Without managed services and triage offerings, it's difficult to control that fire hose and ensure that a program is successful rather than a hindrance, he says.
Even so, Ilia Kolochenko, CEO of High-Tech Bridge, sees the new initiative as being helpful, especially for small and midsized enterprises, and for security researchers as well. "I think everyone would benefit at the end of the day: researchers, website owners, and their clients."
Scalability can become a bit of an issue for Open Bug Bounty if hundreds or thousands of websites begin taking up the free bug bounty hunting offer, Kolochenko concedes. "But so far it seems that the Open Bug Bounty project has been continuously growing and apparently [hasn't had] any issues," he says. "I think the community will find its way."