
Application Security

6/1/2018 09:00 AM
Open Bug Bounty Offers Free Program For Websites

Non-profit says it will triage and verify certain kinds of Web vulnerability submissions at no cost for those who sign up.

Open Bug Bounty, a not-for-profit organization that since 2014 has been helping security researchers report vulnerabilities to organizations in a coordinated manner, has added a new wrinkle to crowdsourced bug hunting.

Any verified website owner or operator can now launch a formal bug bounty program for their sites at no cost via Open Bug Bounty. The independent security researchers behind the coordinated vulnerability disclosure platform will triage and vet, for free, all vulnerability submissions that do not require intrusive testing. This includes cross-site scripting (XSS) flaws, cross-site request forgery (CSRF), and access control errors.

When a security researcher reports such a vulnerability to Open Bug Bounty, the researchers there will verify whether it is indeed an issue and then notify the relevant website owners so that disclosure and remediation steps can be taken. Website owners can then decide whether they want to award bounties for valid vulnerability submissions and set the award amounts.

"The world is changing, and we are happy to announce that Open Bug Bounty now allows creating your own bug bounty program for free," the operators of the platform announced recently. "Following our fundamental principles of coordinated disclosure, ethical and non-intrusive testing, we will do triage of XSS, CSRF and some other vulnerabilities at no cost."

The nonprofit currently does not accept any vulnerability submissions that can only be verified through intrusive testing, such as SQL injection flaws. But organizations willing to let security researchers hunt for these types of OWASP Top 10 flaws on their websites can indicate this when signing up for the bug bounty program. However, they will need to provide security researchers with alternative forms of communication that do not involve Open Bug Bounty.

Open Bug Bounty did not respond to requests seeking more comment on the program. But on its website, the operators of the platform said they had no financial or commercial interest in the project. "Moreover we pay hosting expenses and web development costs from our pocket, and spend our nights verifying new submissions," the website noted.

Managed bug bounty programs are by no means new. Organizations like HackerOne and Bugcrowd have over the past few years helped thousands of small, medium, and large organizations run bug bounty programs. Their model of using crowdsourced security researchers to find and report vulnerabilities in customer websites and applications has proven quite popular considering the amount of enterprise and investor interest the organizations have attracted.

Low-Budget Option

Open Bug Bounty's program appears designed to be a free — and somewhat scaled down — version of such bug bounty programs. In other words, organizations do not have to pay anything to have someone else coordinate vulnerability submissions for them.

How well it will work remains an open question. Since the platform launched in June 2014, Open Bug Bounty claims its community of independent security researchers has helped organizations fix over 119,000 flaws.

"It originally helped researchers report vulnerabilities to organizations that may not have formal, public or easy-to-find channels for vulnerability disclosure," says Michiel Prins, co-founder of HackerOne. They basically have been offering limited verification as part of the reporting coordination process, he says.

The free bug bounty program that Open Bug Bounty launched this week is more of a free vulnerability disclosure program unless organizations actually offer bounties, he says.

"[But] opening public programs with or without monetary incentives can have a firehose effect on a security team," he cautions. "Offering monetary incentives to encourage hacker participation can result in an overwhelming number of bug reports if the organization isn't ready to handle or keep up with inbound reports," Prins says.

Without managed services and triage offerings, it's difficult to control that fire hose and ensure that a program is successful rather than a hindrance, he says.

Even so, Ilia Kolochenko, CEO of High-Tech Bridge, sees the new initiative as helpful, especially for small and midsized enterprises, and for security researchers as well. "I think everyone would benefit at the end of the day: researchers, website owners, and their clients."

Scalability can become a bit of an issue for Open Bug Bounty if hundreds or thousands of websites begin taking up the free bug bounty hunting offer, Kolochenko concedes. "But so far it seems that the Open Bug Bounty project has been continuously growing and apparently [hasn't had] any issues," he says. "I think the community will find its way."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
luciferwinget, 6/4/2018 | 5:32:38 AM
support
It is an interesting post. From this post I gained knowledge; if you want more, then you can go through iTunes support.