Dark Reading is part of the Informa Tech Division of Informa PLC


Online Tools For Bug Disclosure Abound

What's driving the bounty of software vulnerability disclosure offerings today from Bugcrowd, HackerOne, and Synack.

PayPal was one of the pioneers of internal bug bounty programs. But like other companies that have led the curve with in-house programs that pay researchers a fee for finding valid vulnerabilities in their software, the digital payment firm found that running such a program is no easy feat.

"It's very difficult to have enough resources internally to manage the program and match wits with researchers out in the world," says Gus Anagnos, who developed and ran PayPal's two-year-old internal bug program.

Fielding bug submissions as they come in and budgeting for the payments to researchers is challenging. "It's also very difficult to manage researchers and the expectations they have in payment and time to fix," says Anagnos, who left PayPal this year to become vice president of strategy and operations at Synack, a startup offering a vulnerability disclosure program and other security services.

"The reason I joined Synack is that I noticed, even though there's a tremendous amount of value in having bug bounty programs, it's still very difficult to run them internally," he says. "I left PayPal to come to Synack to take a great bug bounty model and create a new model more than the traditional bug bounty program, and to address items that in-house programs have a hard time" addressing.

Synack, like newcomers Bugcrowd and HackerOne, offers companies an online platform for coordinating vulnerability disclosure, a process that traditionally has been conducted via email correspondence. The company hires out a small group of hand-picked outside researchers who provide its vulnerability discovery service.

Anagnos says Synack technically is not a "middleman" nor a bug bounty service. "We provide a technology platform that automates the process" that vetted and trusted security professionals use to find vulnerabilities that only humans can find, he says.

Its outside research team spans 21 countries and consists of members whose day jobs are in academia, government, Google, Facebook, and PayPal.

The social media firm Tagged.com initially launched its own bug bounty program in-house, but it soon began to overwhelm the company's IT staff. "We started receiving bug bounty submissions, and our help desk spent the majority of time validating bugs, which in essence wasn't scalable," says Boris Sverdlik, who worked on the program. Sverdlik is now head of infrastructure security for the digital branding software firm TubeMogul.

"Some researchers were trying to get paid on every hit on our [Tagged.com] API," he recalls. So Tagged solicited Bugcrowd's online bug bounty services to get a grip on the disclosures it was fielding. "Bugcrowd maintains a 'do not test list'… We worked with them to go through the list and block what we don't want to see, and that increased the efficiency of my group. And we were able to offload the validation and auditing."

Vulnerability disclosure has gone through a major transformation over the past five years. For a long time, researchers got either a shout-out or shouted at for their discoveries -- if a vendor even responded at all. Many were threatened with legal action.

The game changer that made bug bounties more of a mainstream phenomenon came last year, when Microsoft, one of the biggest bug bounty holdouts among software vendors, finally threw its hat in the ring with a bugs for bucks program of its own. Katie Moussouris, then senior security strategist at Microsoft, spearheaded the move, joining Facebook, Google, Mozilla, and PayPal, which preceded Microsoft with programs of their own.

Moussouris left Microsoft in May of this year for HackerOne, a startup that spun off a bug bounty project initially funded in part by Microsoft and Facebook. She's now chief policy officer and works alongside former Facebook director of security Alex Rice, who is now CTO of HackerOne. The startup's free online platform automates the vulnerability disclosure process between the researchers who find the bugs and the affected software vendors and websites. HackerOne takes a 20% service fee when a bounty payment is transacted.

"I'm thrilled there is an industry now" for vulnerability disclosure, Moussouris says. "Where the bad guy would find a vulnerability before an organization fixed it, you can now tap into a worldwide pool of security researchers. It's been a very powerful thing."

Microsoft and other firms have data showing "a tapering off" of software flaws after the initial spike when the programs begin, she says. "We've seen this with a number of our customers" at HackerOne.

The biggest misconception is that a vulnerability disclosure program should automatically include a bounty program from the get-go. However, "starting with a bounty" as part of the program "is not the best idea for everyone," she says. "Starting a bounty from the onset may seem like a cool and trendy idea, but if you're not solid in what you're going to do with that process, you're going to have a bad experience."

Firms with a limited software portfolio find it's more straightforward to have the bounty rolled in right away, according to Moussouris, but that's not the case for firms with larger software sets.

For researchers, the new model of online community and for-hire vulnerability disclosure is much less painful -- and often much more lucrative than in the old days. It wasn't long ago that a security researcher could get sued for reporting a vulnerability to a vendor or online business. "It used to be really scary," says one of Bugcrowd's most prolific bug-finders, a researcher who hunts for bugs after his day job at a software firm and asked his name not be published. "Now we won't get sued."

Bugcrowd is a crowdsourced site that also helps organizations set up bug bounty programs online. It offers a free vulnerability disclosure platform called Crowdcontrol, where researchers submit their vulnerability finds to the affected site or software vendor, and those discoveries get vetted.

Casey Ellis, co-founder and CEO of Bugcrowd, says the firm charges a fee for any bug bounty payment transactions. "They can use the platform itself and the triage team we have in-house" for free.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Robert McDougal, User Rank: Ninja
8/27/2014 | 3:13:16 PM
Great step!
This is great news to hear! In the past, I can remember thinking to myself, should I tell Microsoft about this bug or just keep it to myself? The fear of being sued was, and in some cases still is, very real.

Kelly Jackson Higgins, User Rank: Strategist
8/27/2014 | 3:33:39 PM
Re: Great step!
A big takeaway here is there are now (free) tools for organizations that want to set up a professional and organized process for fielding security vulnerability reports, as well as a potential avenue for setting up a bug bounty program (for a fee). As for researchers, it's a safe way to report & potentially sell their findings.

User Rank: Strategist
8/29/2014 | 10:19:20 AM
Re: Great step!
Great story, Kelly! I wonder, though, if the proliferation of bug bounties is eroding the notion of "responsible disclosure" and the revelation of vulnerabilities for the simple reason of protecting users. Do you (and others here) think that tomorrow's security researchers will no longer disclose their findings unless they are properly paid?

Kelly Jackson Higgins, User Rank: Strategist
8/29/2014 | 10:27:32 AM
Re: Great step!
I think the pressure's on for companies to pony up with bug bounties. I keep flashing back to Dino Dai Zovi/Charlie Miller/Alexander Sotirov's "No More Free Bugs" banner and meme from a few years ago that started this shift. Overall, there are fewer significant vulns to find in major software, so some bugs are definitely more valuable and bounty-worthy than others. Not all companies are ready for this, obviously, but it's definitely a seismic shift with these free vuln disclosure program tools and online tools for bug bounty programs.