‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

3 years ago 1921

Vulnerability disclosure platform driven by ‘transparency and fairness’, with over 500,000 bugs fixed since 2014

Open Bug Bounty maintainers on finding a niche in the crowdsourced application security market

Open Bug Bounty has around 1,300 active bug bounty programs and 22,000 registered security researchers, and is approaching one million coordinated disclosures, resulting in around half a million vulnerability patches.

The project, which was founded in 2014, is nevertheless dwarfed in scale by the commercial bug bounty market’s big beasts.

However, the security researchers and other “cybersecurity veterans” who maintain the platform insist that the likes of HackerOne and Bugcrowd – founded earlier in 2012 and 2011, respectively – are not direct competitors.

RECOMMENDED ‘Train the basics’ – Bug bounty hunter ‘Xel’ on forging a lucrative career in ethical hacking

“Many commercial bug bounty platforms are now shifting to penetration testing and other traditional MSSP services, diverging from traditional bug bounties,” Open Bug Bounty’s 10 maintainers told The Daily Swig in collectively-written comments.

Indeed, the growing popularity of ‘pen test-as-a-service’ has also given rise to red team-inspired crowdsourced security platforms like Cobalt and Synack.

By contrast, “Open Bug Bounty is a pure crowd-security testing and vulnerability disclosure platform where everyone can participate without restrictions while following the rules and code of conduct.”

‘Not motivated by profits’

Another key distinction between Open Bug Bounty and rival platforms, which also include Intigriti, YesWeHack, HackenProof, and more, is the former’s status as a non-profit.

Moreover, the service is free to use for website owners as well as researchers – leaving the maintainers to cover hosting and web development costs themselves.

“We are not motivated by profits and [are] happy to spend our evenings to maintain the platform,” they say.

So, what motivates them to invest both time and money into the project?

“We are close to reaching one million fixed vulnerabilities,” they explain. “We are excited to see how security researchers and website owners leverage the platform to make the web a safer place.

“The Open Bug Bounty team is mostly composed of cybersecurity veterans [and] our underlying goal is to bring transparency, efficiency and fairness to the industry.”

Open Bug Bounty is a bug bounty and crowdsourced security platformOpen Bug Bounty is run by a small team of maintainers

‘Comprehensive’, free service

Naturally, there’s a gulf in financial resources between Open Bug Bounty and HackerOne and Bugcrowd, whose growth has been propelled by tens of millions of dollars of venture capital investment.

“We cannot provide the same elegance of UI/UX or 24/7 support” offered by “the commercial players,” they concede.

But they still provide an “comprehensive” service “at no cost” to program owners by marshalling their comparatively modest resources wisely.

Catch up on the latest bug bounty news

They “provide a coordinated and responsible vulnerability disclosure to any website owner” in line with the ISO 29147 standard, but “do not offer any intermediation with the researchers – who always communicate directly with the program owners”.

Submissions are limited to common web application vulnerabilities “that are detectable with non-intrusive manual testing”, they add.

“For XSS and similar vulnerabilities, we offer free triage and submission verification to bug bounty owners. We do not accept, however, SQL injections and RCEs directly on the platform but provide a central place to coordinate how such findings are to be reported – if authorized by the bug bounty scope."  

Eclectic client base

What kind of organizations does the Open Bug Bounty model appeal to? A pretty wide range, according to the platform’s overseers.

“We have IT and e-commerce companies, marketplaces, universities, and even some governmental entities hosting their bug bounties at Open Bug Bounty,” say the maintainers.

“We regularly receive incoming enquiries from banks and other companies with strict compliance and confidentiality requirements.

Some companies host their program on both Open Bug Bounty and a major commercial platform, they add.

Without mediation on offer, however, many companies with large budgets “will probably go to commercial platforms to outsource the entire process of vulnerability disclosure and mediation with researchers”.

Along with the enforcement of “transparent rules”, the absence of mediation has limited their experience of disputes to “isolated cases”. These issues, mostly stemming from innocent misunderstandings, are mostly “rapidly resolved”.

There are infrequent complaints about strictly prohibited instances of automated testing of websites, add the maintainers, and these can lead to swift account suspensions.

Open Bug Bounty is a non-profit bug bounty platformNearly one million security vulnerabilities have been disclosed through Open Bug Bounty since 2014

Bounties and honor badges

Researchers on the Open Bug Bounty platform earn honor badges to reflect the quality and quantity of their valid submissions, with the emphasis heavier on the former.

More tangible rewards can include financial bounties, with some cryptocurrency projects paying five-figure sums, and smart watches, gift cards and other non-financial gifts. Website owners are encouraged to at least express gratitude or write a recommendation on researchers’ profiles for successful submissions.

“In our experience, website owners highly appreciate the researchers who come to [their] help and are not solely motivated by a financial reward, and [sometimes] pay small extra bonuses for the most helpful submissions,” say the maintainers.

Expanding reporting capabilities

The maintainers recently upgraded the email system for notifying organizations of vulnerability submissions, and are “continuously improving” reporting requirements to ensure that submissions from researchers are “sufficiently detailed, clear and actionable.”

Reporting capabilities are being expanded to “cover a broader scope of security vulnerabilities” too.

The maintainers say they are also open to improvement suggestions from the community and partnerships that can “offer better DevSecOps integrations, assisted remediation and other value-added features”.

But with commercial bug bounty vendors increasingly “moving to penetration testing services to increase profits under pressure [from] investors”, Open Bug Bounty will continue to evolve in line with its founding mission: “offering an open, transparent, and fair platform that anyone can join regardless of his or her nationality or number of security certificates”.

YOU MIGHT ALSO LIKE Covid-19 pandemic: How bug bounty programs helped secure some of the world’s leading track and trace apps

Read Entire Article