Application Security

6/1/2018
09:00 AM

Open Bug Bounty Offers Free Program For Websites

Non-profit says it will triage and verify certain kinds of Web vulnerability submissions at no cost for those who sign up.

Open Bug Bounty, a not-for-profit organization that since 2014 has been helping security researchers report vulnerabilities to organizations in a coordinated manner, has added a new wrinkle to crowdsourced bug hunting.

Any verified website owner or operator can now launch a formal bug bounty program for their sites at no cost via Open Bug Bounty. The independent security researchers behind the coordinated vulnerability disclosure platform will triage and vet, for free, all vulnerability submissions that do not require intrusive testing. This includes cross-site scripting (XSS) flaws, cross-site request forgery (CSRF), and access control errors.

When a security researcher reports such a vulnerability to Open Bug Bounty, the researchers there will verify if it is indeed an issue and then notify the relevant website owners about it so disclosure and remediation steps can be taken. Website owners can then decide if they want to award bounties for valid vulnerability submissions and to set the award amounts.

"The world is changing, and we are happy to announce that Open Bug Bounty now allows creating your own bug bounty program for free," the operators of the platform announced recently. "Following our fundamental principles of coordinated disclosure, ethical and non-intrusive testing, we will do triage of XSS, CSRF and some other vulnerabilities at no cost."

The nonprofit currently does not accept any vulnerability submissions that can only be verified through intrusive testing, such as SQL injection flaws, where confirming the bug generally means sending payloads that reach the back-end database rather than simply loading a crafted URL in a browser. But organizations willing to let security researchers hunt for these types of OWASP Top 10 flaws on their websites can indicate this when subscribing to the bug bounty program. However, they will need to provide security researchers with an alternative channel of communication that does not involve Open Bug Bounty.

Open Bug Bounty did not respond to requests seeking more comment on the program. But on its website, the operators of the platform said they had no financial or commercial interest in the project. "Moreover we pay hosting expenses and web development costs from our pocket, and spend our nights verifying new submissions," the website noted.

Managed bug bounty programs are by no means new. Organizations like HackerOne and Bugcrowd have over the past few years helped thousands of small, medium, and large organizations run bug bounty programs. Their model of using crowdsourced security researchers to find and report vulnerabilities in customer websites and applications has proven quite popular considering the amount of enterprise and investor interest the organizations have attracted.

Low-Budget Option

Open Bug Bounty's program appears designed to be a free, and somewhat scaled-down, version of such bug bounty programs. In other words, organizations do not have to pay anything to have someone else coordinate vulnerability submissions for them.

How well it will work remains an open question. Since the platform launched in June 2014, Open Bug Bounty claims its community of independent security researchers has helped organizations fix over 119,000 flaws.

"It originally helped researchers report vulnerabilities to organizations that may not have formal, public or easy-to-find channels for vulnerability disclosure," says Michiel Prins, co-founder of HackerOne. They basically have been offering limited verification as part of the reporting coordination process, he says.

The free bug bounty program that Open Bug Bounty launched this week is more of a free vulnerability disclosure program unless organizations actually offer bounties, he says.

"[But] opening public programs with or without monetary incentives can have a firehose effect on a security team," he cautions. "Offering monetary incentives to encourage hacker participation can result in an overwhelming number of bug reports if the organization isn’t ready to handle or keep up with inbound reports," Prins says. 

Without managed services and triage offerings, it's difficult to control that fire hose and ensure that a program is successful rather than a hindrance, he says.

Even so, Ilia Kolochenko, CEO of High-Tech Bridge, sees the new initiative as helpful, especially for small and midsized enterprises, and for security researchers as well. "I think everyone would benefit at the end of the day: researchers, website owners, and their clients."

Scalability can become a bit of an issue for Open Bug Bounty if hundreds or thousands of websites begin taking up the free bug bounty hunting offer, Kolochenko concedes. "But so far it seems that the Open Bug Bounty project has been continuously growing and apparently [hasn't had] any issues," he says. "I think the community will find its way."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
luciferwinget,
User Rank: Apprentice
6/4/2018 | 5:32:38 AM
support
It is an interesting post. From this post I gain my knowledge; if you want more, then you can go through iTunes support.