Member Article

Crowdsourced Open Bug Bounty Community reaches 1,000,000 vulnerabilities fixed milestone

Open Bug Bounty, an open community-driven Bug Bounty platform for vulnerability disclosure has passed the milestone on 27 October of fixing over 1,000,000 web security vulnerabilities.

The Open Bug Bounty project enables website owners to receive advice and support from security researchers around the globe in a transparent, fair and coordinated manner to make web applications better and safer for everyone’s benefit.

Open Bug Bounty hosts Bug Bounty programs for such companies as A1 Telekom Austria and Drupal, with over 20,000 security researchers.

Started by a group of independent security experts in June 2014, Open Bug Bounty is a non-profit platform designed to connect security researchers and website owners in a transparent, respectful and mutually valuable manner. Its purpose is to make the Web a safer place for everyone’s benefit.

A spokesperson from Open Bug Bounty commented: “The Open Bug Bounty project is an interesting phenomenon that demonstrates that global crowd security testing become a mature industry that can be a valuable enhancement for the corporate application security program. Traditional penetration testing and vulnerability scanning are merely the baseline of application security. Therefore, when security researchers with different backgrounds and experience complement your application security testing, this may bring additional findings that require unusual creativity and a lot of time to be discovered.

“Organizations should, however, be prudent when setting up a bug bounty program and ensure that external testing does not violate data protection legislation. For example, if you authorize external security researchers to test your production system, the former may access sensitive personal data or financial information. How, when and if this data will be eventually removed from researchers’ systems often remains unclear, let alone a situation when a researcher’s device is compromised by cybercriminals and the information is stolen by the bad guys.

“The project does not perceive itself to be a competitor of leading commercial bug bounty platforms. For example, we do not provide manual triage for RCE or SQL injection vulnerabilities, due to the high sensitivity and confidentiality of such submissions. For submissions like XSS or CSRF, we are, however, a perfect place that can significantly reduce costs by offering a turn-key managed solution for free. Furthermore, many young talents work on several platforms at once, including highly vetted Synack, and our website owners have access to the best talent, wherever they are based.”

This was posted in Bdaily's Members' News section by Open Bug Bounty .