Open BugBounty is a website designed to connect security researchers and website owners. The goal is to make it easy for website owners to get security researchers to validate their website.
If a researcher discovers an issue, they file a report using a responsible disclosure mechanism. This mechanism adheres to the ISO 29147 standard covering the disclosure of vulnerabilities. The affected website is advised of the issue and can then engage with the researcher. This allows the researchers and website to agree a fee for remediation. It also means that while that is happening, the vulnerability is not disclosed to the public.
A statement on the site says: “Open Bug Bounty allows any verified website owners to run a bug bounty for their websites at no cost. The purpose of this non-profit activity is to make relations between website owners and security researchers sustainable and mutually beneficial in a long-term prospective.”
This opening up of the programme, making it free for businesses to participate, should appeal to SMEs in particular. Unlike large organisations, they often lack the skills and knowledge required to validate and test websites. They are also often the victims of breaches that install malware which then serves malicious code to their customers.
Who is using Open BugBounty?
The list of organisations using Open BugBounty to engage with researchers is growing. While the majority listed on the site have just one or two websites, there are some interesting ones such as British Gymnastics and Unisport.
There are also reports from some of the researchers covering even larger companies such as Vonage.com and eBay. Neither of these is listed on the BugBounty programme page. If they can be persuaded to put their details on the site, it should boost participation from businesses and researchers.
For researchers, the rewards at present are not massive. The community Twitter feed shows that payments vary widely. Cash payments range from a few US dollars to €500, the latter being described as: “pays for baby diapers for the whole year.” Some customers also pay in Amazon gift cards, which is likely to be easier to put through the company accounts.
A closer look at the researchers and a comparison of vulnerabilities that they have helped patch is interesting. It shows just how many businesses are working through the programme and with the researchers. It also demonstrates that this is not a hobby site but a serious job for many of these researchers.
For budding researchers looking to build their reputation, Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, says: “This is an amazing development in the bug bounty industry. I think this can help a lot of SMEs and large companies that are unable to detect and remediate the integrity of website vulnerabilities through automated scanners or annual pentesting. Security researchers can also get some valuable practice for the benefit of the cybersecurity industry – something that many graduates are missing today when applying for their first infosecurity job.”
What does this mean?
Finding and fixing bugs in websites is not easy. SMEs tend either to build in-house using packaged tools or to pay a small development company. Both can leave them open to unexpected issues in the software that they are using. This is not just about open source software: vulnerabilities in web code from large vendors are regularly disclosed.
Attackers have well-proven tools that scan the Internet for vulnerabilities. Once a weakness is found, they are quick to exploit it, which often means placing malicious code on the site. This is one of the main distribution vectors for cryptomining tools.
Any program that increases the possibility of vulnerabilities being found and patched is to be welcomed. For SMEs the challenge will be adequately recompensing the researchers. As the community page shows, this doesn’t have to be in the hundreds or thousands of dollars or Euros. However, it does need to be a sensible transaction between both parties.
Open BugBounty needs to get some of the very large companies to be more public on the site, which will boost its use and improve Internet security.