Vulnerability disclosure platform driven by ‘transparency and fairness’, with over 500,000 bugs fixed since 2014
Open Bug Bounty has around 1,300 active bug bounty programs and 22,000 registered security researchers, and is approaching one million coordinated disclosures, resulting in around half a million vulnerability patches.
The project, which was founded in 2014, is nevertheless dwarfed in scale by the commercial bug bounty market’s big beasts.
However, the security researchers and other “cybersecurity veterans” who maintain the platform insist that the likes of HackerOne and Bugcrowd – founded earlier in 2012 and 2011, respectively – are not direct competitors.
“Many commercial bug bounty platforms are now shifting to penetration testing and other traditional MSSP services, diverging from traditional bug bounties,” Open Bug Bounty’s 10 maintainers told The Daily Swig in collectively-written comments.
Indeed, the growing popularity of ‘pen test-as-a-service’ has also given rise to red team-inspired crowdsourced security platforms like Cobalt and Synack.
By contrast, “Open Bug Bounty is a pure crowd-security testing and vulnerability disclosure platform where everyone can participate without restrictions while following the rules and code of conduct.”
‘Not motivated by profits’
Moreover, the service is free to use for website owners as well as researchers – leaving the maintainers to cover hosting and web development costs themselves.
“We are not motivated by profits and [are] happy to spend our evenings to maintain the platform,” they say.
So, what motivates them to invest both time and money into the project?
“We are close to reaching one million fixed vulnerabilities,” they explain. “We are excited to see how security researchers and website owners leverage the platform to make the web a safer place.
“The Open Bug Bounty team is mostly composed of cybersecurity veterans [and] our underlying goal is to bring transparency, efficiency and fairness to the industry.”
Open Bug Bounty is run by a small team of maintainers
‘Comprehensive’, free service
Naturally, there’s a gulf in financial resources between Open Bug Bounty and HackerOne and Bugcrowd, whose growth has been propelled by tens of millions of dollars of venture capital investment.
“We cannot provide the same elegance of UI/UX or 24/7 support” offered by “the commercial players,” they concede.
But they still provide a “comprehensive” service “at no cost” to program owners by marshalling their comparatively modest resources wisely.
They “provide a coordinated and responsible vulnerability disclosure to any website owner” in line with the ISO 29147 standard, but “do not offer any intermediation with the researchers – who always communicate directly with the program owners”.
Submissions are limited to common web application vulnerabilities “that are detectable with non-intrusive manual testing”, they add.
“For XSS and similar vulnerabilities, we offer free triage and submission verification to bug bounty owners. We do not accept, however, SQL injections and RCEs directly on the platform but provide a central place to coordinate how such findings are to be reported – if authorized by the bug bounty scope.”
Eclectic client base
What kind of organizations does the Open Bug Bounty model appeal to? A pretty wide range, according to the platform’s overseers.
“We have IT and e-commerce companies, marketplaces, universities, and even some governmental entities hosting their bug bounties at Open Bug Bounty,” say the maintainers.
“We regularly receive incoming enquiries from banks and other companies with strict compliance and confidentiality requirements.”
Some companies host their program on both Open Bug Bounty and a major commercial platform, they add.
Without mediation on offer, however, many companies with large budgets “will probably go to commercial platforms to outsource the entire process of vulnerability disclosure and mediation with researchers”.
Along with the enforcement of “transparent rules”, the absence of mediation has limited their experience of disputes to “isolated cases”. These issues, which mostly stem from innocent misunderstandings, are usually “rapidly resolved”.
The maintainers add that they occasionally receive complaints about automated testing of websites, which is strictly prohibited on the platform and can lead to swift account suspension.
Nearly one million security vulnerabilities have been disclosed through Open Bug Bounty since 2014
Bounties and honor badges
Researchers on the Open Bug Bounty platform earn honor badges to reflect the quality and quantity of their valid submissions, with the emphasis heavier on the former.
More tangible rewards can include financial bounties, with some cryptocurrency projects paying five-figure sums, and smart watches, gift cards and other non-financial gifts. Website owners are encouraged to at least express gratitude or write a recommendation on researchers’ profiles for successful submissions.
“In our experience, website owners highly appreciate the researchers who come to [their] help and are not solely motivated by a financial reward, and [sometimes] pay small extra bonuses for the most helpful submissions,” say the maintainers.
Expanding reporting capabilities
The maintainers recently upgraded the email system for notifying organizations of vulnerability submissions, and are “continuously improving” reporting requirements to ensure that submissions from researchers are “sufficiently detailed, clear and actionable.”
Reporting capabilities are being expanded to “cover a broader scope of security vulnerabilities” too.
The maintainers say they are also open to improvement suggestions from the community and partnerships that can “offer better DevSecOps integrations, assisted remediation and other value-added features”.
But with commercial bug bounty vendors increasingly “moving to penetration testing services to increase profits under pressure [from] investors”, Open Bug Bounty will continue to evolve in line with its founding mission: “offering an open, transparent, and fair platform that anyone can join regardless of his or her nationality or number of security certificates”.