Open Bug Bounty has fixed 1 million vulnerabilities

Monday, November 7, 2022

Bug bounties have proliferated over the last few years and Open Bug Bounty offers crowdsourced security testing as a complementary service to commercial offers.

Open Bug Bounty is an open, disintermediated, cost-free, and community-driven Bug Bounty platform for coordinated, responsible, and ISO 29147 compatible vulnerability disclosure. It passed the milestone on 27 October of fixing over 1,000,000 web security vulnerabilities.

The Open Bug Bounty project enables website owners to receive advice and support from security researchers around the globe in a transparent, fair, and coordinated manner to make web applications better and safer for everyone’s benefit.

Open Bug Bounty hosts Bug Bounty programs for such companies as A1 Telekom Austria and Drupal, with over 20,000 security researchers.

Started by a group of independent security experts in June 2014, Open Bug Bounty is a non-profit platform designed to connect security researchers and website owners in a transparent, respectful, and mutually valuable manner. Its purpose is to make the Web a safer place for everyone’s benefit.

A spokesperson from Open Bug Bounty commented:

"The Open Bug Bounty project is an interesting phenomenon that demonstrates that global crowd security testing become a mature industry that can be a valuable enhancement for the corporate application security program. Traditional penetration testing and vulnerability scanning are merely the baselines of application security. Therefore, when security researchers with different backgrounds and experiences complement your application security testing, this may bring additional findings that require unusual creativity and a lot of time to be discovered."

"Organizations should, however, be prudent when setting up a bug bounty program and ensure that external testing does not violate data protection legislation. For example, if you authorize external security researchers to test your production system, the former may access sensitive personal data or financial information. How, when and if this data will be eventually removed from researchers’ systems often remains unclear, let alone a situation when a researcher’s device is compromised by cybercriminals and the information is stolen by the bad guys."

"The project does not perceive itself to be a competitor of leading commercial bug bounty platforms. For example, we do not provide manual triage for RCE or SQL injection vulnerabilities, due to the high sensitivity and confidentiality of such submissions. For submissions like XSS or CSRF, we are, however, a perfect place that can significantly reduce costs by offering a turn-key managed solution for free. Furthermore, many young talents work on several platforms at once, including highly vetted Synack, and our website owners have access to the best talent, wherever they are based."