This project named as Open Bug Bounty project was started in June 2014, by a group of independent security researchers. Open Bug Bounty is a non-profitable platform aimed to connect website owners and security researchers in a respectful, transparent, and mutually valuable manner. The ultimate purpose was to make the Web a safer place for all humans benefit, and they are still dedicated to working in this direction. There is no commercial and financial interest in the project. Moreover, organization pay web development cost and hosting expenses costs from their pocket, and spend valuable time to verify every new submission. This project is on a high rise now. ISO 29147, Responsible and coordinated Disclosure Open Bug Bounty is coordinating with the vulnerability disclosure platform.
This platform allows, reporting a vulnerability on any website by any security researcher, as long as vulnerability is submitted following all responsible disclosures guidelines and is discovered without any intrusive testing techniques. The purpose of Open Bug Bounty is concentrated up to independent verification of various submitted vulnerabilities and proper notification of website owners by all available and possible means. Once notified to bug bounty, the website researcher and the owner, both are in direct contact to remediate the vulnerability and coordinate its disclosure. At this and at any future stages, they never and never act as an intermediary between a security researcher and website owners. This platform is bound to follow all Security techniques, information technology, and vulnerability disclosure guidelines of coordinated and ethical disclosure. Going in detail, bug bounty figures out the risk generated from vulnerabilities. Also, they supply sufficient information to evaluate risks from vulnerabilities to their systems. This project to set expectations to promote positive coordination and communication among all involved parties.
In the vulnerability disclosure process suggested by ISO 29147, being a global vulnerability disclosure Coordinator, Open Bug Bounty also includes the following non-profit roles:-
Firstly, it acts as a trusted liaison between (researchers and website owners) the involved parties. Proper and transparent communication is set up between website owners and researchers. It also provides a clear forum where experts from different organizations can collaborate. Safe and Non-Intrusive Testing Bug bounty only accepts CSS (Cross-Site Scripting), CSRF and some other vulnerabilities that particularly figure among the most common web application vulnerabilities today. The actual process of testing for such vulnerabilities is harmless. It directly or indirectly cannot affect/damage a database, server, website or related infrastructure.
It completely restricts the vulnerabilities which aim to harm any website, it’s data and related infrastructure. A global bug bounty is writing its own tremendous story. It has recently launched a global bug bounty platform out of imagination with 13,000 researchers, and almost 500,000 submissions without asking for a cent from high venture capitalists. This skyrocketing bug bounty industry seems to be not in the best possible shape today. The future of commercial bug bounty platforms, was trapped in uncertain clouds, but not for profit bounty project has shown quite an impressive traction and growth in its annual report of the year 2019. Vulnerabilities reports showed a 32% year to year growth, 203,449 Security vulnerabilities are reported in total mentioning 500 per day in just 2019. As compared to the previous year, 101,931 vulnerabilities were sharply fixed by website owners, showing a clear 30% growth. The total number of Security experts and researchers have reached to 13,532, showing 5,832 new security researchers joining. A total of 1,342 websites are there to test, offering 657 programs. Website owners created 383 new bug bounty programs. From over 50 countries, open bug bounty hosts 680 bug bounties, offering non- monetary and monetary remuneration for Security researchers. Austria, Acronis, and United Domains, such global companies run their bug bounties at open bug bounty. The situation changed in 2019 when a forum was released mentioning anyone can launch a bug bounty for his/her website without any commissions or fees. Later, there was the enhancement of the existing DevSecOps integrations with new instruments and tools, pushing the already available SDLC integrations with Splunk and Jira. 2019 shown with the growing interest from cybersecurity companies in acquiring the project and partnering too. It cleared that the platform will always maintain its transparency and integrity.
How will the Open Bug Bounty grow in 2020?
Open bug bounty will rule the market with restless expansion allowing more options, integrations and new features. All improvements beneficial will be regulated for security researchers and website owners. Simplicity, reliability, and agility are all key taglines for open bug bounty when building new features.