Open Bug Bounty

Open Bug Bounty is a non-profit bug bounty platform established in 2014. The coordinated vulnerability disclosure platform allows independent security researchers to report XSS and similar security vulnerabilities on any website they discover using non-intrusive security testing techniques.[1] The researchers may choose to make the details of the vulnerabilities public in 90 days since vulnerability submission or to communicate them only to the website operators. The program's expectation is that the operators of the affected website will reward the researchers for making their reports.

Program

[edit]

Unlike commercial bug bounty programs, Open Bug Bounty is a non-profit project and does not require payment by either the researchers or the website operators. Any bounty is a matter of agreement between the researchers and the website operators. Heise.de identified the potential for the website to be a vehicle for blackmailing website operators with the threat of disclosing vulnerabilities if no bounty is paid, but reported that Open Bug Bounty prohibits this.[2]

Open Bug Bounty was launched by private security enthusiasts in 2014, and as of February 2017 had recorded 100,000 vulnerabilities, of which 35,000 had been fixed.[3] It grew out of the website XSSPosed, an archive of cross-site scripting vulnerabilities.[4]

In February 2018, the platform had 100,000 fixed vulnerabilities using coordinated disclosure program based on ISO 29147 guidelines.[5]

Up to the end of 2019, the platform reported 272,020 fixed vulnerabilities using coordinated disclosure program based on ISO 29147 guidelines.[6]

References

[edit]
  1. ^ "Open Bug Bounty: 100,000 fixed vulnerabilities and ISO 29147". Techworm. Retrieved 19 February 2018.
  2. ^ "Open Bug Bounty: Sicherheitslücken gegen Prämie". Heise Security (in German). 12 January 2017. Retrieved 4 January 2018.
  3. ^ "Open Bug Bounty – the alternative crowd security platform for security researchers". TechWorm. 14 February 2017. Retrieved 21 December 2017.
  4. ^ "XSSPosed launches Open Bug Bounty programme for web flaws". SC Media UK. 6 July 2015. Retrieved 21 December 2017.
  5. ^ "Not-for-profit Open Bug Bounty announces 100K fixed vulnerabilities". SC Media. Retrieved 23 February 2018.
  6. ^ "Brief Recap of Open Bug Bounty's Record Growth in 2019". openbugbounty.org. 16 January 2020. Retrieved 27 July 2019.
[edit]