Major updates and new features challenge crowd-sourcing start-ups for vulnerability reporting
VC-backed Bug Bounty startups lose their battle to non-profit Open Bug Bounty project?
Over 17,500 websites, including such industry giants as Microsoft, Amazon, LinkedIn, eBay, Apple and BBC fixed security vulnerabilities on their websites reported by XSSPosed researchers.
Launched in June 2014, XSSPosed is a non-profit website designed for security researchers to report vulnerabilities in websites and help get them patched. Since July 2015, XSSPosed has offered the Open Bug Bounty coordinated vulnerability disclosure program to any website and any security researcher.
One of the top researchers, known under the pseudonym ‘Brute’ (who has helped fix over 1,000 vulnerabilities), was recently hired by the security company Sucuri. Other security researchers usually receive small rewards, such as t-shirts, cups, discount coupons or anything else website owners choose to offer for their efforts.
The Open Bug Bounty project announced major changes and new features over the weekend that are aimed at challenging some crowd-sourcing startups, as well as the official Bug Bounty programs of large companies that are not meeting researchers’ expectations, including the recent incident involving the Facebook Bug Bounty.
The most significant change is the ability to privately report a vulnerability via Open Bug Bounty. This enables security researchers to prove that a security flaw exists without disclosing anything in public, including the fact that a website is vulnerable. This supports researchers because companies running managed or official Bug Bounties will no longer be able to refuse bounty payments by claiming that a vulnerability does not exist, does not meet submission criteria, or was previously reported.
Moreover, the Open Bug Bounty project has significantly improved its vulnerability notification system to make sure that every website owner gets an instant notification about a problem. Custom notifications about any reported vulnerabilities are available to website owners for free.
XSSPosed says that it accepts only XSS and similar types of vulnerabilities, whose detection is non-intrusive and therefore harmless to the websites. However, the presence of such a vulnerability can often lead to total compromise of a website and its database.
The progress of the Open Bug Bounty project is very impressive: it highlights how many talented security researchers from all over the world wish to contribute their efforts to something useful for the industry, and how much more needs to be done to improve the global state of web application security.
Many cybersecurity startups backed by VCs’ millions are trying to monetize bug bounties today; however, they still have a lot of work to do. Neither Bug Bounty startups nor the Open Bug Bounty project can compete with professional web security companies, but they can certainly help make the web a safer place.