Open Bug Bounty

Last updated

Open Bug Bounty is a non-profit bug bounty platform established in 2014. The coordinated vulnerability disclosure platform allows independent security researchers to report XSS and similar security vulnerabilities on any website they discover using non-intrusive security testing techniques. [1] The researchers may choose to make the details of the vulnerabilities public in 90 days since vulnerability submission or to communicate them only to the website operators. The program's expectation is that the operators of the affected website will reward the researchers for making their reports.

Contents

Program

Unlike commercial bug bounty programs, Open Bug Bounty is a non-profit project and does not require payment by either the researchers or the website operators. Any bounty is a matter of agreement between the researchers and the website operators. Heise.de identified the potential for the website to be a vehicle for blackmailing website operators with the threat of disclosing vulnerabilities if no bounty is paid, but reported that Open Bug Bounty prohibits this. [2]

Open Bug Bounty was launched by private security enthusiasts in 2014, and as of February 2017 had recorded 100,000 vulnerabilities, of which 35,000 had been fixed. [3] It grew out of the website XSSPosed, an archive of cross-site scripting vulnerabilities. [4]

In February 2018, the platform had 100,000 fixed vulnerabilities using coordinated disclosure program based on ISO 29147 guidelines. [5]

Up to the end of 2019, the platform reported 272,020 fixed vulnerabilities using coordinated disclosure program based on ISO 29147 guidelines. [6]

Related Research Articles

In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is shared with third parties is the subject of much debate, and is referred to as the researcher's disclosure policy. Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them.

<span class="mw-page-title-main">Vulnerability (computing)</span> Exploitable weakness in a computer system

Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface.

<span class="mw-page-title-main">Chris Wysopal</span> American computer security expert

Chris Wysopal is an entrepreneur, computer security expert and co-founder and CTO of Veracode. He was a member of the high-profile hacker think tank the L0pht where he was a vulnerability researcher.

<span class="mw-page-title-main">Application security</span> Measures taken to improve the security of an application

Application security includes all tasks that introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications. It encompasses the whole application life cycle from requirements analysis, design, implementation, verification as well as maintenance.

<span class="mw-page-title-main">CERT Coordination Center</span>

The CERT Coordination Center (CERT/CC) is the coordination center of the computer emergency response team (CERT) for the Software Engineering Institute (SEI), a non-profit United States federally funded research and development center. The CERT/CC researches software bugs that impact software and internet security, publishes research and information on its findings, and works with businesses and the government to improve the security of software and the internet as a whole.

In computer security, coordinated vulnerability disclosure, or "CVD" is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue. This coordination distinguishes the CVD model from the "full disclosure" model.

A zero-day is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, like the vendor of the target software. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, additional computers or a network. An exploit taking advantage of a zero-day is called a zero-day exploit, or zero-day attack.

Malwarebytes is an anti-malware software for Microsoft Windows, macOS, ChromeOS, Android, and iOS that finds and removes malware. Made by Malwarebytes Corporation, it was first released in January 2006. It is available in a free version, which scans for and removes malware when started manually, and a paid version, which additionally provides scheduled scans, real-time protection and a flash-memory scanner.

<span class="mw-page-title-main">ImmuniWeb</span>

ImmuniWeb is a global application security company headquartered in Geneva, Switzerland. ImmuniWeb develops Machine Learning and AI technologies for SaaS-based application security solutions provided via its proprietary ImmuniWeb AI Platform.

A bug bounty program is a deal offered by many websites, organizations and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

HackerOne is a company specializing in cybersecurity, specifically attack resistance management, which blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the digital attack surface. It was one of the first companies to embrace and utilize crowd-sourced security and cybersecurity researchers as linchpins of its business model; pioneering bug bounty and coordinated vulnerability disclosure. As of December 2022, HackerOne’s network had paid over $230 million in bounties. HackerOne’s customers include The U.S. Department of Defense, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Slack, Twitter, and Yahoo.

<span class="mw-page-title-main">Heartbleed</span> Security bug in OpenSSL

Heartbleed is a security bug in some outdated versions of the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed could be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It resulted from improper input validation in the implementation of the TLS heartbeat extension. Thus, the bug's name derived from heartbeat. The vulnerability was classified as a buffer over-read, a situation where more data can be read than should be allowed.

Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. It was announced on 15 July 2014.

<span class="mw-page-title-main">Katie Moussouris</span> American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure

Katie Moussouris is an American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure, and is best known for her ongoing work advocating responsible security research. Previously a member of @stake, she created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers. She previously served as Chief Policy Officer at HackerOne, a vulnerability disclosure company based in San Francisco, California, and currently is the founder and CEO of Luta Security.

MLT, real name Matthew Telfer, is a cybersecurity researcher, former grey hat computer hacker and former member of TeaMp0isoN. MLT was arrested in May 2012 in relation to his activities within TeaMp0isoN, a computer-hacking group which claimed responsibility for many high-profile attacks, including website vandalism of the United Nations, Facebook, NATO, BlackBerry, T-Mobile USA and several other large sites in addition to high-profile denial-of-service attacks and leaks of confidential data. After his arrest, he reformed his actions and shifted his focus to activities as a white hat cybersecurity specialist. He was the founder of now-defunct Project Insecurity LTD.

<span class="mw-page-title-main">Spectre (security vulnerability)</span> Processor security vulnerability

Spectre refers to one of the two original transient execution CPU vulnerabilities, which involve microarchitectural timing side-channel attacks. These affect modern microprocessors that perform branch prediction and other forms of speculation. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.

<span class="mw-page-title-main">Rafay Baloch</span> Pakistani ethical hacker

Rafay Baloch , is a Pakistani ethical hacker and security researcher known for his discovery of vulnerabilities on the Android operating system. He has been featured and known by both national and international media and publications like Forbes, BBC, The Wall Street Journal, and The Express Tribune. He has been listed among the "Top 5 Ethical Hackers of 2014" by CheckMarx. Subsequently he was listed as one of "The 15 Most Successful Ethical Hackers WorldWide" and among "Top 25 Threat Seekers" by SCmagazine. Baloch has also been added in TechJuice 25 under 25 list for the year 2016 and got 13th rank in the list of high achievers. Reflectiz, a cyber security company, released the list of "Top-21 Cybersecurity Experts You Must Follow on Twitter in 2021" recognizing Rafay Baloch as the top influencer. On 23 March 2022, ISPR recognized Rafay Baloch's contribution in the field of Cyber Security with Pride for Pakistan award.

<span class="mw-page-title-main">Microarchitectural Data Sampling</span> CPU vulnerabilities

The Microarchitectural Data Sampling (MDS) vulnerabilities are a set of weaknesses in Intel x86 microprocessors that use hyper-threading, and leak data across protection boundaries that are architecturally supposed to be secure. The attacks exploiting the vulnerabilities have been labeled Fallout, RIDL, ZombieLoad., and ZombieLoad 2.

Bugcrowd is a crowdsourced security platform. It was founded in 2011 and in 2019 it was one of the largest bug bounty and vulnerability disclosure companies on the internet. In March 2018 it secured $26 million in a Series C funding round led by Triangle Peak Partners. Bugcrowd announced Series D funding in April 2020 of $30 million led by previous investor Rally Ventures.

Zero Day Initiative (ZDI) is an international software vulnerability initiative that was started in 2005 by TippingPoint, a division of 3Com. The program was acquired by Trend Micro as a part of the HP TippingPoint acquisition in 2015.

References

  1. "Open Bug Bounty: 100,000 fixed vulnerabilities and ISO 29147". Techworm. Retrieved 19 February 2018.
  2. "Open Bug Bounty: Sicherheitslücken gegen Prämie". Heise Security (in German). 12 January 2017. Retrieved 4 January 2018.
  3. "Open Bug Bounty – the alternative crowd security platform for security researchers". TechWorm. 14 February 2017. Retrieved 21 December 2017.
  4. "XSSPosed launches Open Bug Bounty programme for web flaws". SC Media UK. 6 July 2015. Retrieved 21 December 2017.
  5. "Not-for-profit Open Bug Bounty announces 100K fixed vulnerabilities". SC Media. Retrieved 23 February 2018.
  6. "Brief Recap of Open Bug Bounty's Record Growth in 2019". openbugbounty.org. 16 January 2020. Retrieved 27 July 2019.