The once skyrocketing bug bounty industry does not seem to be in the best shape today. While prominent security researchers talk about a growing list of hurdles they run into with the leading commercial bug bounty platforms, those platforms are trying to reinvent themselves as "next-generation penetration testing" or similar services. You be the judge of how successful they will be.
Generous venture funds have poured many millions into fast-spending bug bounty startups that have not replaced Managed Penetration Testing (MPT) services, as some of them declared they would. These startups have, however, improved the price/quality ratio of pen testing services on the global market.
Amid the uncertainty about the future of commercial bug bounty platforms, the not-for-profit Open Bug Bounty project has demonstrated quite impressive growth and traction in its annual report for 2019.
For 2019 alone, the non-commercial, ISO 29147-based bug bounty platform reported the following:
- 203,449 security vulnerabilities were reported in total (over 500 per day), a 32% year-over-year increase
- 101,931 vulnerabilities were fixed by website owners, a 30% increase compared to the previous year
- 5,832 new security researchers joined the community, bringing the total number of researchers and security experts to 13,532
- 383 new bug bounty programs were created by website owners, bringing the total to 657 programs covering over 1,342 websites to test
Today, Open Bug Bounty already hosts 680 bug bounties offering monetary or non-monetary rewards to security researchers from over 50 countries. Global companies such as Telekom Austria, Acronis, and United Domains run their bug bounties on Open Bug Bounty.
Among the website owners who have thanked researchers for coordinated and responsible disclosure via the platform, one can find Dell, IKEA, Twitter, Verizon, Philips, several governmental institutions and international organizations, some law schools and law firms, and even the American Bar Association (ABA), not to be confused with the beer-drinking kind.
Initially, Open Bug Bounty accepted submissions of XSS, CSRF, Improper Access Control, and other security issues on any website, on the condition of strictly non-intrusive testing, coordinated disclosure, and respect for its code of conduct.
In 2019, the platform evolved further by enabling anyone to launch a bug bounty for their own website, without any fees or commissions, accessible to all of its 13,000+ researchers.
Open Bug Bounty later announced enhancements to its existing DevSecOps integrations with new tools and instruments, supplementing the SDLC integrations already available for Jira and Splunk.
Interestingly, the 2019 report also mentions growing interest from cybersecurity companies in partnering with, or even acquiring, the project; however, it clearly states that the platform will always maintain its openness and integrity.
We managed to get an exclusive interview with the Open Bug Bounty team about the future of the project:
How do you see 2020 for the Open Bug Bounty?
We will pursue our relentless expansion by adding new features, options, and integrations. We carefully listen to our community and try to implement all improvements beneficial for website owners and security researchers. Agility, simplicity, and reliability are all key priorities for us when building new features.
Do you plan to partner with commercial bug bounty projects or a cybersecurity company?
We are open to proposals that will help us improve the project, maintaining an open and cozy place for website owners and security researchers that is governed by respect and fairness.
Are you looking for venture funding or donations?
We are a small group of cybersecurity enthusiasts, spending our spare time on the project between family life and work. For the moment, we feel pretty comfortable with the workload and have even managed to refresh the design, making it brighter and more cheerful. We purposely don't accept donations and do not display commercial ads, given that our community is foremost driven by a dream to secure the Web.
How visible is your impact on the cybersecurity industry?
Our researchers and website owners are probably the best people to answer this question. From our side, we see an increasing number of cybersecurity students who start their practice with Open Bug Bounty, software developers helping their peers maintain better security, and professional bug hunters seeking a more transparent alternative to commercial bug bounty platforms. We draw attention to application security, promote the OWASP project, and try to raise global web security awareness among website owners and software developers.
Do you perceive commercial bug bounty platforms as your competitors?
No, we rather complement each other in one way or another. It's like open source software and commercial software. Their philosophy is fairly different, but they coexist in harmony and add value to each other. The more offerings that exist on the market, the better off consumers and other actors will be.
How can one get in touch with you?
There is a secure web form on our website. Drop us your contact details there, and we will get back to you.
On behalf of The Hacker News, we sincerely wish the Open Bug Bounty team a well-deserved success in what they do to improve global web security.