Open Bug Bounty – the alternative crowd security platform for security researchers
HackerOne has recently announced a $40 million investment, bringing the total amount of cash invested into the prominent startup to $74 million. The company, however, does not disclose its valuation or profitability. In light of similar VC deals involving other crowd security companies such as BugCrowd, one may think that you need a lot of money to build your own bug bounty platform, but that is not always the case.
Today let’s take a look at the Open Bug Bounty platform. Started in 2014 by several security enthusiasts with no VC funding, it has now grown into a platform with over 100,000 reported vulnerabilities, 35,000 of which are already fixed, including vulnerabilities on the Facebook, LinkedIn, Amazon and eBay websites. All this without selling any stake in the company to VCs, keeping their independence and freedom of creativity. We managed to speak to the Open Bug Bounty team via email and asked them several questions about the platform, its history, and its future expansion plans.
What is the concept behind Open Bug Bounty?
Open Bug Bounty is a 100% non-profit project aimed at making the web safer. We provide an open platform where any security researcher can report a security vulnerability on any website. However, we do not accept any vulnerability that may harm a website or its infrastructure during the testing process (e.g. SQL injection). Our role is to validate submissions and notify website owners by all reasonable means. Once we reach the website owner, s/he gets in contact with the security researcher who discovered the vulnerability, asks for help to patch the vulnerability (if needed) and coordinates disclosure. Ultimately, website owners can thank the security researcher if they want, but there is no obligation. Usually, researchers get symbolic gifts, some cash or sincere gratitude and recommendations in their profiles.
How does your platform compare to commercial Bug Bounty platforms, like HackerOne?
We believe that a bug bounty should be open to everyone under equal conditions, unlike private bug bounty programs that may discriminate against security researchers by nationality, experience, certifications or other criteria. We connect companies that cannot or do not want to continuously run an official bounty program but are ready to accept help from volunteers, with white hat researchers motivated to assist them. Some researchers report vulnerabilities via our platform after being unfairly prevented from participating in private bounty programs, but still wish to help. Others may prefer to use our platform after not receiving any response from an official bounty.
Researchers also use our platform as a trusted clearinghouse, using the private submission feature to validate their submissions to official bounty programs. The private submission is validated and confirmed by us but is accessible only via a secret link that the researcher may send alongside the official submission to independently confirm the vulnerability discovery. This can be helpful when a company denies the existence of the vulnerability or says that it has been previously reported in order to refuse the bounty payment (a frequent case, unfortunately). Afterward, such submissions can be deleted without any public mention and thus do not violate the rules of bounty payment.
Which security researchers use Open Bug Bounty?
We have people from many different countries; some of them have already been working in the industry for several years, others are students. Open Bug Bounty is a great example of a volunteering project in the cyber security industry. We know that some top researchers get job offers from security companies. People start citing their Open Bug Bounty profiles with their achievements on LinkedIn and in CVs. The trust and credibility of our community are continuously growing.
You recently started accepting CSRF and Improper Access Control vulnerabilities. Any plans for SQL injections or RCEs?
As anyone can ethically and responsibly report a vulnerability to a website owner via our platform, everything is based on a non-intrusive testing approach. Therefore, we are currently evaluating these options, but we are not ready to put them into production yet.