Today, Open Bug Bounty has reached 100,000 fixed vulnerabilities in pursuit of its honorable goal to make the web safer. Open Bug Bounty accepts only XSS and CSRF vulnerabilities that cannot harm the website or its users unless maliciously exploited in the wild. Such a non-intrusive approach makes sense, as security researchers can ethically report and help to patch a security vulnerability on any website even without a formal bug bounty.
Recently, also the Open Bug Bounty project announced a revision of its internal processes to comply with the ISO 29147 standard. Started as an XSS archive in 2014, the project has evolved into a coordinated disclosure and open bug bounty platform.
The underlying non-profit and fully transparent concept of Open Bug Bounty may seem astonishing compared to paid bug bounty platforms that raise tens of millions of venture funding and get paid by companies to run their programs. However, the scope of Open Bug Bounty involvement in the vulnerability disclosure and remediation process is strictly limited to vulnerability verification and prompt notification of the website owner by all available means, including social networks.
Vulnerability details cannot be disclosed in public before 90 days after any website owner notification. Once the website owner is aware of the vulnerability’s existence, any further contacts with the researcher are beyond any control of the Open Bug Bounty. There is absolutely no obligation to pay security researchers, however Open Bug Bounty advices “at least to say a thank you” for the researcher’s time.
The Open Bug Bounty’s average bounty payment is much lower compared to Google or Facebook XSS’s payouts. However, some researchers get four-digits awards from the grateful website owners. Many website owners write recommendations to researchers’ profiles acknowledging their work and help. Others send books, gadgets, branded gifts or even cakes and candies.
We spoke with Open Bug Bounty team via email, asking a few questions about their awesome work:
Who are the people behind the project?
We are a small team of less than ten people from different countries, mainly employed in IT or cybersecurity. We even have people with legal background among our contributors.
How do you organize your operations?
Actually, there is no hierarchy or long-term planning. We all spend some of our spare time on the project when we don’t have other things to do. Our community brings great ideas that we try to implement without much delay.
What are the upcoming improvements, if any?
We frequently receive valuable feedback both from the researchers and website owners to facilitate coordination, improve notification and accelerate remediation processes. These are our priorities that we continuously implement whenever we have some time.
Do you compete with commercial bug bounty platforms?
We don’t think so. They have completely different service and value-proposition suitable for large organizations with mature cybersecurity. Open Bug Bounty is a totally open and transparent community, where every security researcher or website owner is welcome without any pre-requisites but ethics and mutual respect. We have a well-deserved success and recognition in our niche and we are pretty happy with it.
Do you plan to offer any commercial services on top of your platform?
No. We believe that bug bounty should remain open, transparent and beneficial only for the researchers and website owners.
What is your ultimate goal with your project?
Making the web a safer place. We are not looking for glory or profit. Joyful tweets from the community is the best award we may have. And we are excited that we see such tweets more and more frequently.
If you are a website owner, admin or even an external cybersecurity service provider (e.g. WAF operator), you can subscribe to instant vulnerability alerts to get notified once a vulnerability is spotted on your domain. If you are a security researcher inspired to make the web safer – you need just to sign up using Twitter and you are a part of the self-regulated community of white hats.