Bug bounty hunters cash in

Read time 2min 30sec
Vulnerability patching time went down from 189 days in 2017 to 62 in 2018, says Open Bug Bounty.
Vulnerability patching time went down from 189 days in 2017 to 62 in 2018, says Open Bug Bounty.

Bug bounty hunters achieved major milestones during 2018.

This is according to the Open Bug Bounty not-for-profit programme, a platform that performs independent verification of the submitted cyber security vulnerabilities to confirm the existence of vulnerability as a third party, and also to provide proper notifications to Web site owners.

Open Bug Bounty says so far, over 7 700 security researchers found and helped fix over 165 000 security vulnerabilities following its guidelines of non-intrusive testing.

Non-intrusive testing is transparent to the software under test. It usually involves additional hardware that collects timing or processing information and processes that information on another platform.

Open Bug Bounty notes that this year, security vulnerabilities (mostly XSS) were reported on 992 Web sites out of 1 000 from Alexa Top 1 000 sites. The current average patch rate is now 89.4%, it notes.

It points out that an average vulnerability patching time (for all Web sites) went down from 189 days in 2017 to 62 in 2018, almost a 300% increase, emphasising continuously improving submissions quality. "Rating of our fastest fixes is now dominated by patches made in less than 15 minutes," says Open Bug Bounty.

Since the launch of open bug bounty programmes for Web site owners in August 2018, the organisation says 274 bug bounty programmes were created and are currently running with over 766 Web sites.

It notes the highest (publicly disclosed) voluntary payment to a researcher was $15 000 so far. Some of the highlighted publicly disclosed awards are listed here.

While these are positive steps for this project, Ilia Kolochenko, CEO of Web security company High-Tech Bridge, cautions that bug bounty programmes shouldn't be used in isolation for security.

"Bug bounty can be a good complementary enhancement for a mature application security testing programme. However, before implementing a bug bounty, one should carefully calculate the costs and benefits to see whether the bounty will be economically practical. Risks related to bug bounty, particularly sustainable relations with researchers, especially when you have to manage the programme yourself, should also be carefully assessed."

Kolochenko notes Open Bug Bounty is akin to open source software. "It's probably not as beautiful as commercial rivals, but it's free and open.

"It's likely they have found their non-profit market niche and will move forward with their community. One should, however, keep in mind that a bug bounty cannot replace other security controls such as Web application firewalls, and is no silver bullet."

See also