As an alternative to costly commercial bug bounty platforms, the Open Bug Bounty program is seeing record growth. We contacted a security expert to provide his comments on the growth of this open bug bounty program.
From their site: “With almost half-a-million vulnerability reports today, we are happy to present you a brief recap of our relentless and steady growth in 2019 attained with your valuable support and contribution that we greatly
- 203,449 security vulnerabilities were reported in total (500 per day), representing a 32% yearly growth
- 101,931 vulnerabilities were fixed by website owners, likewise showing a 30% growth compared to the previous year
- 5,832 new security researchers joined the community, making the total number of researchers and security experts 13,532
- 383 new bug bounty programs were created by website owners, now offering 657 programs in total with over 1,342 websites to test
A spokesperson says in the blog post: “We are receiving a considerable number of incoming proposals from commercial companies to support the project, or even to merge with their own solutions and platforms. We may consider one or even several partnerships in 2020 to ensure even faster development of our project; however, Open Bug Bounty will always remain open, community-driven and free.”
Digging further into their site, the Open Bug Bounty home page carries testimonials from the likes of IKEA, the American Bar Association, Canon, Virgin Australia and more. These companies were approached via Open Bug Bounty by researchers who had found XSS or other vulnerabilities on their websites.
This is quite impressive growth for a non-profit project. It even outshines commercial bug bounty platforms that have raised millions in cash from VCs. Their community-driven approach seems to be sustainable, delivering transparency for both security researchers and website owners. Quite a lot of organizations complain that commercial bug bounty platforms initially appear to be less expensive than traditional penetration testing, but after a careful examination of all fees and hidden costs they may easily become two to three times more expensive. The advantage of the Open Bug Bounty project is that it is free, and this will definitely attract its own unique audience. Their move towards DevSecOps integrations and cooperation with commercial companies makes a lot of sense, ensuring further development of the project.
In 2020, crowd security testing will remain an important enhancement to existing application security testing and defence arsenals. One should, however, keep in mind that application security is a multidimensional process composed of different solutions for different stages of code deployment. Static testing (SAST), for example, is invaluable during the development phase; automated dynamic testing (DAST) and penetration testing help in pre-production; while a WAF or RASP is absolutely necessary in a production environment.