The Open Bug Bounty Project started in 2014 as a non-profit program to connect security researchers and website owners in a more transparent and mutually rewarding way, with the aim of making the Web a safer place for everyone.
The program has so far attracted over 10,000 researchers, with 498,505 coordinated disclosures, 272,564 fixed vulnerabilities and 681 bug bounties from 1,374 websites. In fact, its success story is perhaps best seen as a reinvention of "next-generation penetration testing" and similar services for the benefit of all.
Still, there is uncertainty about the future of commercial bug bounty platforms, even though the not-for-profit Open Bug Bounty project has reported impressive growth and traction.
The Open Bug Bounty Project History
The project was started in June 2014 by a group of independent security researchers as a non-profit platform, and there is no financial or commercial interest in the project.
Until now, the founding researchers have paid the hosting expenses and development costs from their own pockets, and have spent several nights verifying all new submissions. Today, Open Bug Bounty hosts about 680 bug bounties, which offer monetary or non-monetary remuneration to security researchers from over 50 countries.
Companies such as Acronis, Telekom Austria and United Domains run their bug bounties at Open Bug Bounty. The coordinated vulnerability disclosure platform allows anyone to report a vulnerability, as long as the vulnerability was not discovered through intrusive testing techniques and is submitted in accordance with responsible disclosure guidelines.
What constitutes Safe and Non-Intrusive Testing?
Open Bug Bounty only accepts Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and vulnerabilities that feature among the most commonly reported web application vulnerabilities today.
Initially, they accepted submissions of XSS, Improper Access Control and other security issues on any website, on condition of strictly non-intrusive testing, coordinated disclosure and respect for their code of conduct. When reporting GDPR PII exposure, they do not store the PII itself, only a blurred screenshot taken after verifying the vulnerability.
The process of testing the vulnerabilities is harmless and cannot lead to damage to the website, database, server or related infrastructure.
Open Bug Bounty prohibits reporting of vulnerabilities detected by vulnerability scanners and other automated tools that can impact website performance or cause other issues. They also do not accept any vulnerabilities that can, or are intended to, harm a website, its data or related infrastructure.
The Bounties and Rewards
Website owners can express gratitude to a researcher for reporting a vulnerability in the most responsible way through a reward that is proper and proportional to the researcher's efforts.
Open Bug Bounty encourages website owners to at least say a "thank you" to the researcher or write a brief recommendation in the researcher's profile. However, site owners are under absolutely no obligation or duty to express gratitude in any way.
The project promotes positive, constructive and mutually respectful communication between website owners and security researchers. Researchers on the platform receive various honorary badges for the quality of their submissions and the number of websites they have helped to secure.