The Open Bug Bounty Community fixes over 1m vulnerabilities

The Open Bug Bounty Community has helped fix over 1,000,000 vulnerabilities since its inception. Open Bug Bounty is an open, disintermediated, community-driven Bug Bounty platform for coordinated, responsible and ISO 29147 compatible vulnerability disclosure.
The Open Bug Bounty project enables website owners to receive advice and support from security researchers around the globe in a transparent, fair and coordinated manner to make web applications better and safer for everyone’s benefit.
Open Bug Bounty hosts bug bounty programmes for companies including Telekom Austria and Drupal, and has a community of over 20,000 security researchers.
Started by a group of independent security experts in June 2014, Open Bug Bounty is a non-profit platform designed to connect security researchers and website owners in a transparent, respectful and mutually valuable manner. Its purpose is to make the Web a safer place for everyone’s benefit.
A spokesperson from Open Bug Bounty says: "The Open Bug Bounty project is an interesting phenomenon that demonstrates that global crowd security testing has become a mature industry that can be a valuable enhancement to a corporate application security programme. Traditional penetration testing and vulnerability scanning are merely the baseline of application security. Therefore, when security researchers with different backgrounds and experience complement your application security testing, this may bring additional findings that require unusual creativity and a lot of time to be discovered.
“Organisations should, however, be prudent when setting up a bug bounty programme and ensure that external testing does not violate data protection legislation. For example, if you authorize external security researchers to test your production system, the former may access sensitive personal data or financial information. How, when and if this data will be eventually removed from researchers’ systems often remains unclear, let alone a situation when a researcher’s device is compromised by cybercriminals and the information is stolen by the bad guys."
About the Open Bug Bounty – how it works
Open Bug Bounty’s coordinated vulnerability disclosure platform allows any security researcher to report a vulnerability on any website, as long as the vulnerability was discovered without any intrusive testing techniques and is submitted following responsible disclosure guidelines.
The role of Open Bug Bounty is limited to independent verification of the submitted vulnerabilities and proper notification of website owners by all available means. Once notified, the website owner and the researcher are in direct contact to remediate the vulnerability and coordinate its disclosure. At this and any later stage, Open Bug Bounty never acts as an intermediary between website owners and security researchers.
The site only accepts Cross-Site Scripting (XSS), CSRF and a few other vulnerability classes that are among the most common web application vulnerabilities today.
For reports of GDPR-relevant PII exposure, the platform does not store the exposed personal data itself; after verifying the vulnerability it keeps only a screenshot with the PII blurred.
The proper process of testing for these vulnerabilities is harmless and cannot damage a website, database, server or related infrastructure. Open Bug Bounty does not accept vulnerabilities that can, or are intended to, harm a website, its data or related infrastructure.
Open Bug Bounty prohibits reporting of vulnerabilities that were detected by vulnerability scanners and other automated tools that may impact website performance or cause any other negative impact.
Once a vulnerability is reported and confirmed, Open Bug Bounty immediately sends a security alert to the website owner following ISO 29147 guidelines, as well as to specific security contacts provided by the researcher.
Security researchers can publicly disclose technical details of the vulnerabilities they report if they wish to do so. However, in order to give website owners appropriate time to remediate the vulnerability without putting undue pressure on them, technical details may be disclosed only after 90 days from the original submission, or after 30 days if the vulnerability has been patched.