Speaking with the team at Open Bug Bounty was the highlight of her day for Aviva Zacks of Safety Detectives. She learned that their community-driven spirit is exactly what advantageously differentiates their project from the others out there.
Safety Detectives: What has your journey to Open Bug Bounty been?
Open Bug Bounty: Started as a small project for XSS vulnerability disclosure, the Open Bug Bounty project is now a part of the Top 5 Bug Bounty programs as per The Hacker News 2021 ratings. We see huge potential in crowd security testing and responsible disclosure, and we frankly believe that this emerging market should be open, fair, and transparent. Today, we have over 1 million submissions, almost 1,500 active bug bounty programs, and more than 23,000 security researchers from around the globe. We enjoy this diversity and openness.
SD: What is a Bug Bounty?
OBB: Bug Bounty is a formal authorization and invitation from a website or mobile app owner to conduct specific security testing or reverse-engineering of the application to detect security and privacy flaws to report them for mitigation. Many application owners pay pretty generous monetary awards for serious security vulnerabilities, others— like startups—may offer letters of gratitude, vouchers, or some cool goodies. On our platform, we have seen awards of expensive electronics, rare wine, 5-digit monetary payouts, or just corporate t-shirts.
SD: What verticals use your services?
OBB: We are feeling very comfortable with open-minded businesses who believe that paying an intermediary in a bug bounty program is an excessive fee. Being a non-profit project, Open Bug Bounty is totally fee-free for website owners and commission-free for security researchers. Our goal is to make the Web a safer place.
SD: How do you stay ahead of the competition?
OBB: We do not perceive HackerOne or BugCrowd—the leading commercial bug bounty platforms—as our competitors. Contrariwise, we rather perceive them as complementary to what we do. For example, we do not provide manual triage for RCE or SQL injection vulnerabilities—due to the high sensitivity and confidentiality of such submissions. For submissions like XSS or CSRF, we are, however, a perfect place that can significantly reduce costs by offering a turn-key managed solution for free. Furthermore, many young talents work on several platforms at once, including highly vetted Synack, and our website owners have access to the best talents around the globe. We see a steady growth of female hackers at Open Bug Bounty and we truly like this.
SD: What are the worst cyberthreats out there today?
OBB: Perhaps lack of security training and incompetent cybersecurity management dominate the root causes of cybersecurity breaches. There is a myriad of legends about Russian or Chinese hackers, but most of them are truthful because breached organizations do not follow even the very basics of cybersecurity hygiene. Ransomware is a perfect example of corporate negligence, carelessness, and lack of accountability embodied in a “this is not my job” philosophy.
SD: How is your company changing now that we are living through this pandemic?
OBB: We offer SMEs, municipal government, and non-profit organizations a trusted and cost-free platform to leverage crowd security enthusiasm to make their applications secure and to prevent data breaches. We see large e-commerce and even banking organizations starting their bug bounty and vulnerability disclosure programs at Open Bug Bounty, and we are happy to welcome all of the newcomers to make their crowd security journey a sustainable success story.