Five of the Top Bug Bounty Platforms
Bug bounties are a form of results-based outsourced code checking. They are a cost-efficient and effective way of crowdsourcing a company’s code analysis, while paying only for results.
Today’s software is more complex and intricate than ever. Proprietary code is often combined with third-party and open source components in order to fine-tune a product to an organization’s needs. With so many variables at play, it is almost impossible for a single development team to anticipate and fix every security vulnerability. This security aspect is increasingly crowdsourced via bug bounties – payments to independent researchers for finding flaws in websites and applications.
Large companies often operate their own bounty program, but this is not always feasible for smaller companies. This is where the third-party bug bounty platforms come in. A good bug bounty platform provides the infrastructure for organizations to specify their needs and offer appropriate rewards, while giving researchers and ethical hackers a streamlined way to submit their findings and be rewarded.
More organizations are embracing the potential of bug bounties, and more ethical hackers are directing their efforts to earning money this way. This improves the market for the platforms, and the efficiency of finding bugs. Generally speaking, the more dangerous the flaw, the bigger the reward.
Here are five of the leading bug bounty platforms available to companies and ethical hackers.
5. HackenProof
Security issues are a threat to cryptocurrencies, since exploits can drastically damage a token’s market value. It may not be surprising, therefore, that bug bounty platforms have a close relationship with cryptocurrencies. In 2018, there were over $800,000 worth of bug bounty payouts for blockchain-related vulnerabilities alone. This may have been the inspiration behind HackenProof, the bug bounty platform offered by Hacken, a multilateral organization focused on cryptocurrency, blockchain, and cybersecurity.
HackenProof is one of the youngest bug bounty platforms and the newest entry on this list – but it already has an impressive client base considering it did not fully start operation until April 2018.
The Morpheus cryptocurrency and supply chain network (Morpheus.network) recently announced its partnership with HackenProof. “HackenProof will connect Morpheus.Network with thousands of independent security researchers from around the world to ensure that our code meets the highest standards of security,” it announced.
As a very young bounty platform, HackenProof’s greatest tests are likely still to come, but after a promising first year and with the platform attracting new clients, this crypto-based bug bounty marketplace is worth watching.
4. Open Bug Bounty
Open Bug Bounty is a non-profit platform with high accessibility for researchers and site owners. The open nature of the platform can make it especially attractive for ethical hackers to report vulnerabilities using non-intrusive testing techniques. Unsurprisingly, most of the reported vulnerabilities are XSS and CSRF, less frequently improper access control or similar ones.
The platform itself does not take a commission from reported bounties and does not charge a fee to the organizations making use of it. Instead, researchers can negotiate a fair bounty with site owners if the latter want to pay; otherwise, researchers can rely on an impressive hall of fame with laudable recommendations from website owners. The best researchers collect badges for responsible disclosure, mostly for the vulnerabilities they helped patch by following the responsible disclosure process under ISO 29147 guidelines.
Despite past doubts about the sustainable viability of such a self-regulated community, Open Bug Bounty has seen long-term success for researchers and now for site owners. Some reputable companies, such as GoDaddy, now run their bounties on it. In February 2018, the platform announced that it had recorded over 187,000 fixed vulnerabilities.
3. YesWeHack
YesWeHack was the first bug bounty platform to be founded within the EU, and now includes researchers from over 120 countries across the world. YesWeHack goes for a streamlined approach to creating bounty programs, and offers both public and private bounty services. The platform has aimed to stay ahead of the technology curve, and claims to have been DevSecOps-ready since its inception. (Make sure to check one of our previous blogs for more on DevSecOps.)
In mid-February 2019, YesWeHack raised €4 million in early stage venture funding from Open CNP to help expand operation in Europe and Asia. At the time, it announced on Twitter that it “plans to disrupt Europe's cybersecurity market!”
While in Europe, it is worth mentioning the EU’s Free and Open Source Software Audit (FOSSA) project, run by MEP Julia Reda. It offers EU-funded bounties for bugs found in major open source applications, including Filezilla, Apache Kafka, Apache Tomcat, Notepad++, PuTTY, VLC, and Drupal. Any bugs found and fixed could just prevent the next Drupalgeddon (see entry #5 in this list).
Several of the FOSSA bounties are being offered on the HackerOne platform (see entry #1 below).
2. BugCrowd
BugCrowd is the longest-established entry on this list and has been among the leaders in the field ever since its inception. As one of the biggest and most venerable bug bounty platforms, BugCrowd has helped set the standard for how bounty platforms in general operate. Clients can establish either a public or private bounty program, with different options available for organizations of different sizes and resources.
BugCrowd promises that researchers earn 100% of any successful bounties, making it an attractive platform from the bounty-hunter’s perspective. In return, researchers are held to a high standard of performance. Hunters must maintain an acceptance rate for submitted issues above 50% to remain on the platform. This discourages frivolous bounty submissions, but researchers are also considered inactive if they do not make a submission for 90 days, meaning the platform has high standards of both accuracy and activity.
BugCrowd has raised a total of $48.7 million in a series of seed and venture capital rounds – the most recent being a Series C funding round raising $26 million in March 2018.
1. HackerOne
This has been the largest bug bounty platform for several years. The platform boasts the largest number of registered ethical hackers – over 166,000 as of 2017. Most of the biggest names online – those who don’t exclusively operate their own bug bounty program – use HackerOne, including WordPress, Twitter, and Uber, among others. The US government’s Hack the Pentagon security events use the HackerOne platform, and several of the EU’s FOSSA open-source bug bounties are handled by HackerOne.
HackerOne is often cited as the platform leading the way in the new phenomenon of ‘bounty-hunting as a career’. It’s true that bounty platforms can make it a lot easier for hunters to find bounties and get paid, but competition in the field is growing.
HackerOne has raised a total of $74 million in three venture capital rounds. The most recent – a Series C round in February 2017 – raised $40 million.
Making enough to live on from bug bounties can be a struggle for any hunter without the reputation to be invited to private programs. A January 2019 blog by Trail of Bits wrote that this may not be the best system for companies to use either, saying “It’s nice to think that you have 300,000 sets of eyes scrutinizing your code, but this number includes zombie accounts and people who never find a single bug…in reality, only an elite few are getting the work done and cashing in.”
As valuable as they can be for businesses, it’s important to remember that bug bounties are far from the last word in security. In 2017, Apple’s attempt to launch an iOS bounty program faltered, as many researchers saw iOS vulnerabilities as ‘too valuable’ to disclose. Hackers who find a bug always have the choice of selling it to the company as a found bug, or to criminals as an exploit.
The bug bounty system can be abused from the other side as well. Uber infamously paid a hacker $100,000 in 2016 in an attempt to avoid disclosing a huge data breach, with the payout disguised as a bug bounty at the time.
Despite all the caveats, the right bounty program hosted on the right platform can be a great asset when used alongside a well-designed general security policy. Even if some of the bounty platforms say otherwise, bug bounties should only be considered one layer of a multi-layered approach to security testing.