Brief Recap of Open Bug Bounty’s Record Growth in 2019

Dear Researchers and Website Owners,

First of all, we wish you a Happy and Secure New Year 2020:

With almost half-a-million vulnerability reports today, we are happy to present you a brief recap of our relentless and steady growth in 2019 attained with your valuable support and contribution that we greatly appreciate:

  • 203,449 security vulnerabilities were reported in total (500 per day), being a 32% yearly grow

  • 101,931 vulnerabilities were fixed by website owners, likewise showing a 30% growth compared to the previous year

  • 5,832 new security researchers joined the community, making the total number of researchers and security experts 13,532

  • 383 new bug bounty programs were created by website owners, now offering 657 programs in total with over 1342 websites to test

Best security researchers and top-rated Bug Bounty programs are available on the main page of our website, where we recently refreshed the design.

In 2020, we plan to introduce new features requested by the researchers and website owners to further improve their experience, accelerate smooth communications and reduce vulnerability remediation time.

New DevSecOps vulnerability data export options are also coming soon to facilitate crowd security testing integration with corporate CI/CD and DevSecOps strategy.

We are receiving a considerable number of incoming proposals from commercial companies to support the project, or even to merge with their own solutions and platforms. We may consider one or even several partnerships in 2020 to ensure even a faster development of our project, however, the Open Bug Bounty will always remain open, community-driven and free.

Please don’t hesitate to promote our project among you contacts and on social networks!

Thank you for making Web a safer place with us!

Open Bug Bounty pursues a steady growth in 2019 with over 212,148 fixed vulnerabilities

Hi Folks,

Some inspiring statistics [January – June 2019] of our community for your attention:

Submissions:

  • Notable reports for Apple, Amazon, Airbnb, Asus, BBC, MIT and 98 more from Alexa Top 1000
  • 92,598 new vulnerability reports amid which 47,812 are already fixed (51.6%)
  • Average time to fix is 53 days
  • Most rapid fix is 12 minutes

Researchers:

  • 931 new security researchers joined our community
  • 311 researchers were recommended by website owners

Bug Bounties:

  • 516 remunerated bug bounties started with 1022 websites in total

Most Untrivial Gifts to the Researchers:

We are now the most rapidly growing open community committed to responsible disclosure. We continue to remain free, open and transparent.

We really make web safer, let’s continue this great journey!

Enhanced ratings for bug bounties at Open Bug Bounty

Following, a steady growth of new bug bounty programs at Open Bug Bounty (almost 500 soon!), we gladly present the following new features on the platform:

– Detailed bug bounty ratings by researchers
– Comments on bug bounty available to researchers
– Responses to the comments available to bug bounty owners

Thereby, security researchers will now be able to focus on reputable bug bounty programs committed to timely remediate reported vulnerabilities and fairly recognize efforts of the researchers.

The new features are designed to further promote and advance a frictionless and transparent dialogue between security researchers and bug bounties owners.

Please use a respectful, fact-based and improvement-oriented style for all your comments and responses!

API for bug bounty owners

Open Bug Bounty released a free API available for all bug bounty owners. You can access the API in you bug bounty management panel in “Bug Bounty Notifications” section.

The API allows instantly retrieving the data on all new submissions for your website and integrate it internally with your DevSecOps.

Please do not forget to:

(a) timely remediate and request vulnerability patch verification

(b) thank the researcher(s)!

If you want to start a bug bounty at no cost click here: https://www.openbugbounty.org/bugbounty/create/

GDPR PII exposure can now be securely reported via Open Bug Bounty

Open Bug Bounty community is growing: we have over 400 [fee free] bug bounty programs running now, and over 200,000 fixed security vulnerabilities. To facilitate further sustainable growth and to help website owners spot accidental exposure of personal data (PII) on their websites in a timely manner,  we implemented a new type of non-intrusive submission – GDPR PII Exposure.

Here is how it works:

  • Researches who find an unprotected document (e.g. PDF, MS Office document, HTML page, etc) with personal data (PII) can now report this to the website owner in a reliable and discreet manner.
  • Website owners will be able to promptly remove or anonymize the data if the published PII is in a potential violation of GDPR requirements.
  • Open Bug Bounty will not process or store any PII, and will only require anonymized sample of data for submission verification purposes.

Please carefully read the guidelines and make sure you will deliver value and support to the website owners when submitting such entries. Website owners are welcome to update their bug bounty programs, as usual and as always at no cost – we remain a free and non-profit project.

Among other upcoming improvements and updates:

  • new badges for the best bloggers – you can share your researcher experience in our blog
  • a free API for bug bounty owners (to quickly fetch vulnerabilities reported on their websites)
  • a possibility to edit unapproved reports for security researchers
  • our website speed tuning by adding new caching system

Thank you for your support and stay tuned!

Launching Open Bug Bounty Blog and new platform features

Hey Folks,

Following our ongoing success, please welcome:

1) Open Bug Bounty blog available for security researchers to share their bug hunting experience, discuss new web application attacks and provide website hardening guidelines for website owners.

Please read the rules before posting: Blog Posting Rules

Best blogs will be highlighted and promoted in our social networks, badges for top bloggers are also coming.

2) Website owners and security researchers can now comment their submissions (login required) to privately share vulnerability details, provide faster remediation and agree on bounty (if any). These comments will be visible only to them.

3) Website owners can now request patch verification at any time to change submission status to “fixed”.

This is a first major update in 2019, other major novelties are coming soon – stay tuned ;]