OBB: increasing quality and value
Posted: Sun Jul 23, 2017 8:24 pm
Hi Folks,
So far, you have helped fix over 40k vulnerabilities - an impressive and outstanding number you should deservedly be proud of!
Not many commercial crowd security testing platforms have brought the same value to website owners as our community. In order to preserve the integrity of our community and our values, we believe now is a reasonable and appropriate time for the following amelioration and enhancement of our vulnerability disclosure process:
1) Full Disclosure is removed from the platform. It has become highly unpopular among our community (less than 1% of submissions) and we believe that it is not required anymore.
2) Open Bug Bounty submissions can now be disclosed publicly 90 days after submission, to give a website owner all reasonable possibilities to patch the vulnerability without putting its users at any risk. If the vulnerability is patched, this period is reduced to 30 days. This will be retroactively applied to all current vulnerabilities (please don't be surprised, and be patient, if these changes have not occurred yet). By following these rigorous and highly responsible timelines, we will guarantee full fairness and high ethics of the vulnerability disclosure process.
3) Prizes and medals will now be delivered for coordinated disclosure and for various technical achievements (e.g. an interesting WAF bypass technique). We primarily want to encourage quality of submissions, not quantity. All previous statistics and numbers involving quantity will remain unchanged in your profiles.
4) We also improved and enhanced our default notification system to make sure that website owners will get the notification in a reliable and timely manner.
5) Minor design and text revisions everywhere on the website, some of which are still in progress. Please report any bugs here.
Please also have a look at the new description of the project - https://www.openbugbounty.org/open-bug-bounty/ - and let us know if you think there is something else that can be improved - your opinion is important to us!
Together we make the Internet safer, and we shall continue doing so.