The not-for-profit bug bounty platform Open Bug Bounty recently announced that its number of recorded bug bounties had reached 100,000 and that it had completed the revision of its internal process to comply with the ISO 29147 standard.
Open Bug Bounty consists of a team of fewer than 10 researchers from various countries with backgrounds in IT, cyber-security and law, who work to verify vulnerabilities, promptly notify website owners of the flaws and make the Web a safer place for everyone's benefit, according to Techworm.
The programme allows any security researcher to report a vulnerability on any website as long as the vulnerability is discovered without using intrusive testing techniques and follows responsible disclosure guidelines.
The group is not looking to make a profit from the vulnerabilities it reports and aims only to improve the safety of the web.
“We are not looking for glory or profit,” a spokesperson for the team told the publication. “Joyful tweets from the community is the best award we may have.”
High-Tech Bridge chief executive officer Ilia Kolochenko applauded the platform's success and said the programme fills the niche for good-faith researchers and SMEs or NGOs that lack resources to buy penetration testing services or run their own full-scale bounty programme.
“One should, however, keep in mind that any crowd security testing can never substitute a mature application security programme, with SDLC, DevSecOps and continuous security monitoring,” Kolochenko said. “Auxiliary technologies, such as web application firewalls, should also be implemented and maintained to enable proactive security.”
The group invites security researchers to join if they also want to help keep the web a safer place.