Tag: Bug Bounty

The Vulnerability Disclosure Process: Still Broken

Vulnerability disclosure has long been the third rail in the relationship between researcher and vendor. While bug-bounty programs have been a step in the right direction, friction still exists for a meaningful percentage of vendors and researchers.

“The relationship between vulnerability researcher and vendor in the context of disclosure is broken,” said Casey Ellis, chairman, founder and CTO of bug-bounty platform Bugcrowd. “If you look at the entire ecosystem of companies and researchers – especially outside the scope of a bounty program – it still needs to be fixed.”

Read more about why, despite the advent of bug bounty programs and enlightened vendors, researchers still complain of abuse, threats and lawsuits, on Threatpost.

Google Paid Out Nearly $3 Million to Security Researchers in 2017

Tech giant Google paid out almost $3 million to security researchers in 2017 as rewards for the vulnerabilities they found in its products and services. Around $1.1 million each went to bug reports specific to Google products and to Android, while Chrome awards accounted for the rest of the Vulnerability Reward Program payouts.

Read about the Google Bug Bounty payouts on eWeek.

Small Businesses Are Going to Need Bug Bounties to Combat Cyber Attacks

Read why George Diab says that even small and medium businesses are going to need bug bounty programs to combat cyber threats on Tech:

The likelihood of cyber attacks on small businesses is actually higher than the constant and varied cyber intrusions being reported worldwide. The New York Times reports that 62 percent of all such attacks are on SMBs, at a rate of about 4,000 per day.

Read his full article here.

Worried about attacks? Maybe you’re not getting hacked enough, report finds

Hackers gonna hack, but that doesn’t mean we need to hand them the keys. While no code or system connected to the internet can ever claim to be impervious to attack, one of the best ways to secure code may actually be to invite hackers in: the right kind of hacker.

Read about the new report by HackerOne, which reveals that bug bounty programs are successful yet a large number of organisations still don't use them, on TechRepublic.

How hackers became a new breed of bounty hunters in cybersecurity

Shortly after Christmas, 2011, Ruby Nealon sold the Nintendo Wii games console his mother had bought him to fund an Open University course in computer software. He was 11 and it was the start of his unconventional education as a computer prodigy, which led him to drop out of school and start a full time degree at 14.

Read how hackers have become a new breed of bounty hunters for companies on The Telegraph.

Considering a Vulnerability Disclosure Program? Recent Push Raises Questions for General Counsel

Read the lawyers' view on vulnerability disclosure programs, according to Megan L. Brown and Matthew J. Gardner on CircleID:

Several years ago, vulnerability disclosure programs, also called “bug bounty” programs, were novel and eyed with suspicion. Given sensitivities and potential liabilities, companies are wary of public disclosure and hackers seeking to exploit research.

Read their full article here.

Ethical hackers: A question of choice

Read Greg Masters' take on ethical hackers and what the future holds for them on SC Magazine.

It seemed like an anomaly in August 2016 when news broke that a group of security researchers at MedSec, a Miami-based startup cybersecurity research firm focused on the health care industry, brought their findings of a security vulnerability in a medical device not to the manufacturer, but rather to an investment firm, Muddy Waters Capital.

Read his full article here.