Vulnerability disclosure has long been the third rail in the relationship between researcher and vendor. While bug-bounty programs have been a step in the right direction, friction still exists for a meaningful percentage of vendors and researchers.
“The relationship between vulnerability researcher and vendor in the context of disclosure is broken,” said Casey Ellis, chairman, founder and CTO of bug-bounty platform Bugcrowd. “If you look at the entire ecosystem of companies and researchers – especially outside the scope of a bounty program – it still needs to be fixed.”
Read more about why, despite the advent of bug bounty programs and enlightened vendors, researchers still complain of abuse, threats and lawsuits, on Threatpost.
Tech giant Google paid out almost $3 million to security researchers in 2017 as rewards for the vulnerabilities they found in its products and services. Around $1.1 million each was paid for bug reports specific to Google and Android products while Chrome awards accounted for the rest of the Vulnerability Reward Program.
Read about the Google Bug Bounty payouts on eWeek.
Bug bounty programs have become an increasingly popular way for organizations to find and fix vulnerabilities in their software and services. Until relatively recently it was mainly the software companies and technology firms that employed the tactic.
Read/see the slideshow explaining the nine biggest bug bounty programs on Dark Reading.
Bug bounties. The idea turns some folks’ stomachs. Invite people to break into your system and steal things and then when they do reward them? Well, yeah. You want people finding these cracks and telling you about them before someone with bad intentions does.
Read about the top five reasons why every organisation should have a bug bounty program on Tech Republic.
Read why George Diab says that even small and medium businesses are going to need bug bounty programs to combat cyber threats on Tech:
The likelihood of cyber attacks on small businesses is actually higher than the constant and varied cyber intrusions being reported worldwide. The New York Times reports that 62 percent of all such attacks are on SMBs, at a rate of about 4,000 per day.
Hackers gonna hack, but that doesn’t mean we need to hand them the keys. While no code or system connected to the internet can ever claim to be impervious to attack, one of the best ways to secure code may actually be to invite hackers in: the right kind of hacker.
Read about the new report by HackerOne, which reveals that bug bounty programs are successful yet a large number of organisations don't use them, on Tech Republic.
Shortly after Christmas 2011, Ruby Nealon sold the Nintendo Wii games console his mother had bought him to fund an Open University course in computer software. He was 11, and it was the start of his unconventional education as a computer prodigy, which led him to drop out of school and start a full-time degree at 14.
Read how hackers have become a new breed of bounty hunters for companies on The Telegraph.
Read the lawyers' view on vulnerability disclosure programs, by Megan L. Brown and Matthew J. Gardner, on Circle ID:
Several years ago, vulnerability disclosure programs, also called “bug bounty” programs, were novel and eyed with suspicion. Given sensitivities and potential liabilities, companies are wary of public disclosure and hackers seeking to exploit research.
Read Greg Masters' look at ethical hackers and what the future holds for them on SC Magazine.
It seemed like an anomaly in August 2016 when news broke that a group of security researchers at MedSec, a Miami-based startup cybersecurity research firm focused on the health care industry, brought their findings of a security vulnerability in a medical device not to the manufacturer, but rather to an investment firm, Muddy Waters Capital.
Tech is no longer confined to Silicon Valley, and neither are dangerous exploits. In its early days, the Internet was more Wild Wild West than World Wide Web. It was a new and insecure frontier full of pseudonyms and scammers eager to take advantage of unsuspecting early adopters.
Read about the 8 unusual bug bounty programs by different companies on PC Mag.