Online Tools For Bug Disclosure Abound

Published: 22/11/2024   Category: security




What's driving the bounty of software vulnerability disclosure offerings today from Bugcrowd, HackerOne, and Synack.



PayPal was one of the pioneers of internal bug bounty programs. But like other companies that have led the curve with in-house programs that pay researchers a fee for finding valid vulnerabilities in their software, the digital payment firm found that running such a program is no easy feat.
"It's very difficult to have enough resources internally to manage the program and match wits with researchers out in the world," says Gus Anagnos, who developed and ran PayPal's two-year-old internal bug bounty program.
Fielding bug submissions as they come in and budgeting for the payments to researchers is challenging. "It's also very difficult to manage researchers and the expectations they have in payment and time to fix," says Anagnos, who left PayPal this year to become vice president of strategy and operations at Synack, a startup offering a vulnerability disclosure program and other security services.
"The reason I joined Synack is that I noticed, even though there's a tremendous amount of value in having bug bounty programs, it's still very difficult to run them internally," he says. "I left PayPal to come to Synack to take a great bug bounty model and create a new model more than the traditional bug bounty program, and to address items that in-house programs have a hard time addressing."
Synack, like newcomers Bugcrowd and HackerOne, offers companies an online platform for coordinating vulnerability disclosure, a process that traditionally has been conducted via email correspondence. The company hires out a small group of hand-picked outside researchers who provide its vulnerability discovery service.
Anagnos says Synack technically is neither a middleman nor a bug bounty service. "We provide a technology platform that automates the process that vetted and trusted security professionals use to find vulnerabilities that only humans can find," he says.
Its outside research team spans 21 countries and consists of members whose day jobs are in academia, government, Google, Facebook, and PayPal.
The social media firm Tagged.com initially launched its own bug bounty program in-house, but it soon began to overwhelm the company's IT staff. "We started receiving bug bounty submissions, and our help desk spent the majority of time validating bugs, which in essence wasn't scalable," says Boris Sverdlik, who worked on the program. Sverdlik is now head of infrastructure security for the digital branding software firm TubeMogul.
"Some researchers were trying to get paid on every hit on our [Tagged.com] API," he recalls. So Tagged solicited Bugcrowd's online bug bounty services to get a grip on the disclosures it was fielding. "Bugcrowd maintains a do not test list… We worked with them to go through the list and block what we don't want to see, and that increased the efficiency of my group. And we were able to offload the validation and auditing."
Vulnerability disclosure has gone through a major transformation over the past five years. For a long time, researchers got either a shout-out or shouted at for their discoveries -- if a vendor even responded at all. Many were threatened with legal action.
The game changer that made bug bounties more of a mainstream phenomenon came last year, when Microsoft, one of the biggest bug bounty holdouts among software vendors, finally threw its hat in the ring with a bugs-for-bucks program of its own. Katie Moussouris, then senior security strategist at Microsoft, spearheaded the move, joining Facebook, Google, Mozilla, and PayPal, which preceded Microsoft with programs of their own.
Moussouris left Microsoft in May of this year for HackerOne, a startup that spun off a bug bounty project initially funded in part by Microsoft and Facebook. She's now chief policy officer and works alongside former Facebook director of security Alex Rice, who is now CTO of HackerOne. The startup's free online platform automates the vulnerability disclosure process between the researchers who find the bugs and the affected software vendors and websites. HackerOne charges a 20% service charge when a bounty payment is transacted.
"I'm thrilled there is an industry now for vulnerability disclosure," Moussouris says. "Where the bad guy would find a vulnerability before an organization fixed it, you can now tap into a worldwide pool of security researchers. It's been a very powerful thing."
Microsoft and other firms have data showing a tapering off of software flaws after the initial spike when the programs begin, she says. "We've seen this with a number of our customers at HackerOne."
"The biggest misconception is that a vulnerability disclosure program should automatically include a bounty program from the get-go." However, starting with a bounty as part of the program is not the best idea for everyone, she says. "Starting a bounty from the onset may seem like a cool and trendy idea, but if you're not solid in what you're going to do with that process, you're going to have a bad experience."
Firms with a limited software portfolio find it more straightforward to have the bounty rolled in right away, according to Moussouris, but that's not the case for firms with larger software sets.
For researchers, the new model of online community and for-hire vulnerability disclosure is much less painful -- and often much more lucrative than in the old days. It wasn't long ago that a security researcher could get sued for reporting a vulnerability to a vendor or online business. "It used to be really scary," says one of Bugcrowd's most prolific bug-finders, a researcher who hunts for bugs after his day job at a software firm and asked that his name not be published. "Now we won't get sued."
Bugcrowd is a crowdsourced site that also helps organizations set up bug bounty programs online. It offers a free vulnerability disclosure platform called Crowdcontrol, where researchers submit their vulnerability finds to the affected site or software vendor, and those discoveries get vetted.
Casey Ellis, co-founder and CEO of Bugcrowd, says the firm charges a fee for any bug bounty payment transactions. "They can use the platform itself and the triage team we have in-house for free."
