Tag: Bug Bounty

  • The Steady Rise of Bounty Programs, and the Counterpart

    [This was originally published on RiskBasedSecurity.com.] Companies that seven years ago said they would not pay for vulnerability information have been steadily expanding their programs to pay for more and more of it, and recently made Edge bounties permanent. Service-oriented companies like Uber, which rely on a significant amount of user interaction and transactions via mobile apps, also utilize…

  • NTIA, Bug Bounty Programs, and Good Intentions

    [This was originally published on the OSVDB blog.] [Note: This blog had been sitting as a 99% completed draft since early September. I lost track of time and forgot to finish it off then. Since this is still a relevant topic, I am publishing now despite it not being quite as timely in the context…

  • Rebuttal: Missing the Value of Bug Bounties

    [This was originally published on attrition.org. This is a rebuttal piece to Is There a Maturity Link Between Software Security Assurance, Bug Bounty Programs? (2010-12-16) by @wh1t3rabbit (Rafal Los).] So what you have to ask yourself as an organization is this: Is the money we’re offering as a bug bounty higher in worth than what the black-market is…

  • Matousec’s Vulnerability Value

    [This was originally published on the OSVDB blog.] Since the debate about pay-for-disclosure started, some folks have wondered what vulnerabilities are worth. We’ve seen companies like Verisign/iDefense and Tipping Point/ZDI offer serious money for vulnerabilities in the past. Adding to the mix, matousec.com has published a purchase page with prices of some of their vulnerability…

  • Vulnerability Purchasing

    [This was originally published on the OSVDB blog.] Several years ago, iDefense started purchasing vulnerabilities from freelance researchers, and created its Vulnerability Contributor Program. Find a vulnerability, disclose it to iDefense under mutual NDA, and they would act as a mediator between you and the vendor for disclosure. After a patch was available, iDefense releases…

  • Zero Day Vulnerabilities – Sell Your Soul?

    [This was originally published on the OSVDB blog.] There have been several Vulnerability Sharing Clubs (VSC) in the past including iDefense, Immunity and others. For those who question this business model, consider Verisign just purchased iDefense for US $40 million. Still not a believer? Consider 3Com/TippingPoint is now offering a new VSC called the Zero…