Bug bounty programs have become an invaluable channel for the disclosure and remediation of vulnerabilities, but like any industry, they come with their own set of problems.
Bug bounty platforms, such as those operated by HackerOne and Bugcrowd, work with individual companies to launch and manage programs through which external researchers can responsibly report vulnerabilities in software and online services.
It was once common practice for vulnerability reports to be made piecemeal, whether through a generic email address or by telephone, and some organizations would be spooked by bug reports or respond negatively.
This is still the case in some circles, where fear, a lack of concern, or a lack of education can cause a backlash. Emails sent to DK-Lok by ZDNet warning them of an unsecured server were simply sent to the trash bin (viewable as the server was open), and Coalfire researchers were arrested by US law enforcement while conducting a penetration test the court system had requested.
In addition, who could forget Missouri Governor Mike Parson, who branded a journalist a “hacker” for viewing website HTML and reporting a serious data breach impacting the state’s educators.
Official bug bounty programs can