One Article Review

Home - The article:
Source AlienVault Blog
Identifier 1273810
Publication date 2019-08-20 13:00:00 (viewed: 2019-08-20 16:02:26)
Title How Bug Bounty programs work
Text With cybercrime on the rise, companies are always looking for new ways to ensure they are protected. What better way to beat the hackers than to have those same hackers work FOR you? Over the past few years, corporations have turned to Bug Bounty programs as an alternative way to discover software and configuration errors that would otherwise have slipped through the cracks. These programs add another layer of defense, allowing corporations to resolve the bugs before the general public is made aware of them or harmed by them. Bug Bounty programs allow white-hat hackers and security researchers to find vulnerabilities within a corporation’s (approved) ecosystem, and provide recognition and/or a monetary reward for disclosing them. For the corporation, this is a cost-effective way to have continuous testing, and when a vulnerability is found, the monetary reward can still be significantly less than the cost of a traditional pen test. Hunter & Ready started the first known bug bounty program in 1983, adopting the motto “Get a bug if you find a bug”: anyone who found a vulnerability would receive a Volkswagen Beetle. In 1995, Netscape Communications Corporation coined the phrase ‘Bug Bounty’ when it launched a program offering rewards to anyone who could find flaws in the Netscape Navigator 2.0 Beta. The idea of a bug bounty program didn’t immediately take off. It took Google launching its program in 2010 to really kickstart the trend, but according to HackerOne, by the end of 2018 over 100,000 vulnerabilities had been submitted and $42 million had been paid out. In 2018 alone, an estimated $19 million was rewarded, which is more than all of the previous years combined.
The most frequently reported vulnerability was cross-site scripting, followed by improper authentication, which drew a high number of large payouts in the financial services and insurance sectors; information disclosure vulnerabilities round out the top three, with most of those bugs reported in the electronics and semiconductor industry. Today, about 6% of the Forbes Global 2000 companies have Bug Bounty programs, including Facebook, United Airlines, and AT&T. AT&T was the first telecommunications company to announce the launch of a program, in 2012. AT&T’s Bug Bounty program has a fairly wide scope, allowing almost any vulnerability found within its environment to be eligible for a reward. As other telecommunications companies started their programs, AT&T was used as a resource to provide insight on what works well and what doesn’t.

While there are hundreds of bug bounty programs, no two programs are exactly alike. There has been a big shift away from managing these programs internally to outsourcing them to third parties. Although these programs are most talked about in the technology industry, organizations of all sizes and industries have started Bug Bounty programs, including political entities. Both the European Union and the US Department of Defense have launched programs in recent years. The EU launched its program in January 2019, inviting ethical hackers to find vulnerabilities in 15 open source projects that the EU institutions rely on, providing a 20% bonus if the hacker
Sent Yes
Tags Vulnerability


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken up from a previous one.