Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Tuesday April 07 2020, @07:29AM   Printer-friendly
from the shush-your-mouth dept.

Arthur T Knackerbracket has found the following story:

Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO's investigation shows that the bug bounty platforms have turned bug reporting and disclosure on its head, what multiple expert sources, including HackerOne's former chief policy officer, Katie Moussouris, call a "perversion."

Silence is the commodity the market appears to be demanding, and the bug bounty platforms have pivoted to sell what willing buyers want to pay for.

"Bug bounties are best when transparent and open. The more you try to close them down and place NDAs on them, the less effective they are, the more they become about marketing rather than security," Robert Graham of Errata Security tells CSO.

Leitschuh, the Zoom bug finder, agrees. "This is part of the problem with the bug bounty platforms as they are right now. They aren't holding companies to a 90-day disclosure deadline," he says. "A lot of these programs are structured on this idea of non-disclosure. What I end up feeling like is that they are trying to buy researcher silence."


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by looorg on Tuesday April 07 2020, @10:30AM

    by looorg (578) on Tuesday April 07 2020, @10:30AM (#979932)

    This is not really a surprise is it? That they pay for the bughunters not to say anything. After all that is cheaper then the class action lawsuit due to their massive software failures. That said I do wonder if this, the bug bounties, and competitions like pwn2own etc are not also some kind of catch mechanics. Bugs might be found but they don't get disclosed until the bounty is worth it, as in they find them but hold on to them until they are actually worth something or they believe that the risk is to great that someone else will have found it to.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2