[EN] What Is Bug Bounty?

What is Bug Bounty?

A bug bounty program is a cyber security program initiated by institutions or organizations to have their software tested and fixed. People who test for vulnerabilities and report them are called bug hunters, and they are rewarded for their contribution. Although it is not common in Turkey, in other countries many institutions and organizations run their own bug bounty program. There are two kinds of bug bounty program: private, in which only certain invited people are allowed to test, and public, in which everyone is welcome to test.

Why Bug Bounty?

– First, let’s look at the companies’ point of view. The main reason why companies initiate bug bounty programs is the “much work, less cost” policy. With a bug bounty program, the system gets tested by hundreds of people, and the company uses fewer resources compared to collaborating with a security firm.

– Now let’s answer the question from the cyber security researchers’ point of view. Across the globe, thousands of people take part in bug bounty programs and report the bugs they find. As a result, many of them get paid in cash, while some get rewarded with t-shirts, stickers, bags, etc. While bug bounty programs provide income for their testers, they also allow testers to develop their skills in a legal way. The last part is particularly important, because pentesting a site without permission is considered a crime around the globe. Cyber security researchers also get to test their skills under natural, real-world conditions.

What are the Most Preferred Bug Bounty Platforms?

– HackerOne

– BugCrowd

– Intigriti

– Cobalt

– Synack

What are the states of a Bug Bounty Report?

– Pre-Submission: When your report is flagged as “pre-submission”, your report gets revised by an employee of the bug bounty platform before it gets sent to the company.

– New: If your report hasn’t been read, it shows as “new”.

– Triaged: It means that the report has been read but the problem is yet to be resolved.

– Re-Testing: Sometimes when the bug is fixed, the company might ask you to test again. In that case your report shows as “re-testing”.

– Need More Info: When your report is insufficient, it shows as “need more info”. The missing part of your report must be identified by security professionals.

– Resolved: Your report is understandable and the problem has been solved.

– Informative: If your report contains useful information but the issue doesn’t pose a risk, it shows as “informative”.

– Duplicate: It means that someone has already submitted that particular bug that you reported.

– Not-Applicable: When your bug doesn’t pose a threat or is out of the scope of the program, it shows as “not-applicable”.

Bug Hunters to follow:

– @fransrosen

– @avlidienbrunn

– @thedawgyg

– @smiegles

– @jobertabma

– @stokfredrik

– @gerben_javado

– @NahamSec

– @emgeekboy

– @EdOverFlow

– @NathOnSecurity
