Bug Bounty Programs Are Being Used to Buy Silence
2020-04-03 11:21

Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny.

CSO's investigation shows that the bug bounty platforms have turned bug reporting and disclosure on their head, something multiple expert sources, including HackerOne's former chief policy officer, Katie Moussouris, call a "perversion."

Silence is the commodity the market appears to be demanding, and the bug bounty platforms have pivoted to sell what willing buyers want to pay for.

The bug bounty platforms' NDAs prohibit even mentioning the existence of a private bug bounty.

The carrot for researcher silence is the money - bounties can range from a few hundred to tens of thousands of dollars - but the stick to enforce silence is "safe harbor," an organization's public promise not to sue or criminally prosecute a security researcher who attempts to report a bug in good faith.

News URL

https://www.schneier.com/blog/archives/2020/04/bug_bounty_prog.html