HackerOne has expanded the Internet Bug Bounty project to bolster overall open source security.
Open source projects, ran by individuals and teams of developers worldwide, are relied upon by everything from enterprise players to SMBs.
Open source components are stored and shared publicly, and can range from full operating systems to libraries, educational tools, and server software, among many other functions.
In a recent survey, the Linux Foundation and edX found that the demand for open source programmers and experts continues to climb, but 92% of managers are facing challenges when it comes to finding the talent required to fill current job postings.
With a shortage already in place, and many open source projects fuelled by developers who are not being paid for their efforts, sometimes, security issues can slip through the net. In 2020, GitHub research suggested that on average, it can take up to four years to discover open source vulnerabilties — 83% of which are caused by mistakes and human error.
As a result, the code repository said there are “clear opportunities to improve vulnerability detection” in the open source space.
It’s not just about detection, however; vulnerability fixes need to be developed and safely applied, too.
This is where the Internet Bug Bounty (IBB) project comes in. Now managed by HackerOne, IBB is described as a project to “pool funding and incentivize security researchers to report vulnerabilities within open source software.”
A new funding model has now been introduced, with participating patterns including Elastic, TikTok, Shopify, and Facebook.
There are three major changes: HackerOne clients will now be given the option to pool between 1% and 10% of their existing spend to the open source project — of which they may be using components in scope — and bounties will now be divided between hackers and maintainers with an 80/20 split.
“Since open source software maintainers volunteer to help remediate vulnerabilities that are discovered, the bounty split ensures payment for every stakeholder that contributes to vulnerability management,” HackerOne says.
The third change is a streamlined procedure for vulnerability report submission.
Since its launch in 2013, over 1,000 vulnerabilities have been reported, with close to 300 bug bounty hunters earning financial awards totaling approximately $900,000.
Projects currently in scope include Ruby, Node.js, Python, Django, and Curl, with more options set to be opened in the future.
“Recent cyberattacks against software supply chains demonstrate the urgency of securing these organizational blind spots. And open source software represents a growing portion of the world’s critical supply chain attack surfaces,” said Alex Rice, CTO and co-founder of HackerOne. “The new IBB empowers organizations that are beneficiaries of open source to play an active role in collectively building a more secure digital infrastructure for everyone.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0