Blog Banner


Participating in bug bounties is a very popular way for hackers to contribute to an organizations’ security and earn a few bucks off it. Organizations announce bounty programs to invite hackers to test and hack their online assets, this helps in the improvement of their systems through a crowdsourced model.

Ever thought of securing open-source software? Is it worth it? Let us understand it through this blog!

Contents

Bug bounty & Open Source

Bug bounty hunting is a popular way of securing websites, mobile applications, and other assets. It’s a great way to get real-world experience by hacking into applications of huge companies, millions of users rely upon the applications we can secure through participating in bug bounties.

It’s no secret that people love open-source, organizations do too and open-source bug bounty is overlooked a lot of times. We all rely upon different open-source projects such as packages for our private programs, tools and scripts, frameworks, and other different kinds of software.

Organizations use open-source cause it provides cost-effective solutions. It’s easier and with the modern agile development practices, developers aim towards shortening the software release cycle.

Is Open Source Reliable?

Open-source is reliable because of the flexibility, speed, cost-effectiveness, and some other advantages. The problem is that open-source security is often overlooked. People are looking for bugs and reporting to the maintainers but there isn’t usually a formal procedure to maintain such security reports. Security testing is often ignored in the development stages just for releasing the software early or due to lack of resources.

Security in open-source packages and projects needs more attention, many organizations and millions of people use such software with no knowledge of any potential security vulnerabilities in the software they’re using.

How to start with open source bug bounty?

There are multiple ways of securing and contributing to the security of open-source projects.

  • Security Policy: There are repositories of open-source software where you can find SECURITY.md that is usually there for security researchers. It contains the information you need to disclose any security vulnerabilities found in the software.
    Example - https://github.com/TryGhost/Ghost/blob/main/SECURITY.md

  • HackerOne: Some famous open-source projects have bug bounty programs on Hackerone, some examples are Django, Discourse, Brave, etc.

Bounties rewards on disclosing vulnerabilities to open-source projects are fair on HackerOne, and it depends upon the severity of a vulnerability. According to the HackerOne statistics of “Ruby on Rails”, a total of 36,250 USD has been paid to the hackers as of now.

ror-stats

HackerOne is just one platform but there are many other ways of disclosing vulnerabilities found in an open-source project. One of the other ways is huntr.dev

  • Huntr.dev: Huntr.dev is a great way of contributing to open-source from a security aspect. Let’s understand how it works:

What is huntr.dev?

Huntr.dev is a great company that offers money for finding and fixing security vulnerabilities in an open source project.

The best part of huntr is that they accept reports of literally any open-source project out there! The scope is limitless!

Limitless Scope

Security through huntr.dev has 2 stages, disclosure and fixing.

Stage 1: A hacker finds a vulnerability in a project such as npm or Python package then discloses it through the disclosure form here - https://www.huntr.dev/bounties/disclose

The disclosure is made public for anyone to read here - https://www.huntr.dev/bounties

Example:

https://www.huntr.dev/bounties/1-npm-@carbon/charts-angular

Stage 2: A person reads a vulnerability report and finds a fix to it then creates a pull request, we have an option to create a PR through the get started menu.

Get Started Menu

Now the question arises that do we get paid for disclosing or fixing?

Yes! Huntr.dev pays $40 for a disclosure and $40 for a fix. For some people, it might not be enough but huntr has limitless scope, they pay for every accepted/merged fix regardless of what project you’re securing.

For open-source developers, it’s hard to maintain free software and also reward hackers for finding bugs, huntr to the rescue!

According to huntr, 90% of their users got their first CVE! Getting a CVE is quite an achievement and I believe the huntr community and their platform is good for anyone looking forward to their first open-source contribution in terms of security. It also gives us a great experience of code review and finding creative solutions to a problem.

I highly suggest bug bounty hunters to become a huntr and give this platform a try ;)

Conclusion

Open-source software is dominating various industries. The open-source world also has many chains of different projects linked together into various kinds of software that are providing value on a whole new level. Open-source security is a need of the hour. We can responsibly act upon reviewing and securing important software and make it better for millions of people and organizations.

It also serves as a guide to learning code reviewing and getting indulged with the great developer/hacker community.


I hope you enjoyed this blog and are excited to contribute to the security of open-source software! Feel free to message me on my socials for feedback/suggestions. Contact Me

Thank you for reading!

Back to Top