Well, nothing new, except that I am preparing for two presentations related to bug bounties for CzechTest and Good Requirements 2013. Much harder to present than to test, but I think it's good to try public speaking and share ideas (not only keeping them for yourself). The presentations are not intended for experts in security, but are an introduction for software testers.
Another tip related to security bounties and halls of fame is to try sending anything, because good companies appreciate the effort even if you send something out of scope.
For example, in my case I have been added to the AT&T Hall of Fame and the Samsung TV Bounty (and got rewarded financially too) even though my submissions were close to, but not exactly, what they asked for.
I heard Nokia gives a smartphone for useful bugs, so you can try that too.
Again, I still promote bug bounties to testers. I think testers have the reflex to send useful security issues, even if they are not too familiar with security.
It’s still nice to be a bug hunter even if there are “colder” periods.
Lots of good testers don't have that high an income, and I think $500 per bug is worthwhile for a few hours of work in many countries.
Just because it's called "security" should not be intimidating. It's a lot about creativity and not that technical.
I wish I had known about bug bounties a few years ago, but it's not too late anyway, which is why I am sharing and promoting this idea.
In testing there are not many consultants popularizing it, for various reasons: the bug bounty idea is relatively new, well-known consultants are not that technical, the field is seen as more separate than it should be, etc.
But I think it's much better than just being part of a blame culture at your workplace, so maybe you can give it a thought.
Security testing is something usually on the edge for some testers: it's weird, looks like something totally different and seems out of reach.
But in another way all testing is like this. Sometimes you need to know the business logic of the product better. Or you need training for some areas. Or maybe you need to learn a tool. Or you need to do something you are not very familiar with.
Compared to other testing, there is an advantage to it: there are public programs that give rewards. You can try to test your skills in the area and if you are successful you get something in return.
I will list a couple of them, even if I am not totally familiar with how they operate; you can try them and tell me.
1. Google
You can check their details here http://www.google.com/about/company/rewardprogram.html
Seems quite legit and it pays decently. A possible issue here is the fact that it is a very well-known platform, and chances are that you might not be the first one to find something. On the other hand, it's a big platform so the area is large enough.
2. Facebook
Details http://www.facebook.com/whitehat/bounty/
It's very well known and again it's similar to Google's: hard to be the first one that finds something useful. They seem to reply fast to whatever you send them.
3. Mozilla
Check it here http://www.mozilla.org/security/bug-bounty.html
Again a platform that seems more trustworthy. Like Google (Chromium), most issues seem to be rewarded higher for the browser (Firefox).
4. CCBill
Details http://www.ccbill.com/developers/security/vulnerability-reward-program.php
It is currently on hold but it might be resumed. It's not a platform like the "big three" listed above so you have to check it for yourselves.
5. Secunia
http://secunia.com/community/research/svcrp/ for more info
They seem like a third-party service. You send vulnerabilities to them for validation.
6. Piwik
See here http://piwik.org/security/
It seems ok, but again, like for the other ones above you have to try it for yourselves.
7. PayPal
https://cms.paypal.com/cgi-bin/marketingweb?cmd=_render-content&content_ID=security/reporting_security_issues
This looks interesting and very legit.
8. Barracuda
Check it here http://www.barracudalabs.com/bugbounty/
You have to investigate this for yourselves.
9. Hex-Rays
See http://www.hex-rays.com/bugbounty.shtml
10. Samsung
See here https://www.samsungbugbounty.com/
I am pretty sure there are plenty more. If you know about other programs, please post them in the comments, especially if you took the reward. Some companies would probably be happy if you sent them vulnerability issues even if they don't have a program. But in this case it's quite risky, because they could accuse you of bad intentions.
So there are plenty of opportunities for white hats there. I am quite amazed myself in writing this post on how many companies I can find.
But getting the actual reward is a long way off. The best way to validate a program is by hearing from happy people who got rewarded.