Volunteer Dutch flaw finders bag $100k to forward national bug bounty goal
Huntress Labs tips some loose change into vuln-spotters' cup
The Dutch Initiative for Vulnerability Disclosure has scored $100k towards its founder's hope of a nationwide bug bounty available for anything at all.
The DIVD's $100k cash injection is from infosec outfit Huntress Labs and is part of a grand vision aimed at discouraging individual researchers from dumping vulns online, the organisation's founder Victor Gevers told The Register.
"Researchers are fed up with bug bounties because things are not in scope or duplicate or not important enough, and then they dump it on Twitter, and then we're the ones that have to run behind that," Gevers said.
You may remember Gevers as the person who discovered that the then-President Donald Trump had left his Twitter account exposed with an easily guessable password (MAGA2020!) and no multifactor authentication in place. The White House denied the reports, but Dutch investigators confirmed the findings and decided not to prosecute. After all, Gevers is a well-known white-hat hacker with over 20 years' experience.
In a blog post, Huntress said it wanted to help different types of organisations "better secure and support the 99 per cent" of companies out there that are classified as SMEs. Huntress bagged $40m in Series B funding last year.
Of DIVD's $100k, half is going towards the bug bounty programme focusing on tools used by SMEs and MSPs, and the other half on hiring full-time staff.
"We have to start somewhere, right!" the DIVD founder said. "Researchers keep finding things that are like 'oh, yeah, this is what a 15-year-old with a standard web scanner can find' at organizations that are responsible for MSPs' software certificates… it's becoming a little bit worrisome."
Similar initiatives have been knocking around for a few years, including an EU-funded one that spotted a "game over" vuln in the PuTTY SSH client in 2019. That one find alone, however, paid out $17,500: if DIVD bug bounty claimants spot three similar things, the bounty fund might run out pretty quickly.
Huntress acknowledged this, saying: "We need others to join in."
Larger crowdsourced bug bounty firms such as HackerOne, BugCrowd, and France's YesWeHack do very similar things – although those are funded by the vendors who feature on those platforms.
Speaking in more general terms about the future of DIVD, Gevers mused about launching "an independent platform, where security researchers can drop their zero days because they're fed up with a certain vendor who doesn't take care of that, or doesn't give them the right credit, or doesn't give the right urgency" towards fixing vulns.
The Dutch government has long enjoyed notoriety for its "I hacked the Dutch government and all I got was this lousy T-shirt" swag (which, in fairness, is delivered with a letter confirming what it was awarded for, so the T-shirt is technically incorrect).
Gevers reckoned this sort of thing is a neat starting point that runs in parallel with police-backed youth criminality diversion schemes, much as first-time cyber naughtiness gets British teens sent to programmes intended to set them on the path to a meaningful career instead of prison.
Yet a proper diversion scheme, one that keeps younger folk from dumping proof-of-concepts online and from other nefarious activities, requires money, concluded the DIVD chief.
The other thing with bug bounties is that while occasionally there are big payouts, you won't be making a living off it for very long. ®