Open-source software (OSS) adoption has increased dramatically over recent years due to its flexibility and cost-cutting benefits, but whether OSS is completely safe is often controversial. Due to its open and collaborative nature, this type of software presents unique advantages and security challenges.

In this article, we will explore both sides of OSS security: its notable advantages and potential drawbacks. We will examine real-life examples of security problems faced by OSS projects and the proactive measures being implemented to enhance their protection. By considering both sides, our objective is to give developers and Linux administrators a more holistic understanding of the risks and rewards associated with Open Source. Let's begin by examining some advantages and challenges of adopting OSS.

Overview & History of Open-Source Security

Open source software (OSS) has long been an essential element of the digital ecosystem, providing transparency and collaborative development to enhance software quality and security. Open Source has its roots in computing history: in 1985 Richard Stallman established the Free Software Foundation, followed by the creation of the GNU General Public License. Transparency of source code permits thorough security audits by the global community, speeding up the identification and resolution of vulnerabilities compared with closed-source models. Community involvement has increased the adoption of OSS solutions within enterprise environments.

Security has always been at the core of open-source software adoption. By permitting anyone to inspect, modify, and improve source code directly, open-source projects draw on global developer communities as an invaluable resource to quickly detect bugs and vulnerabilities in their source code. Open auditing increases the trustworthiness and effectiveness of the security measures employed by widely used software such as OpenSSL, Linux, and the Apache HTTP Server.
Open Source also facilitates faster responses to security threats, as evidenced by prompt patches and updates in response to exploits. This proactive approach starkly contrasts with proprietary software, where vulnerabilities often remain concealed for far longer. Furthermore, Open Source provides an effective defense strategy against security risks by harnessing its user base's collective knowledge to build robust and resilient systems.

Pros of Open-Source Software (OSS)

Open Source Software (OSS) offers numerous advantages, making it a popular choice among developers and users. By adhering to principles like transparency, community participation, and adaptability, OSS creates an environment where software can become more secure, resilient, and tailored precisely to its diverse user base.

Pro: Anyone May Access and Implement This Code

One of the key advantages of open source software (OSS) is its readily accessible source code, which anyone can inspect. While this allows potential hackers to examine it for vulnerabilities, the same transparency enables engineers and developers worldwide to identify and address those vulnerabilities swiftly. Hackers often discover vulnerabilities before a company's own engineers do; conversely, many eyes on open-source software often expedite the detection of security flaws. Community-driven monitoring ensures that vulnerabilities are patched quickly. Companies like Mozilla have taken full advantage of this by opening up their source code to community scrutiny.

Linus's Law states, "Given enough eyeballs, all bugs are shallow." This illustrates one key security advantage of open-source software (OSS): openness and transparency allow a large community of developers and users to quickly analyze code, identify vulnerabilities, and provide patches more rapidly than proprietary systems.
This collective review process further enhances the security posture of OSS, as bugs are usually caught and fixed faster than bugs in proprietary code. It helps protect widely used projects like Linux, Apache, and OpenSSL from exploits.

Closed-source software takes a "security by obscurity" approach that relies on concealing its source code from public view, in the belief that keeping it hidden prevents vulnerabilities from being discovered by malicious actors. However, this method relies heavily on internal teams identifying and patching issues, leaving software exposed and vulnerable. While security by obscurity provides some level of defense through concealment, critics have frequently noted that it gives a false sense of security without the community validation that is vital to open source projects' resilience.

Pro: Community Participation and Collaboration

Open-source software thrives within a collaborative ecosystem where users can provide feedback on fixes, improvements, and new features, an aspect of software development unparalleled in proprietary systems. Mozilla Firefox, an open-source web browser, derives excellent value from its community. Users are encouraged to report bugs, suggest new features, or contribute code directly. Such collaboration helps develop more secure software, as users are incentivized to keep it as safe and functional as possible.

Pro: Transparency Protects from Malicious Code Hidden Within Frameworks

Another significant advantage of open source software (OSS) is that it makes it hard to hide malicious code within software applications. Since all code is readily available for inspection, harmful elements are unlikely to go undetected and cause harm. With proprietary software, companies have been caught misusing user data. For instance, Google was recently exposed for collecting Chrome browsing data even when Incognito mode was active.
Such practices are difficult to hide in open-source software, making it more trustworthy. Furthermore, its transparency ensures users understand exactly what their software does, while experts can audit its code for any potentially illicit activity.

Pro: Forking Is Used to Rescue Abandoned Projects

Software abandonment is a perennial problem. Developers may stop updating and maintaining their programs for various reasons. With Open Source, "forking" comes to the rescue: taking an existing project and altering it in some way to create new opportunities. LibreOffice was forked from OpenOffice and continues to thrive today. Forking ensures that even if a project's original developers abandon it, its community can maintain and improve it while addressing security vulnerabilities.

Pro: Independent of Any One Company

OSS does not depend on a single entity. In contrast, proprietary software relies on one organization, and users who stop receiving support may find themselves without options. With Open Source, even if its original creators abandon a project, the community can take over and continue developing it. LineageOS is an operating system that extends the lifespan of Android devices by offering security updates even after the manufacturer has discontinued support, assuring users that they continue to receive security patches and updates.

Cons of Open-Source Software

Open Source Software (OSS) offers many advantages, yet it can also have drawbacks that threaten its sustainability and security. Limited resources and community support may hinder the consistency and reliability of OSS compared to proprietary alternatives.

Con: Limited Resources

While open-source communities are vibrant and vital, many operate with limited resources. Many developers and maintainers work for free out of passion rather than profit.
Research indicates that 60% of OSS creators and maintainers are unpaid, and many have considered quitting due to financial pressures. Limited funding can negatively impact security updates: without adequate resources, open-source software cannot be maintained and secured on a par with proprietary products from well-funded corporations.

Con: Risk of Abandonment

Though forking provides an escape hatch, project abandonment remains a real danger. Not all open-source projects can attract a community capable of revitalizing or maintaining them. Smaller projects, in particular, may become obsolete if their original developers lose the interest or time to support them. Abandonment can leave security vulnerabilities unpatched, creating a considerable threat for users who rely on these smaller open-source projects.

Con: Dependence on Community for Security

OSS security relies heavily on community engagement. While larger communities can help identify and address security issues more quickly, smaller projects or those with less appeal might not receive as much attention, leaving potential vulnerabilities unchecked and the software open to attack.

Examples of Security Concerns in Open-Source Software

Although open-source security offers many advantages, it still has vulnerabilities that should be managed carefully. Perhaps most infamously, the Heartbleed bug in the OpenSSL cryptographic library affected millions of systems worldwide for two years before its discovery. Shellshock, a series of security bugs in the Unix Bash shell, also revealed the risks associated with open-source software. Both incidents highlighted how vulnerabilities exist despite the software's open nature.

The Critical Role of Responsible Management in Open-Source Security

The secure management of open-source projects is crucial for Linux admins and developers. Proactive strategies help reduce the risks associated with known vulnerabilities or exploits in OSS.
One essential practice is regularly reviewing and applying security patches and updates. Open-source projects benefit from global community vigilance, and updates for vulnerabilities typically become available quickly. Still, timely implementation of patches is vital to ensure systems do not remain exposed to attacks that lead to compromise. Automation tools such as Ansible or Puppet can make this process faster and provide consistent and efficient deployment of security updates across multiple systems.

Regular security audits and vulnerability assessments using tools like OpenVAS or Nessus are also vital to keeping systems secure. They can assist in rapidly detecting vulnerabilities that exist within your systems. Another crucial best practice involves employing role-based access control (RBAC) and adhering to the principle of least privilege (PoLP) to limit access to critical components and data. Proper configuration management and an inventory of all open-source components within your environment are key to providing oversight and quickly responding to emerging security threats. You can increase the security posture and resilience of open-source infrastructure by embedding these practices into daily operations.

Measures & Initiatives Being Taken to Increase Open-Source Software Security

Several measures have been implemented to strengthen open-source software security. One such measure is regular security audits, conducted by experts to detect and mitigate vulnerabilities before hackers can exploit them. Furthermore, bug bounty programs incentivize community members to find security issues by offering financial rewards. Popular projects such as Mozilla Firefox and Linux have utilized bug bounty programs effectively to address numerous security problems. Integrated code review processes are another effective strategy. They employ multiple experts to examine each contribution before it is merged, ensuring higher code quality and security.
Automated testing frameworks further boost this effort, running thorough security checks on every code change to detect potential vulnerabilities early. Continuous Integration/Continuous Deployment (CI/CD) pipelines also strengthen open-source software security by continually testing and deploying code without the risk of introducing new vulnerabilities into development pipelines.

Ongoing education and security training for developers and the community also play an integral role in strengthening the security of open-source software. Many open-source communities offer regular training sessions, webinars, and workshops on secure coding practices to keep users up to date. By educating our users on security best practices, we can strengthen the overall security posture of open-source software.

Financial support is also crucial to protecting open-source software projects. Initiatives by the Open Source Security Foundation (OpenSSF) offer resources that help maintain and improve open-source security projects. Corporate sponsorships and grants allow developers to devote more resources to improving software security.

Our Final Thoughts on the Benefits & Drawbacks of Open-Source Software

Open-source software presents both unique advantages and challenges when it comes to security. The openness and transparency of open-source projects play a crucial role in their protection by allowing vulnerabilities to be identified swiftly. Unfortunately, other issues, such as limited resources, risk of abandonment, and dependence on community support, cannot be ignored when considering security. Although OSS security incidents remain a significant threat, ongoing efforts such as regular code audits, bug bounty programs, automated testing, educational initiatives, and better funding are improving matters considerably. Furthermore, its collaborative nature continues to transform the landscape, making OSS an attractive and increasingly secure choice for developers and end users.
When managed and supported correctly, open-source software can provide a safe and dependable option, embodying its collaborative spirit at its core. In your opinion, do the security benefits of OSS outweigh the risks? Connect with us @lnxsec and share your thoughts!

Brittany Day
While allowing public access to the sensitive behind-the-scenes operation of a program sounds risky, open-source software actually has the potential to be even more secure than a program with hidden code. However, as with any type of software, vulnerabilities still exist and can present a serious security risk if they remain unidentified and unpatched.

Open source is software with publicly accessible code that anyone can view and contribute to, and it forms the foundation of the Internet we use today. The popularity of open-source code is rising: not only are more programs using open-source code, but a larger portion of the average program comes from open-source resources than ever. Today, open-source code can be found in virtually every application we use online, and open-source development is the focus of many of the world's largest companies. To ensure our data online is secure, we must first make sure that the technology that provides this capability is secure. This article will explore the security risks that bugs in open-source software pose and the measures being taken to secure open-source software against vulnerabilities and exploits.

A Brief History of Open-Source Software

Open Source first became mainstream in the 1990s thanks to the creation of Linux and the publication of the source code of the Netscape Communicator Internet suite. While the development of software has always been collaborative, the spread of open-source software represented a new step in the collaboration necessary for large-scale software development. By allowing anyone to view, modify, and borrow from their code, developers let anyone improve and contribute to their ideas. Security-wise, open source code means that bugs and security flaws no longer sit unnoticed until they are exploited: anyone can find, report, or fix mistakes.
Vulnerabilities in Open-Source Software Pose a Great Security Risk

As open source software and libraries become a bigger part of the code used for the infrastructure of the technology that society relies upon, it is essential that open source code is properly checked for security issues. While most exploits are patched before they are taken advantage of, there have been attacks on open-source software in the past, such as the event-stream attack, in which a programmer purposely added malware to the popular event-stream Node.js library.

One recent example of a major bug in open-source software is an exploit found in Log4j, an open-source library used by countless programs to log the actions that they perform. The exploit, known as Log4Shell, made it possible for attackers to execute malicious code in software that used Log4j. Because so many programs use the Log4j library, the potential for damage using the exploit was far more widespread than if every program had its own unique logging code.

Even though open-source software is not inherently more secure and is susceptible to larger-scale attacks because of its widespread use, it has great potential to be far more secure than closed source programs because it allows anyone to contribute to its code and lets users fix the bugs they find. Because libraries like Log4j rely so heavily on unpaid volunteers for maintenance, they often do not get enough attention relative to their importance. Security experts have recognized for some time that the widespread use of outdated open-source software is becoming a national security risk; due to Log4Shell, more people are becoming aware of the flaws of open source and the importance of only using up-to-date and secure open source projects. Since the Log4j incident, developers and security researchers have been emphasizing the need for greater security in open-source software more than ever.
Measures Are Being Taken to Improve the Security of Open-Source Software

One way that open-source security is being promoted is through bug bounties. Bug bounties are a system in which organizations offer incentives for reporting bugs in their software. Bug bounties are not simply a lazy way for companies to test their code for bugs; as the scale of software grows and code gets more complex over time, bug bounties allow smaller teams to build bigger programs without sacrificing security. Additionally, they allow users to report bugs before they are taken advantage of. One bug bounty program is Open Bug Bounty, a website created in 2014 as a way to allow users to submit bugs they find using non-intrusive methods, which are then reported to the company. Over 800,000 vulnerabilities have been patched thanks to Open Bug Bounty.

Another way open source is becoming more secure is sponsorship. According to Kent Walker, the President of Global Affairs at Google and Alphabet, one of the biggest flaws of open-source software is that there is "no official resource allocation and few formal requirements or standards" for its maintenance. Because open-source software is a fundamental part of so many companies (some estimates say that almost all commercial programs use open source code), organizations have begun to sponsor open-source development as a way to support the development and maintenance of the open-source code that they use. Dozens of companies recently committed $30 million to fund The Open Source Software Security Mobilization Plan's 10-step plan to improve the security of open-source software. Additionally, programs like GitHub Sponsors allow users to pay developers of open-source projects hosted on GitHub, one of the largest resources for open-source code.

In addition to the measures being taken to check open source code for bugs, steps are being taken to better prevent errors.
Organizations like OpenSSF, the Open Source Security Foundation, are attempting to rectify the lack of standards for open-source maintenance. In addition to hosting courses that teach secure development, OpenSSF's goal is to enhance the security of open-source projects by creating standards and training for open-source software.

After the Log4j incident, the government has also increased its role in the security of open-source software. The White House recently held a summit to discuss ways to improve the security of open source software, and President Biden signed an executive order recommending the writing of software bills of materials, or SBOMs. SBOMs are documents that list everything that a program uses as part of its supply chain in order to make the program easier to keep secure. For example, an SBOM might list what version of a programming language a program is written in, what libraries it uses, and what open source code it borrows from. This way, if an exploit is found in any of those individual components that could compromise the software, the software can be quickly updated.

Some resources for staying up to date on software security include:

LinuxSecurity Advisories
NIST National Vulnerability Database
CISA Known Exploited Vulnerabilities Catalog
CERT Vulnerability Notes Database

Final Thoughts

As Open Source becomes a bigger part of software development, measures should be taken to improve the security of open-source projects. Software scanning tools can help analyze code for exploits and bugs in the open source components that it uses. Additionally, average users can help keep open-source projects secure by contributing to code or bug bounties. It is also important to stay up to date on the latest exploits, something made easier with an SBOM.
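The SBOM lookup described above (each component listed with its version so that a newly published flaw can be matched to the software it affects) and the inventory of open-source components recommended in the first article's best-practice section both come down to the same check: compare every recorded version against the affected range in an advisory. The following Python script is an added example, not code from LinuxSecurity or from any project named on this page. It reads a constructed CycloneDX-style SBOM, compares each component against a constructed advisory list with placeholder identifiers (ADV-EXAMPLE-...), and reports what needs updating. The component versions, the advisory identifiers and their affected ranges are assumptions made for the example and are not real advisory data.

```python
"""Check a minimal SBOM against an advisory list and report components that need updating.

Added example for this article (not code from LinuxSecurity or any project it names).
It assumes a CycloneDX-style JSON SBOM; the component versions below and the advisory
identifiers "ADV-EXAMPLE-..." with their affected ranges are constructed for the
example and are not real advisory data.
"""
import json
import re

# Constructed SBOM using only a few CycloneDX 1.4 fields. Versions are made up.
SAMPLE_SBOM = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "openssl", "version": "3.0.12",
     "purl": "pkg:generic/openssl@3.0.12"},
    {"type": "library", "name": "event-stream", "version": "3.3.6",
     "purl": "pkg:npm/event-stream@3.3.6"}
  ]
}"""

# Constructed advisories. A range advisory covers introduced <= v < fixed; an "exact"
# advisory names specific bad releases (e.g. a version that shipped malicious code).
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "log4j-core", "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-0002", "package": "openssl", "introduced": "3.0.0", "fixed": "3.0.8"},
    {"id": "ADV-EXAMPLE-0003", "package": "event-stream", "exact": ["3.3.6"]},
]


def parse_version(version):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    Each dot-separated piece becomes (number, release_flag, suffix); a pre-release
    suffix such as '-beta9' gets flag -1 so it sorts before the bare release.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"(\d+)(.*)$", piece)
        if not match:
            raise ValueError(f"unparseable version component: {piece!r}")
        number, suffix = int(match.group(1)), match.group(2)
        parts.append((number, 0 if suffix == "" else -1, suffix))
    return tuple(parts)


def version_key(version, width=4):
    """Pad a parsed version so that '2.15' and '2.15.0' compare equal."""
    parts = parse_version(version)
    return parts + ((0, 0, ""),) * (width - len(parts))


def is_affected(version, advisory):
    """True if `version` falls inside the advisory's affected set."""
    key = version_key(version)
    if "exact" in advisory:
        return any(version_key(bad) == key for bad in advisory["exact"])
    return version_key(advisory["introduced"]) <= key < version_key(advisory["fixed"])


def load_components(sbom_json):
    """Return (name, version) pairs from a CycloneDX-style SBOM document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("this example only reads CycloneDX-style documents")
    return [(c["name"], c["version"])
            for c in doc.get("components", []) if "name" in c and "version" in c]


def find_vulnerable(sbom_json, advisories):
    """Match every SBOM component against every advisory for the same package."""
    findings = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    # An exact-match advisory carries no safe upgrade target in this data.
                    "remediation": (f"upgrade to >= {adv['fixed']}" if "fixed" in adv
                                    else "remove or replace the component"),
                })
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{finding['component']} {finding['version']}: "
              f"{finding['advisory']} -> {finding['remediation']}")
```

Run stand-alone, the script reports the log4j-core and event-stream entries and leaves openssl alone, because 3.0.12 is at or past the constructed fix version. In a real pipeline the advisory list would come from a feed such as the NIST NVD or the vendor's own advisories, and the version parser would need to follow the ecosystem's rules (Maven, npm and distribution packages each order pre-releases and epochs differently); the simple tuple comparison here is enough to show where an SBOM earns its keep.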
Ultimately, while open-source software has had security issues, it can be even more secure than closed source code when properly reviewed, and the growth of open-source software means greater potential for secure software.

Yosef Davidowitz
Ethical hacking might sound contradictory, but leveraging the skills of the ‘white hat’ hacker community has done a great deal for safety and security on the internet. Nowhere does this show more than through so-called bug bounty programs, created to tackle different issues within the code. Many bug bounty programs focus on identifying issues within software or applications. However, others focus on server or website vulnerabilities.

The Benefits of Open Source (and Its Primary Challenge)

With rapid development and sustainable iterations, open-source software (OSS) libraries and frameworks have been in massive demand. Few traditional proprietary products can match the fast-track development cycle possible with OSS. Additionally, it helps to pull down costs and shorten the time-to-market cycle by cutting down on the time needed for custom coding. Instead, it mines existing OSS, which can be quickly shared, modified, and copied. While proprietary coding is far from dead, OSS now plays a huge role in the market. According to statistics:

Both LAMP (Linux, Apache, MySQL, and PHP) and MEAN (MongoDB, Express.js, AngularJS, and Node.js) development stacks have become hugely popular.
Android, one of the most popular Linux kernel operating systems on the market, runs on 85% of the world’s smartphones.
Linux also powered three quarters of the public cloud workload over the pandemic.
Statistics on the use of Open Source suggest up to 70% of the world’s code bases draw on Open Source.

That’s impressive, but it means any risk related to OSS use has become critical to tackle. Open source has never been more important in the software community. The time when a vulnerability could come to light a few years later and be tackled then is long past. Fast, responsive debugging is a critical priority.

What Are Bug Bounties & How Do They Work?

So, how do we incentivize an unpaid, sharing space that brings the coders no revenue to produce results quickly?
Cybercriminals are not going to come forward, after all. While many Linux and Open-Source developers take pride in their development and offer fixes as soon as possible, we can’t expect miracles from a product offered for free and often created in the developer’s spare time.

How Do Bug Bounties Work?

Bug bounty programs have stepped into this role. You’ll find them throughout the ‘Big Tech’ space, including programs from Google, Microsoft, Facebook, and Apple, as well as smaller firms. Bug bounties are programs that pay out to interested parties who find and fix vulnerabilities in open-source code before they impact the platforms using it, adding an additional layer of security to software developed with OSS.

Types of Bug Bounty Programs

Bug bounties fall into two categories: private and public. Public programs allow anyone who is interested to participate. While some may have specific restrictions based on the participant’s existing track record or skill level, mostly anyone can report a potential exploit (and fix) to them within the bounty’s guidelines. Some are even offered off of a specific platform, focusing instead on the general body of open source code.

Private programs work differently. They’re invite-only programs, choosing hand-picked ethical hackers based on their skill level and existing stats. Typically, invitees have already demonstrated great skill in testing the kind of applications the program is focusing on. While some will evolve into a public-style bug bounty later on, some remain private for their entire lifecycle. Many private programs are also specifically focused on critical coding sections of the platform, intending to boost security and limit vulnerabilities in their product offerings.

What Are the Benefits of Bug Bounties?

The primary benefit of bug bounties is easy to see. They offer a way to financially incentivize researchers to analyze code, report vulnerabilities, and close them before they become an issue.
Critically, they also don’t ‘break’ the primary value of OSS code: it stays free, shareable, and accessible to any party who needs it. What else do they do?

Public Disclosure

A more hidden side of the business is incentivizing these white-hat hackers not to publicly disclose what they find until the matter is fixed. This means cybercriminals don’t get advance warning of the issue until it’s too late to do anything with that information.

Pay for Results

Bug bounty programs only pay out when a specific chain of reporting and fixing has been followed. This means they don’t incentivize the wrong people to ‘milk the market’ by creating these issues, nor reward bad behavior; only the ethical hacker who closes, rather than exploits, the vulnerability is rewarded.

Discretion

In some private bug bounty programs, you can even hand-pick who you want to invite to ‘hack’ your product, providing greater control and discretion. Of course, a public program can get results faster, but it can also be overwhelmingly difficult to manage for smaller security teams.

Continual Testing

We’ve emphasized this already, but it bears repeating. Use of a bug bounty program allows programmers and software companies to keep a fresh and vigilant taskforce on the job, meaning that bugs don’t only get identified in beta but continuously come to light. This becomes especially helpful as updates and new innovations to older software go live.

Vast Body of Testers

Even the largest companies cannot employ thousands of testers in-house. They can, however, access them through bug bounty programs, which give access to a huge body of willing testers, continually working to better the software and close dangerous loopholes.

Diversity

Working in tandem with our previous point, you also remove almost all bias when you run a bug bounty program. Testers come from wildly different backgrounds, skill sets, and walks of life, across all geographical boundaries. This allows for a phenomenal testing pool.
Scalability

Bug bounty programs can be scaled up or down to suit the company. Smaller entities can start gently, then expand their testing if their product gains marketplace traction. You can onboard more expertise at critical times, such as during new updates or product launches, and scale back when there’s less demand.

Expense

Despite the need to pay out on successful presentation of a solution, bug bounties typically work out cheaper in the long run than in-house testing. They are certainly cheaper than the loss of reputation and customer trust that can come when a critical vulnerability remains live, too.

Skilled Labor

It’s worth mentioning that you’re not paying for unskilled eyes, either. Private bug bounty programs get to hand-pick who they’re working with. Even public programs are working with skilled testers who have to demonstrate that they can close, not just identify, loopholes. So you’re always using the right people for the job.

Control

This also places a great deal of control in the hands of the company running a bug bounty. You set the rules, and the ethical hackers engaging with your product come to you with the solutions. You can choose how long the program runs, what sort of bugs are being tested for, what you pay out for, and a lot more.

One single bug bounty program, the Internet Bug Bounty, has managed to uncover over a thousand defects in existing open-source programs, paying out a combined total of $750,000 to the hackers that came forward. On average, each bounty netted $500-$750, although some high-end bounties have capped at $25,000 for particularly valuable loopholes. They’ve even used a ‘bragging rights’ billboard as an extra incentive.

Closing the Door on Open Source Loopholes with Bug Bounties

Fortunately, Open Source software has the support of a very robust and engaged programming community. They’re already engaged in making open source solutions faster, more effective, efficient, and secure.
Bug bounties, however, offer an additional bonus for achieving results fast. They’re also a great way for an app, API, or other software to ensure it’s offering its customers the best security in robustly examined and policed software, eliminating one of the biggest concerns with using OSS in the first place.

What Are Some Notable Vulnerabilities That Were Fixed as a Result of a Bug Bounty?

Part of the allure of an effective bug bounty program is that we never hear exactly what was fixed. Or, if we do, we only hear about it years after the exploit was live. While the results of ethical hackers’ hard work go live almost daily, part of the idea is that we never know quite what the original exploit was. However, one key bug bounty-created solution was the recent vulnerability patch released by Microsoft for CVE-2022-26904, which was uncovered as part of joint information shared by CrowdStrike and the US National Security Agency. This particular fix tackled a privilege escalation issue in which winning a race condition could tip over into exploitation. In fact, a high number of the fixes now being released by Microsoft as part of their ‘Patch Tuesday’ updates have been found through Microsoft-specific bug bounty programs. Multiply that by the many software and API updates going live daily, and you have a good idea of how important a solid bug bounty program can be to both companies and their end users.

What Is Coordinated Vulnerability Disclosure?

Coordinated vulnerability disclosure (CVD), formerly known as responsible disclosure, is a system for disclosing vulnerabilities or flaws to the public after patches or remedies have been issued. This coordination distinguishes the CVD model from the "full disclosure" model. Because software developers often require time and resources to repair their mistakes, the ethical hackers who find these vulnerabilities report them to the developers first.
Hackers and cybersecurity experts consider it their social responsibility to make vulnerabilities public knowledge, as hiding problems could create a false sense of security. To balance this, those involved agree on a specific amount of time to repair the vulnerability. The time needed for an emergency fix or workaround depends on the potential impact of the vulnerability, ranging from a few days to several months. The market for bug bounties has developed over recent years, sparking heavy debate over the ethics of monetizing vulnerability reports. Some security experts expect compensation, while others view this as extortion.

How Do I Get Started with a Bug Bounty? What Skills Do I Need?

Wondering how to get started with bug bounties? Obviously, participating in a bug bounty program requires a wealth of specialist knowledge. Participants need a solid grounding in computer networking, web technologies and protocols, and security mechanisms. This includes a solid grounding in security practices (and the ways they are bypassed), common vulnerabilities in applications and the web, and how to find them. You will also need the skill set to patch and prevent these vulnerabilities, so most bug bounty program participants are either coders themselves or the so-called ‘ethical hackers’ who test their coding boundaries with the aim of helping resolve, rather than exploit, them. Remember that these are ever-evolving skill sets, and you will need to stay up to date on current industry trends and changes.

If you’re starting from scratch, there are bug-bounties-for-beginners resources you can use to start honing your skills. From there, most potential program participants will start in public bug bounty programs to build and polish their skills. Bug bounty lists are pretty easy to find. There’s even a bug bounties Reddit sub to explore! So it’s less a case of where to find bug bounties, and more a case of which to pick: focus on companies with bug bounties for software you feel most confident in.
Earning a reputation in public programs is often the key first step to being invited to private programs.

Is There Training on How to Get Into Bug Bounties?

Yes, there is! If you’re brand new to the idea but keen to get started, there are some quality resources you can use to help you get going.

Books & e-Books

Believe it or not, there’s a wealth of traditional book and e-book resources that can introduce you to the basics of ethical hacking. Kevin Mitnick’s Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker, The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, and Peter Yaworski’s Web Hacking 101: How to Make Money Hacking Ethically are three great places to get started if you like this learning format. There are plenty more.

Training Courses

Many sites also offer training on ethical hacking, especially now that bug bounties have taken off. Of course, you’ll want to do your due diligence and make sure you aren’t forking over cash without vetting the true credentials of the learning portal. Here are some tuition providers with the experience to back their claims:

Bug Bounty Hunting on YouTube
100 Bug Bounty Training Lessons
PortSwigger’s Web Security Academy
SANS Cybersecurity Roadmap from the SANS Institute