By Neil Cook, Chief Security Architect Open-Xchange
I have some really exciting news this week, which I’ve been wanting to share for a while. The Open-Xchange group of companies, including PowerDNS and Dovecot, now have public bug bounty programs hosted on hackerone. These programs have actually been operational with increasing numbers of invited expert researchers for the past 6 months, as we built up confidence with the program, adjusted our policies and program scope, and interacted with the hugely knowledgeable HackerOne community. Now we’ve reached the stage where we’ve thrown open the doors, and our bug bounty programs are open to everyone.
Bug bounty programs have been an important security tool for a number of years, and while some large companies such as Google and Facebook host their own programs, Open-Xchange has joined companies such as Twitter and Yahoo! in using hackerone. Somewhat appropriately, I’m writing this post from the Black Hat USA 2016 conference, having just attended a talk where bug bounty programs were presented as one of the top-10 highest-impact security innovations of the last 20 years.
Indeed, just last week Apple announced their own bug bounty program, no doubt inspired by the example of Open-Xchange!
The hackerone service hosts a very large community of security researchers (ranked by their contribution and skills), provides the tools that let them report security vulnerabilities, and allows bounties (either monetary or “swag”) to be awarded easily by the affected companies. Using hackerone has enabled Open-Xchange to roll out the program with speed and effectiveness, and it has now become an important part of our development and release lifecycle, as well as of our responsible disclosure program.
I’m happy to say that, in just 6 months, the bug bounty program has already contributed to the increased security of the software developed by Open-Xchange, and I look forward to seeing how it will evolve over the coming months and years, so watch this space!
You can find the details of our bug bounty programs at: