Following the news that Microsoft has decided to open up their bug bounty programme to find flaws in OneDrive, Terry Ip, Security Consultant at MWR InfoSecurity shared the following expert comment with @DFMag:
“Adding a product to a bug bounty program does not necessarily indicate poor security and it also shouldn’t be used to indicate lack of prior testing. Some companies add products to bug bounty programs to ensure wider coverage of testing by what is essentially a crowdsourcing effort from the security research community, either in place of or in addition to testing by their security vendor. Whilst the bounty can seem large in some cases, the payout is often lower than the costs involved in employing full-time security researchers.
“One of the key things for security researchers to be aware of is adhering to the scope of the bounty program. Going out of scope could result in legal issues or payout disputes, despite the good intentions of the researcher. Always read the small print before you proceed with testing!”