Ilya Sharonov, Director of the Production Center of the Digital Solutions Department at R-Style Softlab, believes that bug bounty is an excellent tool for finding vulnerabilities in complex software systems: "A company's willingness to spend effort on ensuring user security can and should be supported by the state. However, in the case of bug bounty it is more relevant not to compile a rating, but to give preference to those solutions that participate in a bug and vulnerability search program at all. After all, in essence this is a process that the developer must support continuously, and the binary approach of "participates / does not participate" can be implemented quite quickly. It is also worth considering that in today's conditions software products develop very quickly, and new functions can bring new vulnerabilities. And if the product is updated frequently, the question arises of what time period is sufficient for successfully completing the vulnerability search program for a specific software release. Another important point is the interest of security experts in participating in the bug bounty program. If the product is already popular, there will be a large number of enthusiasts wanting to test it. But if the software is only preparing to enter the market, or is a niche solution, finding testers will be much more difficult. Interest in the product can be stimulated by a high reward for a found vulnerability. However, this can also distort the rating results: companies have very different opportunities to fund bug bounty programs."
Elena Baranova, Development Director at Auriga LLC, believes that the proposal to rate software from the registry is not well thought out: "First of all, most of the solutions in the registry are closed to external access by developers, let alone users. This happens for various reasons: the class of software (embedded, system, etc.), security requirements, or intellectual property rights. Secondly, there is the question of funding bug bounty services. This is not a cheap pleasure, and only large market players can afford it. And of course, the question of the qualifications of potential bug hunters will arise. Testing a product or service is a complex activity that requires qualifications, sometimes special equipment or software tools, and is carried out in accordance with standardized processes. Who can guarantee that amateur testers will not do more harm than good? So the initiative seems to me rather crude and applicable only to solutions for mass users from large developer companies, most of which already have their own bug bounty programs. From my point of view, it would be more logical to require penetration testing for services that are sensitive with respect to personal data of any type."