News Document Title:
====================
Best Bug Bounty Program Award Winners and Trophy - 2014 Q4


Release Date:
=============
2015-02-12


Laboratory Article:
===================
In september 2014 last year we started a large campaign to reward the `Best Bug Bounty Program` and `Best Upcoming Bug Bounty Program` in 2014.

Next to the new special event we also coordinated to reward the best bug bounty submission of the year 2014 in the Vulnerability Laboratory with a special trophy.

100 active Vulnerability Laboratory members started to vote the `Best Bug Bounty Program 2014` followed by 101 independent vulnerability researchers and bug bounty hunters. 
The best bug bounty program of the year 2014 must have the following characteristics to win the independent security competition.

- Trustworthiness and reliability in handling with reported security gaps
- Expression and expansion of the public security program service
- Announcement of program updates or policy upgrades
- Cooperative exchange (Researchers and Teams)
- Fast Response to the Research Community
- Good Coordination (Researchers and Teams)
- Reliability of the bug bounty payouts
- Transparency of the program

100 active Vulnerability Laboratory members started to vote the `Best Upcoming Bug Bounty Program 2014` followed by 101 independent vulnerability researchers and bug bounty hunters. 
The best upcoming bug bounty program of the year 2014 must have the following characteristics to win the independent security competition.

- Startup in the bug bounty market business
- Trustworthiness and reliability in handling with reported security gaps
- Expression and expansion of the public security program service
- Announcement of program updates or policy upgrades
- Cooperative exchange (Researchers and Teams)
- Fast Response to the Research Community
- Good Coordination (Researchers and Teams)
- Reliability of the bug bounty payouts
- Transparency of the program

100 active Vulnerability Laboratory members started to vote the `Best Bug Bounty Issue 2014` followed by 101 independent vulnerability researchers and bug bounty hunters. 
The best bug bounty submission of the year 2014 must have the following characteristics to win the independent security competition.

- Quality of written Vulnerability Report (Advisory or Bulletin)
- Reliability of the technical details
- Availability and applicability of the Proof of Concept
- Coordinated disclosure in connection with the Manufacturer/Program
- Severity and risk of the reported Bug Bounty Issue
- Typ of Vulnerability
- Reward Count (Minimum Bounty +1000$)
- Public feedback and response by independent researchers
- Views of Plain issue and public resonance

Now, we would like to announce the winners of the 3 competitions ...

Winner of the `Best Bug Bounty Program 2014` is ... PayPal Inc
https://www.paypal.com/webapps/mpp/security/reporting-security-issues
https://www.paypal.com/webapps/mpp/ebayincbugbounty-tc

Winner of the `Best Upcoming Bug Bounty Program 2014` is ... Microsoft Online - Bug Bounty Program
https://technet.microsoft.com/en-US/security/dn800983

Winner of the `Best Bug Bounty Issue in 2014` is ... Ateeq ur Rehman Khan with the Mozilla WireTap Vulnerability (MFSA 2014-14)
https://www.flickr.com/photos/vulnerabilitylab/14886584215/in/set-721576...
http://www.vulnerability-lab.com/get_content.php?id=953
http://www.vulnerability-lab.com/get_content.php?id=967

The winners of the competition will get a letter of respect to acknowledge the win. To reward the manufacturer of the winner programs we are handing over the cup award next 
to the famous CeBIT event. The CeBIT in Hannover (germany) starts 16th march and ends 20th march 2015. We are able to send the award to the manufacturer but we want to make 
this event happens by our personal interaction. Both companies are available at the famous it-event in hannover and so we decided to visit them.

The two graphs below show the statistics to the best bug bounty program and best upcoming bug bounty program voting.

To upgrade the bounty program rewards we also ordered a LED base to highlight the crystal glass globe award. Beginning with the first award campaign and nomination we announce 
to keep this event running every year. We would like to thank all the individual researchers and bug bounty hunters that participated successful in the new campaign. THANKS!

@ Vulnerability Laboratory - Administration

Reference(s):
http://www.vulnerability-lab.com/list-of-bugbounty-program-year.php
http://www.vulnerability-lab.com/list-of-best-upcomings-bugbounty-progra...
http://www.vulnerability-lab.com/list-of-best-bugbounty-issues-year.php



Feel free to read the full vulnerability magazine article with pictures ... 
http://magazine.vulnerability-db.com/?q=articles/2015/02/01/announcement-winners-best-bug-bounty-program-best-upcoming-program-best-issue