This blog recaps a conversation Bugcrowd had with their customer, Schibsted. The webinar discussion includes:
Last month, Bugcrowd had the opportunity to speak with our customer Gabriel Berrios, Application Security Engineer at Schibsted. Schibsted is a Nordic media house that has been in operation since 1839. There are several print and digital brands under the Schibsted umbrella.
You can watch the full webinar on demand, but we wanted to share a few highlights below.
Gabriel is based in Oslo, Norway, and primarily works with application security, red teaming, and cybersecurity operations at Schibsted.
What made you consider a bug bounty program and crowdsourced security?
Although our tools can inform us about vulnerabilities at a low level, security researchers and hackers manage to go deeper and understand how to actually exploit these vulnerabilities. Their findings are highly valuable and help us improve our security posture.
Tell us about your bug bounty program and what inspired you to launch this program.
We’re a very large organization that has many services and teams working with different technologies. We decided to add a bug bounty program on top of our existing security tools to achieve a better security posture. We structured our program to have three engagements, each with its own list of domains considered in and out of scope. We assign higher bounty payments to vulnerabilities with higher severity, so critical vulnerabilities pay more than ones with little security impact. Our program outlines what we expect from researchers from a reporting perspective and which techniques are out of scope.
How do you build relationships with security researchers?
It’s important to us to take care of our researchers. We pay out bonuses for good findings and are quite flexible to accommodate our researchers. We recognize their efforts because we understand that their work is time-consuming and requires a lot of knowledge and techniques that take years to develop. Above all else, we prioritize good communication and demonstrating gratitude. For example, some things will sometimes be out of scope, but we’ll explain why and offer a token of appreciation for the effort. We want our researchers to know that their work means a lot to us, and we want to motivate them to work in our program for a long time to come.
Can you share an example of how your bug bounty findings have impacted your business?
One specific hacker sent us really good findings pertaining to misconfigurations and services we no longer use. We also received very valuable DNS findings that triggered a major initiative to clean up domains and records that hadn’t been touched in a while.
How do you determine which hackers to send a private program invite to?
We are very selective with our invitations. I personally invite researchers through private Discord channels and private Norwegian communities. We look for people with experience in testing to reduce noise.
What has been your experience with the Bugcrowd triage team?
We value impactful findings with less noise, especially given the state of AI-generated reports. The Bugcrowd triage team has an enormous job, and they are spectacular at reviewing and filtering findings. They understand and communicate exactly what the severity of each finding is.
Why did you choose Bugcrowd over other solutions for your bug bounty program?
We wanted to access a larger pool of researchers we had never worked with before, which has really paid off. With Bugcrowd, we have received new types of submissions that we had never seen before.