2017 was a year for the books. The Equifax breach, the third Yahoo! breach, the Uber breach — today nearly every American has been impacted by the loss of personally identifiable information (PII). And the threat continues to rise.
Companies, healthcare systems, governmental and educational entities have started to realize how real the threat is but resources are scarce and dwindling. The number of vulnerabilities out in the wild is outpacing the ability to find and fix them. To help bring these critical security gaps to the surface, organizations are increasingly turning to a group that they have traditionally distrusted: hackers.
At Bugcrowd, we work directly with a global crowd of more than 65,000 talented hackers, with diverse backgrounds, technical skills, and expertise. These hackers approach breaking into code like an adversary, but with the intent to help combat cyber attacks using their technical skills and dexterity.
To be successful in partnering with this group, we’ve built a strong, globally-distributed team of Application Security Engineers (ASEs) with broad industry knowledge honed through past experience at both large and boutique consulting firms. Some of them are former white hat hackers, several of them came from our own platform, and they understand the researcher community first-hand. We believe a strong security background coupled with real-world SDLC and enterprise security experience makes for a well-rounded team of experts.
Our SecOps team facilitates researcher communication, crucial for detailed reports, deeper context, and high engagement. But how do we get them coming back to the Bugcrowd platform over and over again?
In our recent report, Inside the Mind of a Hacker 2.0, we asked the researchers who consistently contribute to our security programs what keeps them coming back. They responded: 1) clear and accurate scope, 2) response time and clear communication, and 3) correct bounty amounts.
Let’s take a closer look at those motivators, and how Bugcrowd influences each of them:
A Clear and Accurate Scope
Providing clarity about exactly what is and is not in scope creates a better experience for both the bug hunters and customer. Hackers know exactly what to look for, and customers keep focus on the areas that matter most. How do we do it? Every Bugcrowd customer goes through a comprehensive onboarding process, forming a close partnership between teams to align on program goals, target areas, and expectations.
Response Time and Clear Communication
After hackers have devoted their time and effort to submitting a vulnerability, the last thing they want is a long delay in response. Providing timely feedback and clear communication speeds up the bounty payout for hackers and shortens the time to remediation for customers. On average, all submissions receive an initial response in 1.2 days. How do we do it? Bugcrowd’s Researcher Operations and Security Operations teams provide industry-leading support for both hackers and customers. Our in-house teams provide accurate and quick assessments throughout the entire vulnerability submission cycle.
Correct Bounty Rewards
Hackers want to know approximately how much a bug is worth before they start investigating it. Reducing variation on payout amounts allows researchers to appropriately allocate their time, and helps customers budget correctly for their programs. How do we do it? Bugcrowd’s Defensive Vulnerability Pricing Model provides an overview of what goes into setting the appropriate budget and reward range for your bounty program and our Vulnerability Rating Taxonomy offers a systematized structure for recommended payouts, based on criticality. Every vulnerability submission is automatically tagged with a recommended “priority” and a corresponding payout amount. All payouts are managed through Bugcrowd for easy execution.
The growth of the security researcher community mirrors the increase in bug bounties over the past few years: attack surfaces have become more complex and require researchers with a wider range of skills and a wealth of experience. As the bug bounty market has become more efficient at connecting talent with the need for security testing, the community needs to continue to self-educate to increase the breadth and depth of its skills.