4 Years of Bugcrowd’s Bug Bounty: Evolution and Learnings

To improve our own security, as well as make a better product for our customers, we’ve prioritized and evolved our bug bounty program over the past four years. From private to public, continuous and time-boxed, we’ve implemented many types of bug bounty programs on our own applications and web properties over the past four years and have seen amazing contributions from our bug hunting community…

We kicked off our first bug bounty as a time-boxed, open program with cash reward pool on a web app designed specifically for bounty testing. The second program launch was also a time-boxed, Kudos-only program.

In September 2013 we rolled out our own bug bounty on bugcrowd.com, an ongoing public program with cash rewards. This continuous testing offers us a breadth of testing that wouldn’t be possible with other application security testing. We’ve upped rewards since on our public program wherein our minimum reward prize has been $500 with a max of $5,000.

We’ve run multiple private On-Demand Programs on Crowdcontrol, our vulnerability management platform, since the beginning of 2015. We run what are essentially 2-week crowdsourced penetration tests with focused testing for major releases and invite-only pools of researchers.

Thanks to everyone who has contributed to our bounty programs! The volume and quality of testing that we’ve seen not only helps us keep our customer data safe but also helps us build a more powerful and intuitive product. We hope that the community continues to support our endeavor to uphold the highest standard of product security, and look forward to the future iterations of our program, and the bug bounty ecosystem in general.

Want to learn more about Bugcrowd’s bounty program? Read more here and check out all of our public programs.