At Bugcrowd, we believe that whatever your organization’s size or industry, cybersecurity is a goal that requires a blend of data, technology, and human intelligence to achieve. The Bugcrowd Security Knowledge PlatformTM addresses these pain points in a unique way by offering a multi-solution, layered approach to crowdsourced security at scale, bringing maximum value and minimum risk via penetration testing as service, managed bug bounty, and more.

This platform-powered approach helps security teams overcome significant challenges caused by the fragmented security environments, including:

  • Poor visibility into security posture
  • Multiple single points of dependency
  • Siloed security data and insights
  • Overhead in managing multiple providers

These challenges are even more painful, of course, when budgets and resources are constrained. Customers are almost crying out for strategies that will help them maintain or increase their investments in security, without increasing overhead and complexity.

Our customers are also getting bigger and more complex, so we need to support their growing security organizations. We think the best way to do this is to empower them with the flexibility to structure their security solutions on the Bugcrowd Platform to reflect their internal organization or products, and to manage them in an efficient yet fine-grained way–for example, to enable them to standardize scope across a series of different programs (pen tests, bug bounty programs, etc.), or to run reports across them. That would make managing and getting value from multiple Bugcrowd solutions much easier, and empower security leaders to focus more on the big picture.

Introducing multi-tier management

For these reasons, we’re excited to announce the addition of multi-tier program management to the Bugcrowd Platform.

Bringing multi-tier management to the platform gives customers a lot more flexibility for solving multiple security goals across assets in pen tests, bug bounties, VDPs, and even ASM programs, in any combination. In most customer organizations, the asset is king/queen: It defines which employees get access to which resources, and has an associated security strategy attached to it. This change lays the foundation for managing asset security throughout its lifecycle, across all the Bugcrowd products that might be applied to it.

Under this new model, the “program” becomes a container abstraction for multiple engagements that inherit attributes from the program. In other words, a customer can now share submissions, roles, assets, and integrations across pen tests, bug bounty programs, and VDPs inside the same program–as well as get valuable insights about trends and opportunities from data analytics and reports generated across that program. 

Under the multi-tier model, you can also expect a more holistic understanding of all your assets by researchers. You will naturally create a clear comprehension of your needs regarding submissions, roles, assets, and integrations; providing researchers additional critical tools beneficial to your security investment.

In the diagrams below, we can see an organization that has gone from individually managing five programs under the former, “flat” model (Figure 1), to managing only two programs under the new, multi-tier model (Figure 2). For each new engagement created, it inherits the attributes already set at the program level. Researcher submissions will also be shared across the program, significantly reducing the pain of having to move submissions across different engagements to meet certain requirements.


Figure 1. Before: Flat management model


Figure 2:
After: Multi-tier management model


By introducing this model, we will significantly reduce the administration overhead in setting up and managing new solutions on the Bugcrowd Platform. We also unlock new reporting and insights across customer solutions, an ability to duplicate an engagement with a single click, and an intuitive, three-tier navigation UI:

Bugcrowd Penetration Testing as a Service is the first solution type to support this new approach to organizing security programs at scale, with Managed Bug Bounty and VDP to follow on the roadmap. Going forward, as one benefit of this new approach, it will be possible to “clone” completed penetration tests across programs (including scope, targets, integrations, etc.), allowing customers to much more easily repeat their pen tests at scale–which we anticipate will be very useful for organizations that, for example, need to do large batches of compliance-driven pen tests across the year.

Investing in the platform 

If multi-tier management sounds like something that is critical for a multi-solution platform, you’re spot on. This is a significant improvement in the way security engagements are managed on the Bugcrowd Platform, one which has been made possible with significant investment from our customers. If you have any thoughts or questions about this platform enhancement, we welcome your feedback!