This post originally appeared on ARK’s blog.
ARK is pleased to announce the acquisition of security and penetration testing services from Bugcrowd — the planet’s premier crowd sourced security platform! Highly skilled and trusted white hat hackers from all over the world will try to breach the ARK hull and attempt to expose vulnerabilities before they pose a risk to the ARK Ecosystem.
Working with Bugcrowd, ARK can tap into a global community of over 100,000 expert researchers who use varying techniques to identify 7 times as many critical issues, 80% faster than traditional solutions can.
The list of Bugcrowd customers includes world class companies like Netflix, Tesla, Dash, Binance, Netgear, Pinterest, Atlassian, Invision, Motorola, Hewlitt-Packard, Barracuda Networks, Western Union, Fiat/Chrysler, Digital Ocean…. and the list goes on and on.
ARK is taking advantage of a full array of services offered by Bugcrowd, including both private and public programs. The private program should begin this week, while the public program will begin in early January 2019. Final features and further details will be announced later on when the public programs begin. First item on deck for testing will be the release of our new ARK v2 Core!
How it Works
A Bugcrowd Security Researcher discovers and submits a finding to Bugcrowd. This submission is reviewed for uniqueness, tested, reproduced and once validated, is quickly escalated to the ARK Team. In turn, we review and patch the finding. Findings that may be critical are pushed to our team in under 24 hours. ARK can directly converse with the researchers, and we have access to all conversations between the security researchers and Bugcrowd. As a result, critical bugs get fixed and patched much sooner than less critical ones.
Vulnerability Rating Taxonomy
ARK will be using Bugcrowd’s VRT, a resource that outlines Bugcrowd’s baseline priority rating. Included are certain edge cases for vulnerabilities that are frequently seen. To arrive at this rating, Bugcrowd’s security engineers start with generally accepted industry impact and further consider the average acceptance rate, average priority, and commonly requested program-specific exclusions (based on business use cases) across all of Bugcrowd’s programs.
Bugcrowd’s VRT is an invaluable resource for bug hunters as it outlines the types of issues that are normally seen and accepted by bug bounty programs. We hope that being transparent about the typical priority level for various bug types will help program participants save valuable time and effort in their quest to make bounty targets more secure. The VRT can also help researchers identify which types of high-value bugs they have overlooked, and when to provide exploitation information (POC info) in a report where it might impact priority.
Why Crowd Sourced Security?
There is a disconnect between the motivations of network attackers, and those of developers and security defenders. Crowd sourced security eliminates this imbalance by harnessing white hat security researchers to find and eliminate vulnerabilities, providing rapid and focused results. The most critical attack surfaces are examined including web and API interfaces on server/cloud, mobile and IoT platforms. The security researchers are trusted and highly vetted, diffusing the concerns of risk associated with crowd sourced security.
An External View
While the ARK team and the community know the blueprint of their ship quite well, it is often the eyes of outside examiners who can provide a fresh look from a different angle. Bugs and security vulnerabilities can be found that may never have been apparent to the ARK team. The massive increase in efficiency of crowd sourced pen-testing will allow ARK to reach maximum security in far less time than if we rely on an internal team. Ultimately, it is our highest priority to provide the most secure platform possible to the users of ARK.
If you are a young researcher willing to learn more in the ways of cybersecurity, Bugcrowd offers a University program where you can learn the skills of the cyber jedi.