At the beginning of this year we released our ‘Defensive Vulnerability Pricing Model’ that answers the question “what’s a bug worth?”. This guide outlines how much organizations should budget for crowdsourced security programs, and what reward ranges attract the right talent. In short, this guide, informed by tens of thousands of vulnerability submissions and years of running public and private crowdsourced security programs, set the first market rates for security vulns by criticality, and now organizations are beginning to adopt this guidance.
Why does it matter?
It is one of our top priorities to facilitate and encourage more payouts to our incredibly talented and creative crowd. This will, in turn, increase activity and engagement, providing even more value for organizations committed to building more secure products.
By both advocating for competitive bug payouts and encouraging more companies to reward appropriately, we are getting closer to that goal. As more and more companies align their business and security goals with their crowdsourced security programs, we’re beginning to see a general increase in motivation and activity amongst the crowd. A great public example of the manifestation of that success is Jet.com who, in working with us for the last year and experiencing the value of the crowd, and furthering their commitment to the security research community, has decided to align their rewards with our suggestions made in the DVPM.
“‘Our biggest asset at Jet is our members’ trust, so we take protection of their data very seriously. Everyone at the company, from the security engineers, to the marketing people, to the Jet Heads in the call center is aware that keeping that trust is a paramount concern.’ – Mike Hanrahan, CTO of Jet.com.
Starting in February 2015 when we launched our first private bug bounty program with Bugcrowd, we’ve seen the value in leveraging the skills and techniques of ethical hackers. We started off with a small private crowd, and worked our way to a public program in June 2015. In that time, we have rewarded 97 security vulnerabilities through the Bugcrowd platform, including some pretty obscure bugs that many pen testers and automated scanners would have overlooked…
…We’ve gotten a lot of value from the types of findings users have submitted, which is why we’re both expanding the scope that researchers can test against, and increasing our reward range. Our scope will now include our mobile applications, and we are increasing our maximum reward from 2,500 to 15,000 so as to attract more of the world’s top security talent, and express our commitment to the security research community.”
We are committed to advocating for both organizations running crowdsourced security programs, as well as the security research community. To maintain a healthy relationship and support mutual beneficial behavior, we continue to encourage the industry to take a look at our suggestions and give us feedback!
We know this guidance is a baseline, living document that is dependent on available resources, business initiatives and goals, as well as the health of the security research industry as a whole. In keeping with our commitment to advocate fair, competitive vulnerability payouts, we will continue to assess the state of this guide on a quarterly basis.