At Bugcrowd, we’ve long said that managed bug bounty programs allow organizations of any size or stage of security maturity to realize the benefits of a bug bounty program. This is why we’ve provided managed programs from day one and why I’m especially excited by today’s news. Today we are recruiting for a Secret customer program with a top reward of $250K.
High rewards like this one are a fairly new phenomenon for the industry, traditionally reserved for tech giants. But we are beginning to see a shift. Just a few months ago 1Password upped their top reward to $100K. Today’s announcement is yet another indicator that organizations are seeing the value in identifying vulnerabilities early — before adversaries can take advantage of them.
However, high rewards aren’t a silver bullet — running a successful bug bounty program requires care, feeding, and constant adjustment. Without an experienced team to guide the process of adjusting payout ranges, building program scopes and engaging researchers, self-run programs run the risk of stalling out, losing researcher participation and confidence.
What is a secret program
Private programs are open to a select, vetted group of researchers while public ones are open to the full breadth of the 60k+ crowd. This top secret program is a hybrid approach. It allows the organization to recruit more top talent — security experts that specialize in the company’s unique attack surface — in a more controlled way. This means that while not just anyone can “hack on” the program, anyone can apply to.
Who should apply for this program
Those with experience in virtualization (VM breakout, cross-instance manipulation, exploitation of host components), kernel and device driver security, firmware, and advanced application security are invited to apply. Note that all participants will be required to undergo a background check and sign an NDA prior to participating.
Qualified and participating researchers will be invited to submit a report of their efforts, covering what was attempted, ideas for potential compromise, and any other relevant information (regardless of whether or not they achieved the stated objectives). The top five reports at the end of the program that show demonstrated effort and expertise will be awarded $10,000 each, as compensation for work done.
This is an exciting day for Bugcrowd, launching the largest advertised bounty on a third-party platform; for the industry which continues to grow at a rapid pace; and for the community brimming with talent and thriving as they identify more, bigger bugs for a growing and diversifying set of organizations.