Starting with a private, invite-only bug bounty program, Western Union and Bugcrowd were able to work together to slowly scale the company’s bug bounty program over time. They eventually announced the launch of their public bug bounty program on March 11, 2015, becoming one of the first organizations in the financial sector to do so.
“Bugcrowd is a young company, and they continue to add more functionality quickly – they’re a truly disruptive platform,” said David Levin, Director, Information Security at Western Union. “Their testers dig deep in their testing. Not only will they take a URL and test it for many days, but they have also found what other systems have not identified. No system can be proven to have zero vulnerabilities, so continuous testing at this level of depth is great.”
With a managed, public bug bounty program through Bugcrowd, Western Union’s security and development teams have been able to focus on the findings themselves, as well as other projects, while Bugcrowd leverages their skilled researchers to crowdsource information and identify valid vulnerabilities.
We recently put together a report on the unique uses for bug bounties in the financial services sector. Download the report to learn more about what other financials companies are leveraging the crowd to bolster their application security testing efforts, what kinds of results they are finding, and the future of bug bounties for financial services organizations.