Demystifying Program Management in Crowdsourced Security

We recently hosted a webinar featuring Johnathan Hunt, VP of Information Security at InVision, and David Baker, CSO at Bugcrowd, discussing how success in crowdsourced security relies on expert program management. We had a great discussion covering how program management brings ROI to your bug bounty program, the requirements for bug bounty program management, and how InVision moved from a competitive self-managed program to a Bugcrowd managed program. Here are some of the key takeaways from the webinar.

Benefits of Running a Managed Program vs. Self-Managed:

It’s possible to manage an early vulnerability disclosure trial, especially one limited in size, scope and number of participants. But once the submissions start to come in, it’s easy to get overwhelmed. There is a lot that goes into program management, including but not limited to:

  • Defining scope
  • Defining disclosure inputs
  • Identifying program security owners
  • Establishing a vulnerability management program
  • Determining time-to-fix agreements
  • Establishing attractive payout ranges
  • Setting up an efficient triage and validation process
  • Determining logistics for payouts and researcher communications
  • Attracting a solid crowd of researchers to actively participate

Organizations rarely have the time or resources to triage and validate incoming vulnerability findings from outside researchers. Given the immense resource shortage in the cybersecurity space, a managed crowdsourced application security testing approach is the most efficient and affordable solution.

Program Management Requirements and ROI:

Once you have a mature bug bounty program ready to go public, you will see upwards of 300 researchers contributing to your program at any given time. Typically, some of those researchers spend only a small amount of time on the program and decide it is not the type of application they are interested in. From there, we typically see about 200 researchers put in an average of about 18-20 hours of effort each, which equates to about 4,000 hours of total testing time. Those 4,000 hours of testing are the same amount you would get from two full-time penetration testers on staff, but the cost is drastically different.

Looking at the cost per hour for the other options: in-house testing runs about $100/hour, testing outsourced to India about $60/hour, and testing from a boutique firm about $220/hour. A crowdsourced security program comes out to about $25/hour when you account for both the cost of managing the program and the cost of the bounty pool actually paid out. Crowdsourcing saves you time and money while delivering a more complete security assessment.

InVision’s Managed Bug Bounty Program

InVision started out with a competitive unmanaged bug bounty program. The company used a bug bounty vendor only as a hosting provider, a shell platform; program management itself remained the responsibility of the internal team. The team had to manage submissions, search for duplicates, determine what was in scope and what was not, validate the results, communicate with the researcher throughout the process, and so on. They quickly realized how much work it takes to manage a bug bounty program.

Due to the time and effort the unmanaged program demanded, InVision decided to move to a managed program with Bugcrowd. Bugcrowd handles everything for InVision: validation, researcher communication, and even a Jira integration into the SDLC. Bugcrowd's Jira integration is set up so that InVision can import a validated submission into Jira, which opens a ticket and auto-fills all the necessary fields; InVision's application security team handles it from there.

Bugcrowd has reduced InVision's required time and effort by 80%. Since working with Bugcrowd, InVision's application security team simply does what it does best: fixing vulnerabilities. They spend their time, attention and expertise on remediation rather than being paid to sift through the noise, communicate with researchers, handle rewards, and deal with everything else that goes along with an unmanaged program.

For more information, check out our on-demand webinar for more details on the value of bug bounty program management.