Prioritizing Risk Using Researcher Submissions


Historically, vulnerability management programs have relied exclusively on vulnerabilities reported by automated tools. The success of any vulnerability management program, however, depends on its ability to automatically consolidate vulnerability data from every source and prioritize the remediation of each risk.

Vulnerabilities discovered by a community of researchers significantly expand visibility into an organization's security risks and should always be included when triaging vulnerabilities.

Automation Forces Speed and Efficiency

Adversaries automate their attacks with tooling, scripts and exploitation frameworks to identify and exploit security weaknesses. For defenders, speed has gone from an advantage to a necessity in every aspect of vulnerability management, including understanding and prioritizing risk. Automating this process, by pulling data through an API rather than by hand, consolidates vulnerability data in one place and lets defenders reduce risk with speed and efficiency.

Human Creativity Discovers Complex Vulnerabilities

Issues discovered by automated tools offer only a fraction of the insight into your overall risk. Approaches such as running a separate vulnerability management process for each source of findings simply do not scale. Crowdsourced security researchers creatively uncover complex vulnerabilities that automated tools cannot identify, because those tools are bound to signatures.

These gaps leave potential high-severity risks open longer and exploitable by attackers. A single pane of glass for overall risk allows proper prioritization of vulnerabilities and ensures that issues with high business impact are fixed first.
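
The "single pane of glass" point above, worked through in code. This is an added example written for this post, not Bugcrowd's code or a Bugcrowd schema: the record shapes of the submissions and scanner results, the mapping of Bugcrowd's P1..P5 priority onto a 0-10 axis, the asset criticality table and the weighting rule are all assumptions chosen to show how researcher submissions and scanner output can be merged, deduplicated and ranked by business impact rather than raw severity. Python is used because it is one of the client languages listed later in the post.

```python
"""Consolidate researcher submissions and scanner findings into one risk queue.
Added example, not Bugcrowd code: record shapes, the P1..P5 -> score mapping,
the asset criticality table and the weighting rule are all assumptions."""
from dataclasses import dataclass, field

# Bugcrowd rates submissions P1 (critical) .. P5 (informational); scanners
# report CVSS on 0-10. Put both on one severity axis (assumed mapping).
PRIORITY_TO_SCORE = {"P1": 9.5, "P2": 8.0, "P3": 6.0, "P4": 3.5, "P5": 1.0}

# Business criticality per asset, 1.0 = most critical (assumed values).
ASSET_CRITICALITY = {
    "payments.example.com": 1.0,
    "www.example.com": 0.7,
    "dev.example.com": 0.3,
}


@dataclass
class Finding:
    asset: str
    category: str       # weakness class; together with asset, the dedupe key
    title: str
    base_score: float   # 0-10 severity, independent of where it was found
    confirmed: bool     # True once a human has demonstrated exploitability
    sources: set = field(default_factory=set)

    @property
    def risk(self) -> float:
        """Severity weighted by business impact. Assets missing from the
        inventory are treated as critical until someone classifies them."""
        weight = 0.5 + 0.5 * ASSET_CRITICALITY.get(self.asset, 1.0)
        return self.base_score * weight


def from_submission(sub: dict) -> Finding:
    """Normalise a crowd submission (constructed shape, not the Bugcrowd schema)."""
    return Finding(
        asset=sub["target"], category=sub["vrt_category"], title=sub["title"],
        base_score=PRIORITY_TO_SCORE[sub["priority"]],
        confirmed=sub["state"] == "triaged",  # triage validated the proof of concept
        sources={"crowd"},
    )


def from_scan(item: dict) -> Finding:
    """Normalise a scanner result (constructed shape)."""
    return Finding(
        asset=item["host"], category=item["category"], title=item["name"],
        base_score=float(item["cvss"]),
        confirmed=False,  # a signature match; nothing has been demonstrated
        sources={"scanner"},
    )


def consolidate(findings) -> list:
    """Merge records describing the same weakness on the same asset: keep the
    higher severity and mark the result confirmed if any source was."""
    merged = {}
    for f in findings:
        key = (f.asset, f.category)
        if key not in merged:
            merged[key] = f
            continue
        m = merged[key]
        if f.base_score > m.base_score:
            m.base_score, m.title = f.base_score, f.title
        m.confirmed = m.confirmed or f.confirmed
        m.sources |= f.sources
    return list(merged.values())


def prioritize(findings) -> list:
    """Remediation order: highest weighted risk first; at equal risk the
    demonstrated issue goes before the unverified one."""
    return sorted(consolidate(findings), key=lambda f: (-f.risk, not f.confirmed))


# Constructed sample data.
SUBMISSIONS = [
    {"target": "payments.example.com", "priority": "P1", "vrt_category": "sql_injection",
     "title": "Blind SQLi in /checkout coupon parameter", "state": "triaged"},
    {"target": "www.example.com", "priority": "P3", "vrt_category": "idor",
     "title": "IDOR exposes other users' invoices", "state": "triaged"},
]
SCAN_RESULTS = [
    {"host": "dev.example.com", "cvss": 9.8, "category": "outdated_software",
     "name": "End-of-life web framework"},
    {"host": "payments.example.com", "cvss": 7.5, "category": "sql_injection",
     "name": "Possible SQL injection (error-based)"},
    {"host": "www.example.com", "cvss": 5.0, "category": "missing_headers",
     "name": "Missing security headers"},
]


def build_queue() -> list:
    return prioritize([from_submission(s) for s in SUBMISSIONS] + [from_scan(r) for r in SCAN_RESULTS])


if __name__ == "__main__":
    for f in build_queue():
        tag = "confirmed" if f.confirmed else "unverified"
        print(f"{f.risk:5.2f}  {tag:10}  {f.asset:22}  {f.title}  [{', '.join(sorted(f.sources))}]")
```

Two things fall out of the sample run that a per-source process would miss: the scanner's "possible SQL injection" on the payments host is folded into the researcher's triaged P1 for the same weakness instead of becoming a second ticket, and the CVSS 9.8 finding on the dev host ranks below it because the weighting accounts for business impact, not just severity.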

Integrating Bugcrowd Is Microwave TV Dinner Easy

Bugcrowd's API makes it simple to integrate the power of the crowd into your vulnerability management program without manual steps. Its use-case-based architecture lets you reach the right endpoint quickly without reading through pages of documentation.

Several unofficial, open-source API clients already exist in a range of programming languages:

API CLIENT                          LANGUAGE   LICENSE
NuGet Gallery | Bugcrowd.API 1.0.5  C# .NET    MIT License
asecurityteam/bug_crowd_client      Python     MIT License
mattreduce/bugcrowd                 Ruby       MIT License

Get Those Subs!
With Ryan Black's C# client, installed via NuGet, you can pull a program's submissions in just three lines of code:

using BugcrowdAPI;
var client = new BugcrowdClient("apitokenvalue");   // your API token; load it from a secret store rather than hardcoding it
var submissions = client.GetSubmissions("1234567"); // placeholder identifier of the program whose submissions to pull

Set It And Forget It

Bugcrowd's API is scalable and cron-friendly, so you can automate submission downloads on whatever schedule you like. As a result, your VM program always prioritizes against the current set of risks.
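
What a scheduled pull actually needs in order to be safe to "set and forget" is a checkpoint, idempotent storage and tolerance for rate limiting. The following is an added example written for this post, not Bugcrowd's code: the endpoint URL, the `updated_since`/`offset`/`limit` query parameters, the `Authorization: Token` header and the `submissions`/`uuid`/`updated_at` response fields are assumptions standing in for whatever the real API returns, and the transport is injected so the sync logic can be exercised offline against constructed records.

```python
"""Cron-friendly incremental pull of submissions with a checkpoint.
Added example, not Bugcrowd code: endpoint, query parameters, auth header and
response fields are assumptions; the transport is injected so it runs offline."""
import json
import os
import tempfile
import time
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime
from pathlib import Path

PAGE_SIZE = 2  # deliberately small so the sample data exercises pagination
EPOCH = "1970-01-01T00:00:00+00:00"


def http_fetch_page(since: str, offset: int) -> dict:
    """Real transport against an assumed endpoint. The token comes from the
    environment, never from source (contrast the literal token in the post)."""
    token = os.environ["BUGCROWD_API_TOKEN"]
    query = urllib.parse.urlencode({"updated_since": since, "offset": offset, "limit": PAGE_SIZE})
    req = urllib.request.Request(
        "https://api.example.com/submissions?" + query,  # assumed URL
        headers={"Authorization": f"Token {token}", "Accept": "application/json"},
    )
    for attempt in range(5):
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code != 429:
                raise
            # Honour Retry-After when the server sends one, else back off.
            time.sleep(int(err.headers.get("Retry-After", 2 ** attempt)))
    raise RuntimeError("still rate limited after 5 attempts")


def sync(fetch_page, checkpoint: Path, store: dict) -> int:
    """Pull everything updated since the last run, upsert by uuid so re-runs
    are idempotent, and advance the checkpoint only after a full pass."""
    since = checkpoint.read_text().strip() if checkpoint.exists() else EPOCH
    newest, offset, pulled = since, 0, 0
    while True:
        items = fetch_page(since, offset)["submissions"]
        for sub in items:
            store[sub["uuid"]] = sub  # seeing the same uuid twice just overwrites
            newest = max(newest, sub["updated_at"], key=datetime.fromisoformat)
            pulled += 1
        if len(items) < PAGE_SIZE:
            break
        offset += PAGE_SIZE
    # Written last: a crash mid-run re-pulls a page next time, never skips one.
    checkpoint.write_text(newest)
    return pulled


def make_fake_api(records: list):
    """In-memory stand-in that filters and pages the way the server is assumed
    to. The filter is inclusive, so the boundary record is re-sent on the next
    run; the upsert in sync() makes that harmless."""
    def fetch_page(since: str, offset: int) -> dict:
        cutoff = datetime.fromisoformat(since)
        matching = sorted((r for r in records if datetime.fromisoformat(r["updated_at"]) >= cutoff),
                          key=lambda r: r["updated_at"])
        return {"submissions": matching[offset:offset + PAGE_SIZE]}
    return fetch_page


def demo() -> dict:
    """Two cron ticks over constructed records; the second tick sees only the
    submission that was re-triaged plus the newly created one."""
    records = [  # constructed, not real submissions
        {"uuid": "a1", "title": "Stored XSS in profile", "priority": "P2",
         "updated_at": "2024-01-10T09:00:00+00:00"},
        {"uuid": "b2", "title": "IDOR on invoices", "priority": "P3",
         "updated_at": "2024-01-11T12:30:00+00:00"},
    ]
    api, store = make_fake_api(records), {}
    with tempfile.TemporaryDirectory() as d:
        checkpoint = Path(d) / "submissions.checkpoint"
        first = sync(api, checkpoint, store)
        # Between ticks: b2 is re-triaged to P2 and a new submission c3 arrives.
        records[1].update(priority="P2", updated_at="2024-01-12T08:00:00+00:00")
        records.append({"uuid": "c3", "title": "SSRF in webhook tester", "priority": "P1",
                        "updated_at": "2024-01-12T10:00:00+00:00"})
        second = sync(api, checkpoint, store)
        return {"first": first, "second": second, "stored": len(store),
                "b2_priority": store["b2"]["priority"], "checkpoint": checkpoint.read_text()}


if __name__ == "__main__":
    print(demo())
```

To run it for real, swap `make_fake_api(records)` for `http_fetch_page` (after correcting the assumed endpoint details) and point `checkpoint` at a persistent path; because the checkpoint is written only after a complete pass and every record is upserted by its identifier, a crashed or double-scheduled cron run re-downloads at most one window of submissions and never loses one.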

What Will You Automate And What’s Next

Bugcrowd’s robust API allows you to automate more VM program processes, such as acceptance workflow. Leave a comment below and share what other use cases you hope to automate!

We’re also taking automation possibilities to the next level with webhooks. Interested in webhooks? Reach out to support@bugcrowd.com to get on the Beta!
