Frequently Asked Questions
What is a Bug Bounty program?
A bug bounty is a monetary reward a company provides to someone who reports a “bug” or software vulnerability. Rewards can range from hundreds to thousands of dollars depending on the impact and severity of the vulnerability. Bugcrowd pays researchers 100% of the bounties earned to ensure proper incentives within the ecosystem.
What is a Next Gen Pen Test?
A Next Gen Pen Test combines the collective creativity of the Crowd of pen testers and skilled, trusted hackers with the methodology-driven reporting you need to meet compliance requirements.
What is a Vulnerability Disclosure Program?
Vulnerability disclosure programs give security researchers a way to report bugs and provide organizations a way to find and reward these submissions. Most often these rewards are kudos or points.
What’s the difference between public and private programs?
Private programs offer organizations the opportunity to utilize the power of crowdsourced security vulnerability testing (volume of testers, diversity of skill and perspective, and a competitive environment) for more focused testing in an invite-only program. While public programs are open to all researchers, private programs are limited to vetted and trusted researchers, giving organizations the power to better control the scope of what is tested, as well as how it is tested.
How do bug bounties fit with traditional security assessment methods?
We believe that a layered approach to security is best. For many organizations, running a variety of vulnerability scanners and penetration tests is a general security best practice. It is also no secret that, no matter how advanced, automation only goes so far: it finds only what it knows. Penetration tests have a place in many security programs but are limited in perspective and in time and effort. Bug bounties complement any mature security program, filling the gap left by scanners and point-in-time tests and significantly improving the probability of finding results.
What types of things can your Crowd test?
We can test anything built from code. Bugcrowd researchers love testing mobile apps, web apps, hardware, IoT, and everything in between!
How do you screen security researchers?
As researchers submit vulnerabilities into public programs, Bugcrowd reviews these researchers more deeply. Our points system also allows us to assess their skill sets and levels of trust. Only researchers that have proven their abilities via public programs get invited into private programs. Researchers from around the world may participate, except for researchers from countries against which the U.S. has issued export sanctions or other trade restrictions (e.g., North Korea, Iran).
Why would an organization invite hackers to break into their software?
Bug bounty and vulnerability disclosure programs have been proven to deliver excellent results in finding and fixing vulnerabilities. Bugcrowd's programs find a P1 vulnerability on average every 13 hours. White hat hackers, or security researchers, are always looking for vulnerabilities, whether invited or not. By providing them with 1) a way to report these vulnerabilities and 2) a reward for doing so, organizations can benefit from continuous testing while paying only for results. Granting permission for security researchers to test software and systems is a great way to receive more vulnerability findings, giving your organization more knowledge and control, and ultimately reducing risk.
Are these hackers trustworthy?
As researchers submit vulnerabilities into public programs, Bugcrowd assesses their skills and ranks their trust level, amongst other performance attributes. In order to be invited to private programs, researchers must prove their abilities and trustworthiness via public programs. Our curated crowd consists of researchers from around the world, with the exception of those from countries against which the U.S. has issued export sanctions or other trade restrictions (e.g., North Korea, Iran).
In our crowd, we have some of the most talented security researchers in the world. Moreover, many of these researchers bug hunt on the side, maintaining full-time jobs as penetration testers, security engineers, or developers. The bug bounty model leverages the volume of skilled researchers to yield more and better results. For customers that require more specific skill sets, we run private programs with a curated, skills-vetted crowd. If a client has country-specific requirements for researchers, this can be assessed.
What happens if a researcher “goes rogue” and discloses a vulnerability publicly?
In reality, incidents of public disclosure are extremely rare, and we actively work to prevent them. Our Standard Disclosure Terms outline acceptable and unacceptable behavior. We closely monitor public researcher communications and activity, and researchers are penalized for not complying with this code. In the event of a public disclosure incident (although rare and usually unintended), our team reaches out to the crowd member to ask them to remove the public information and notify them of the consequences of unauthorized disclosure. We reserve the right to issue a warning to a researcher and/or revoke access to the Bugcrowd platform on a temporary or permanent basis, depending on the severity of the violation. In the hundreds of programs we have run over the last four years, we have very rarely had to do this.
What happens when my bounty pool is running low?
Our experienced management team will work with you to evaluate and adjust the bounty pool as needed.
What is a bug bounty program?
A Bug Bounty Program is a crowdsourced initiative that rewards individuals for independently discovering and reporting software bugs in an organization's Internet-connected assets and applications. Bug bounties are often initiated by security teams to supplement internal code audits and third-party penetration tests. The diverse nature and the sheer numbers of a crowdsourced security approach allow more in-depth testing and add additional layers of security to an organization's overall vulnerability management strategy.
What is Bugcrowd’s role?
Bugcrowd provides organizations with both a SaaS platform (“Crowdcontrol”) and the crowd resources necessary to run a successful bug bounty program. Crowdcontrol includes access to the researcher community, a management interface, and managed services to assist in interactions with the researchers.
What are Bugcrowd’s managed services?
Bugcrowd services provide customers the ability to: onboard, launch, and scale Bug Bounty Programs, connect and maintain healthy relationships with external security researchers, validate and manage incoming vulnerability reports, and pay researchers. Bugcrowd provides the following resources: a Customer Success team for expediting program on-boarding and launching coordination, a Researcher Success team to support researcher management and deployment, a Security Operations team responsible for validating incoming vulnerabilities, and an Account Management team to provide in-program performance management.
What is the difference between a public and private program?
A Private Bug Bounty Program is invitation-only and is not publicized on the public-facing portions of Bugcrowd's website. Only researchers who have been vetted by Bugcrowd, as described above, are invited to participate in private programs, offering more control and specificity. Private programs provide limited scope, allowing customers to grow their Programs slowly and quietly while still realizing the benefits of a crowdsourced approach. Public programs allow customers to gain more insight by utilizing a larger pool of researchers to create scale and speed.
A Public Bug Bounty Program is publicly promoted on Bugcrowd’s website for participation by security researchers from the general public. A public program allows companies to proactively market an aspect of their security operations, build a tighter relationship with the security research community, and elicit submissions from the largest crowd possible.
How are researchers compensated for their services?
Bugcrowd manages payments to researchers who are the first to successfully identify unique vulnerabilities that are in scope of the Bug Bounty Program, following review and approval by the customer. At the outset of a Bug Bounty Program, the customer will establish and fund a “Rewards Pool” from which Bugcrowd will pay out rewards to successful researchers. Other non-monetary forms of payment may apply, including recognition by the researcher community on Crowdcontrol’s Hall of Fame & Monthly Leader Boards. Bugcrowd pays researchers 100% of the bounties earned to ensure proper incentives within the ecosystem.
What is the contractual relationship between the customer and the researcher?
The researchers are non-employee independent contractors of Bugcrowd and have no contractual relationship with a customer. The terms that govern Bugcrowd’s relationship with the security researchers are the “Standard Disclosure Terms” found at https://www.bugcrowd.com/standard-disclosure-terms/.
Are the bugs found by the researcher community kept confidential?
The default provision of all Bug Bounty Programs is that all discovered vulnerabilities must be kept confidential. Customers may choose to allow public disclosure of vulnerabilities of general interest following mitigation at customer’s discretion, and are encouraged to consider this option but are not compelled to do so.
Does Bugcrowd comply with ISO standards for vulnerability disclosure?
Yes. Bugcrowd adheres to ISO 27001, ISO 29147 and ISO 30111. In accordance with ISO 29147, as it relates to disclosure and handling of researcher submissions, Bugcrowd has an established process through which vulnerabilities are disclosed by a researcher, reviewed and triaged by our Application Security Testing team, and then presented to the customer with the appropriate resolution information. With regard to ISO 30111, the remediation advice that Bugcrowd provides on triaged findings will supply your team with the information necessary to begin resolving vulnerabilities that have been both triaged and validated.