General

  • What is a Bug Bounty program?

    A bug bounty is a monetary reward a company provides to someone who reports a “bug” or software vulnerability. Rewards can range from hundreds to thousands of dollars depending on the impact and severity of the vulnerability.

  • What is a coordinated disclosure program?

    Coordinated disclosure programs give security researchers a way to report bugs and provide organizations a way to find and reward these submissions. Most often these rewards are kudos or points.

  • What’s the difference between public and private programs?

    Private programs offer organizations the opportunity to use the power of crowdsourced security vulnerability testing (volume of testers, diversity of skill and perspective, and a competitive environment) for more focused testing in an invite-only program. While public programs are open to all researchers, private programs are limited to vetted and trusted researchers, giving organizations the power to better control the scope of what is tested, as well as how it is tested.

  • What is the difference between Ongoing and On-Demand programs?

    To give our customers a low-risk, low-cost bug bounty trial, Bugcrowd created our unique On-Demand Bounty Program. It is a fixed-cost two-week engagement that introduces you to all the benefits of crowdsourcing and is perfect for testing pre-release code, new features, or for compliance as a quarterly pen-test.

  • How do bug bounties fit with traditional security assessment methods?

    We believe that a layered approach to security is best. For many organizations, running a variety of vulnerability scanners and penetration tests is a general security best practice. It is also no secret that, no matter how advanced, automation only goes so far: it finds only what it already knows about. Penetration tests have a place in many security programs but are limited in perspective and in time and effort. Bug bounties complement any mature security program, filling the gap left by scanners and greatly improving the probability of finding results.

Crowd Basics

  • What types of things can your crowd test?

    We can test anything built from code. Bugcrowd researchers love testing mobile apps, web apps, hardware, IoT, and everything in between!

  • How do you screen security researchers?

    As researchers submit vulnerabilities to public programs, Bugcrowd reviews these researchers more deeply. Our points system also allows us to assess their skill sets and levels of trust. Only researchers that have proven their abilities via public programs get invited into private programs. Researchers from around the world may participate, except for researchers from countries against which the U.S. has issued export sanctions or other trade restrictions (e.g., North Korea, Iran).

  • Why would an organization invite hackers to break into their software?

    Bug bounty and vulnerability disclosure programs have been proven to deliver excellent results in finding and fixing vulnerabilities. Bugcrowd's programs find a P1 vulnerability on average every 13 hours. White hat hackers, or security researchers, are always looking for vulnerabilities, whether invited or not. By providing them with (1) a way to report these vulnerabilities and (2) a reward for doing so, organizations can benefit from continuous testing while paying only for results. Granting security researchers permission to test software and systems is a great way to receive more vulnerability findings, giving your organization more knowledge and control, and ultimately reducing risk.

  • Are these hackers trustworthy?

    As researchers submit vulnerabilities to public programs, Bugcrowd assesses their skills and ranks their trust level, among other performance attributes. In order to be invited to private programs, researchers must prove their abilities and trustworthiness via public programs. Our curated crowd consists of researchers from around the world, with the exception of those from countries against which the U.S. has issued export sanctions or other trade restrictions (e.g., North Korea, Iran).

    In our crowd, we have some of the most talented security researchers in the world. Moreover, many of these researchers bug hunt on the side while maintaining full-time jobs as penetration testers, security engineers, or developers. The bug bounty model leverages a large volume of skilled researchers to yield more and better results. For customers that require more specific skill sets, we run private programs with a curated, skills-vetted crowd. If a client has country-specific requirements for researchers, this can be assessed.

  • What happens if a researcher "goes rogue" and discloses a vulnerability publicly?

    In reality, incidents of public disclosure are extremely rare, and we actively work to prevent them. Our Standard Disclosure Terms outline acceptable and unacceptable behavior. We closely monitor public researcher communications and activity, and researchers are penalized for not complying with these terms. In the event of a public disclosure incident (although rare and usually unintended), our team reaches out to the crowd member to ask them to remove the public information and notifies them of the consequences of unauthorized disclosure. We reserve the right to issue a warning to a researcher and/or revoke access to the Bugcrowd platform on a temporary or permanent basis, depending on the severity of the violation. In the hundreds of programs we have run over the last four years, we have very rarely had to do this.