General

  • What is a Bug Bounty program?

    A bug bounty is a monetary reward a company provides to someone who reports a “bug” or software vulnerability. Rewards can range from hundreds to thousands of dollars depending on the impact and severity of the vulnerability. Bugcrowd pays researchers 100% of the bounties earned to ensure proper incentives within the ecosystem.

  • What is a vulnerability disclosure program?

    Vulnerability disclosure programs give security researchers a way to report bugs and provide organizations a way to find and reward these submissions. Most often these rewards are kudos or points.

  • What’s the difference between public and private programs?

    Private programs offer organizations the opportunity to utilize the power of crowdsourced security vulnerability testing (volume of testers, diversity of skill and perspective, and a competitive environment) for more focused testing in an invite-only program. While public programs are open to all researchers, private programs are limited to vetted and trusted researchers, giving organizations the power to better control the scope of what is tested, as well as how it’s tested.

  • How do bug bounties fit with traditional security assessment methods?

    We believe that a layered approach to security is best. For many organizations, running a variety of vulnerability scanners and penetration tests is a general security best practice. It’s also no secret that, no matter how advanced, automation only goes so far: it finds only what it already knows about. Penetration tests have a place in many security programs but are limited in perspective and in time and effort. Bug bounties complement any mature security program, filling the gap left by scanners and exponentially improving the probability of finding results.

Crowd Basics

  • What types of things can your crowd test?

    We can test anything that runs code. Bugcrowd researchers love testing mobile apps, web apps, hardware, IoT, and everything in between!

  • How do you screen security researchers?

    As researchers submit vulnerabilities to public programs, Bugcrowd reviews these researchers more deeply. Our points system also allows us to assess their skill sets and levels of trust. Only researchers who have proven their abilities via public programs get invited into private programs. Researchers from around the world may participate, except for researchers from countries against which the U.S. has issued export sanctions or other trade restrictions (e.g. North Korea, Iran).

  • Why would an organization invite hackers to break into their software?

    Bug bounty and vulnerability disclosure programs have been proven to deliver excellent results in finding and fixing vulnerabilities. Bugcrowd’s programs find a P1 vulnerability on average every 13 hours. White hat hackers, or security researchers, are always looking for vulnerabilities, whether invited or not. By providing them with (1) a way to report these vulnerabilities and (2) a reward for doing so, organizations can benefit from continuous testing while paying only for results. Granting permission for security researchers to test software and systems is a great way to receive more vulnerability findings, giving your organization more knowledge and control, and ultimately reducing risk.

  • Are these hackers trustworthy?

    As researchers submit vulnerabilities to public programs, Bugcrowd assesses their skills and ranks their trust level, among other performance attributes. In order to be invited to private programs, researchers must prove their abilities and trustworthiness via public programs. Our curated crowd consists of researchers from around the world, with the exception of those from countries against which the U.S. has issued export sanctions or other trade restrictions (e.g. North Korea, Iran).

    In our crowd, we have some of the most talented security researchers in the world. Moreover, many of these researchers bug hunt on the side, maintaining full-time jobs as penetration testers, security engineers, or developers. The bug bounty model leverages a volume of skilled researchers to yield more and better results. For customers that require more specific skill sets, we run private programs with a curated, skills-vetted crowd. If a client has country-specific requirements for researchers, this can be assessed.

  • What happens if a researcher "goes rogue" and discloses a vulnerability publicly?

    In reality, incidents of public disclosure are extremely rare, and we actively work to prevent them. Our Standard Disclosure Terms outline acceptable and unacceptable behavior. We closely monitor public researcher communications and activity, and researchers are penalized for not complying with this code. In the event of a public disclosure incident (although rare and usually unintended), our team reaches out to the crowd member to ask them to remove the public information and notifies them of the consequences of unauthorized disclosure. We reserve the right to issue a warning to a researcher and/or revoke access to the Bugcrowd platform on a temporary or permanent basis, depending on the severity of the violation. In the hundreds of programs we’ve run over the last four years, we’ve very rarely had to do this.

  • What happens when my bounty pool is running low?

    Our experienced management team will work with you to evaluate and adjust the bounty pool as needed.

Federal

  • Does Bugcrowd comply with ISO standards for vulnerability disclosure?

    Yes. Bugcrowd adheres to ISO 27001, ISO 29147 and ISO 30111. In accordance with ISO 29147, as it relates to the disclosure and handling of researcher submissions, Bugcrowd has an established process through which vulnerabilities are disclosed by a researcher, reviewed and triaged by our Application Security Testing team, and then presented to the customer with the appropriate resolution information. With regard to ISO 30111, the remediation advice that Bugcrowd provides on triaged findings will supply your team with the information necessary to begin resolving vulnerabilities that have been both triaged and validated.