Setting the Bar High for Bug Bounty Triage and Validation

Running a bug bounty program on your own is difficult. Imagine receiving hundreds of vulnerability submissions weekly, many of them unimportant and many of them duplicates of known vulnerabilities. Once you weed through those submissions, you’ll have to respond where needed, prioritize by impact, and determine what each one is worth. Then you’ll have to file a ticket to make sure it gets fixed and, the most fun part of all, pay the researcher, which, as you can imagine, may get tricky.

The process of managing vulnerability reports can be painfully time-consuming. Organizations hardly have the time or resources to triage and validate incoming vulnerability findings from outside researchers. We recognized this pain point back in 2012 and have remained committed to providing our customers with full-scale bug bounty support and services since day one. This means we not only provide a platform, we provide full-service management, including expert technical review and escalation of valid vulnerability submissions. In addition, our teams provide the facilitation of researcher communications crucial for detailed reports, deeper context, and high engagement.

Researchers put a lot of time and effort into their submissions. For this reason, we feel that every submission deserves full attention and a quick response. That’s why each and every vulnerability submitted through our platform is reviewed by one of our application security engineers. Our response time is unsurpassed – recently we’ve seen the average time to first response for all submissions well under the 24-hour SLA we set for critical vulnerabilities.

Further to this, our payouts are industry-leading, with more than 80% of all valid vulnerabilities rewarded within 1 minute of acceptance.

We set the bar high for bug bounty triage and validation, providing nearly all signal (94.76% to be exact) for customers across all of our managed programs in 2017.

Our in-house team facilitates hundreds of managed bug bounties with tens of thousands of vulnerability reports, escalating high-priority issues within hours and averaging triage within a business day.

Vulnerability submissions are on the rise. Nearly 70% of all submissions were received in the last year. With well over half of these submissions marked as valid and a 25% increase in critical submissions, we’re not only seeing a massive uptick in submissions but in submissions with high business impact.

Despite this, our team has decreased the first-touch response by 21% and decreased time to validate vulnerabilities by 11%. Quantity and quality are up, but support remains better than ever.

Our customers regularly tell us that they consider our Operations and Support teams partners. These teams add immense value to ensure the success of their bug bounty programs, not only in technical review but also in community curation and management around your bounty. Johnathan Hunt, VP, Information Security at Invision, states, “For us, the managed approach reduced our required time and effort by at least 80%, allowing us to not only focus on what matters the most, implementing the remediations, but also freeing up our security team to focus on other components of our security program.”

Bug bounty programs are trending upward, and adoption of these programs continues to grow at a breakneck pace. With the shortage of resources in the cybersecurity space, a managed crowdsourced application security testing approach is the most efficient and effective solution.

For more information about how our Security Operations can help customers, check out our Bug Bounty Management Solutions Brief.