Bugcrowd Announces New Flex Bounty(TM) Security Testing Program
Company Also Issues First-Ever Report on the Economics of Bug Bounties
SAN FRANCISCO, June 25, 2014 /PRNewswire/ — Bugcrowd, the innovator in crowdsourced security testing, today announced the public availability of the company’s Flex Bounty(TM) security testing program, allowing any company to leverage Bugcrowd’s worldwide network of over 9,500 security researchers for customized bug bounty programs. This new approach to bug bounty programs, pioneered by Bugcrowd over the last year in conjunction with forward-thinking technology, e-commerce and financial services companies, has shown significant gains in cost savings and security results over traditional security testing programs. The Flex Bounty program adds to the responsible disclosure, managed bug bounty and hosted bug bounty programs already offered by the company.
“The Flex Bounty program was developed to address a need for companies who want to integrate bug bounty programs into their existing security testing process or try bug bounty programs on a trial basis,” said Casey Ellis, CEO and co-founder of Bugcrowd. “With the Flex program, companies can engage in timed, scalable bug bounty programs with a select group of Bugcrowd’s top researchers. This allows companies to maximize their security ROI by fixing vulnerability costs while still leveraging the largest pool of security testers in the world to find security vulnerabilities before the bad guys do.”
Bugcrowd also today announced the release of a new report on bug bounty best practices, sharing lessons learned from the 60 Flex Bounty programs the company has conducted to date. The 2014 Flex Bounty Program Efficiency Report is an industry-first look at the economics and best practices of timed bug bounty programs, and the first published view into the world of paid bug bounties for mobile and web applications.
Topics covered in the report include best practices for researcher compensation, average results for valid vs. invalid vulnerability submissions and the types of submissions most commonly uncovered by security testers.
Highlights from the report include:
-- Research shows that a bug bounty incentive structure that rewards testers based on the severity of the problem detected or the creativity of the tactics employed yields the best results for customers.
-- Compared to traditional penetration testing, Flex Bounty programs can start instantly, engage more researchers per test, identify vulnerabilities more quickly and cost significantly less.
-- Cross-site scripting was the most common vulnerability class, accounting for 32 percent of all vulnerabilities reported.
-- On average, each Flex Bounty program yielded 193 total vulnerability report submissions, of which 45 were valid and in scope.
-- It is estimated that the crowd devoted an average of 163 man-hours to each Flex Bounty program, based on the number of vulnerability reports submitted.
-- The report details the first-ever model to ensure that researchers are compensated for all valid vulnerability report submissions while still fixing the overall cost of each Flex Bounty program.
Bugcrowd, the innovator in crowdsourced security testing for the enterprise, was founded in 2012 by a team of security and software development experts who saw the opportunity to level the playing field in cybersecurity. Bugcrowd’s revolutionary approach to cybersecurity combines a proprietary vulnerability reporting platform with the largest crowd of security researchers on the planet. Cost-effective and far faster than standard security testing programs, Bugcrowd also provides a range of responsible disclosure and managed service options that allow companies to commission a customized security testing program that fits their specific requirements. Based in San Francisco, Bugcrowd is backed by Icon Ventures, Paladin Capital and Square Peg Ventures. To learn more about Bugcrowd, visit www.bugcrowd.com or check out the Bugcrowd blog.
Bugcrowd is a trademark of Bugcrowd, Inc.