Historically, the first bug bounty programs welcomed any and all security vulnerability feedback from the security community as a whole, typically through a simple web page. In exchange, early bug bounty programs gave thanks, SWAG, and more recently, cash. Due to the 'open-to-everyone' nature of how the first bug bounty programs started, the term “bug bounty” has held a connotation of “the wild west of security.”
Today, however, bug bounties have become much more nuanced, and Bugcrowd’s crowd of security researchers can be utilized in a variety of ways to help organizations secure their products. While Bugcrowd certainly offers and advocates for public bug bounty programs, we have delivered a variety of other bug bounty solutions since our start in 2013. We deliver our crowd of thousands of hackers to organizations with a variety of different needs and goals through 3 distinct types bug of bounty solutions:
Public Ongoing Programs
Our public ongoing bounty programs are 'traditional' bug bounty programs that give researchers all over the world a safe, easy, and coordinated place to report vulnerabilities found in an organization's applications on an ongoing basis.
What Are Public Programs Useful For?
Running a public bounty program is the perfect way to incentivize–with cash or recognition–the continuous testing of main web properties, self-sign up applications, or anything already publicly accessible. If feasible, all organizations should aspire to have some form of a public vulnerability disclosure channel as an application security best practice to provide security researchers a consolidated and accessible place for vulnerability reporting.
What Type of Crowd?
By running a public ongoing program with Bugcrowd, organizations can engage the collective creativity of 36,000 security researchers. Anyone who signs up as a researcher on Bugcrowd's platform has access to submit vulnerabilities to public programs.
Private Ongoing Program
Private ongoing bounty programs leverage the marketplace model of a public ongoing program with a limited talent pool. Only the most trusted and skilled researchers that have been vetted by Bugcrowd can participate in these programs, giving organizations more control over how their applications are tested, and is often the first step in working towards a public ongoing program.
What Are Private Programs Useful For?
A private program is a great solution to incentivize the continuous testing of applications that require specialized skill sets or that are harder to access. Applications that are behind paywalls or require specialized credentials, as well as hardware or IoT devices are great examples of targets for which a private program may be more fitting.
What Type of Crowd?
Researchers participating in private programs must be explicitly invited to participate in the program, and have earned access by proving themselves in public programs. Researchers are ranked on a few key measurements; quality, impact, activity, and trust.
On-Demand bug bounties are project-based application security tests that utilize Bugcrowd's private researcher crowd. They provide organizations with the ability to run a time-boxed ‘crowdsourced penetration test.' They typically last two weeks and are a great way to engage the crowd in a time-boxed setting and with a fixed cost.
What Are On-Demand Programs Useful For Testing?
This bug bounty solution is great for testing new products, major releases, new features, or anything that needs a quick test for up to two weeks. They are also a great solution for organizations looking to improve upon or replace their recurring penetration tests.
What Type of Crowd?
As in private programs, on-demand programs utilize an invite-only crowd of security researchers that have been vetted by Bugcrowd. Furthermore, on-demand programs often utilize a very specific subset of Bugcrowd's private researchers to meet program parameters, needs, and goals.
At Bugcrowd, many of our customers use all three of our bug bounty solutions simultaneously, while others experience great success just utilizing one solution at a time. All organizations face different challenges, have varied resources at hand, and are working towards different business objectives. No bug bounty is alike, which is why we encourage all organizations to tap into our experience and expertise so we can make the best recommendation of which bug bounty solution(s) are the best fit.
To learn more about the evolution of bug bounties, the uses for each bug bounty solution, and how our customers are leveraging the power of the crowd, tune into our upcoming webcast: