Bugcrowd Blog

Bugcrowd in 2016: Transparency, Education, and Quality

Posted by Payton O'Neal on Dec 20, 2016 9:03:00 AM

It goes without saying that it has been a HUGE year for appsec. We’ve seen yet another record breaking year of breaches, we had the largest breach in recorded history–Yahoo, and we also witnessed the largest DDoS attack as far as we know at 1.2TB–Mirai. 

Through it all, bug bounties have been at the forefront of many of these issues as must-have solutions for enterprise organizations taking their appsec programs to the next level. 

Although the bug bounty model has been around for a while–it celebrated its 21st birthday this year–it has only come into its own in the past few years. This year, bug bounty adoption has skyrocketed, and throughout the year, we have taken it upon ourselves to both support and grow the foundation of this high-potential economy with our managed bug bounty solutions.

As a company and as an economy, we’ve focused on three main things in 2016–transparency, education, and growth towards our fundamental goals...

  • Invite and encourage more of the world's leading companies to embrace the creativity, power, and passion of the many thousands of white-hats in the world
  • Leverage these relationships to create better security feedback between people who build and defend, and those whose skill is to think like an attacker
  • Increase the quality and volume of submissions, to increase liquidity to the white-hat hacker community and see more budding hackers-in-waiting enter the space

Transparency

At the beginning of the year, we made a decision to put some stakes in the ground, educate the market about how to run a proper bug bounty program, what’s involved and what the metrics of success are.

What have we done towards that goal?

  • We drew a line in the sand when it comes to the question "What's a bug worth?" setting the first ever market rate of bugs based on priority and a companies' security maturity with our Defensive Vulnerability Pricing Model.
  • In that same vein, we also shared our internally developed Vulnerability Rating Taxonomy to show the technical impact and priority of specific bug types and classes.
  • We released our 2nd annual State of Bug Bounty report, based on data and trends from companies running bug bounty programs and researchers participating in them.

Education

For this economy to be successful, it’s our job to educate the market and align expectations between two groups of people that historically don’t get along. The increased adoption and accessibility of bug bounty programs, especially among enterprise organizations, goes hand in hand with improved exposure and positive feedback. That having been said, misconceptions about bug bounty programs and the bug bounty model remain.

How have we educated the market?

  • With our Anatomy of a Bounty Brief, we promoted clear communication and expectation setting between hackers and companies by showing the influence of bounty briefs as informal contracts and setting practical steps and guidelines.
  • Our recent guide, the 7 Myths of Bug Bounties addresses some of the top misconceptions individuals have about bug bounty programs and the model itself, including riskiness, costliness, and difficulty.
  • This year we also released our first ever report on the bug hunting community. Learn more about the community as a whole, as well as an inside look into what bug hunters are motivated by in Inside the Mind of a Hacker.
  • Many of the features we released and improved upon this year also help make communication easier between researchers and organizations, as well as articulate value and priorities of each party more clearly. Our Insights Dashboard gives program owners powerful insights into the health of their program; Program Updates keep researchers on the same page as program owners, and our File Attachment Update allows researchers to attach video files to explain better how a bug was found and more.

Quality

As one of a handful of players in an up-and-coming space that is rapidly maturing and gaining traction, we’ve been a key factor in the stabilization and maturation of the bug bounty economy. In 2016 we're beginning to see that stabilization, as well as a shift in perception–from novelty to conventional wisdom. This has occurred through growth and adoption, but also through proof of quality–quality of hackers, quality of results, quality of programs...

  • Our bug bounty solutions have supported this growth, along with our powerful enterprise features such as our crowd engine, triage engine, role-based access, integrations and reporting functionality.
  • Throughout this year we focused on cultivating more skills from within our community with various quarterly incentive programs (mobile, thick client). We've also participated various targeted seminars such as speaking alongside Facebook, Microsoft, Google and Mozilla at Nullcon for the first ever "Bounty Craft" Track, which focused on increasing quality reports coming out of the booming Indian hacker community
  • We also grew and supported our customers running programs. This year we saw unprecedented adoption more traditional industries such as Financial Services, Automotive, and much more. Even the Government entered the bug bounty sphere.
Congrats to the organizations that launched public programs this year! Here are some of our customers who launched public programs this year... 

2016-launches.jpg

With the help of our customers and our community, we have had a huge year of growth. We've almost doubled our team, as well as raised more money in our series B funding to continue connecting the world's innovative companies to the top cybersecurity talent in the world. Read more about our 2016 growth in our recent press release.

Thank you to everyone who has made this year so phenomenal. We're looking forward to what 2017 brings. 

 

Bugcrowd News
Payton O'Neal

Written by Payton O'Neal