Case Study: Aruba's Private Bug Bounty Program

Posted by Payton O'Neal on Dec 1, 2016 8:01:00 AM
After over two years of running an outstanding bug bounty program with Bugcrowd, we’d like to give some recognition to one of our longest-standing and most committed customers, Aruba Networks.

Since 2014, Aruba has successfully leveraged Bugcrowd’s most skilled and trusted researchers through a private bug bounty program for their web applications and hardware devices. Download the Aruba Case Study to learn more about their success.

 

Why a bug bounty program for Aruba?

As Aruba scaled their operations, they knew that product and application security needed to be prioritized. They brought on an all-star security team, carried out multiple expensive third-party testing engagements and even hired some independent security researchers to freelance. Even so, they needed more eyes looking at their attack surface and turned to Bugcrowd to augment their existing efforts.

[Image: Aruba bug bounty results]

Bugcrowd worked closely with Aruba’s security team to define the testing requirements and scope of their needs. After evaluating their current testing capabilities and organizational goals, Aruba decided to harness the power of the bug bounty model through a more focused private bug bounty program. In case you’re not familiar with private programs, they are useful for organizations looking to leverage the crowdsourced model while restricting or focusing testing on specific areas. Only researchers who have proven their skill and trustworthiness can participate in private programs, and testers are invited based on skill sets and testing requirements.
 

Program results

With a private program, Aruba was able to tailor their testing pool based on specific skill sets, have more direct communication with a smaller group of testers, and harness the power of a public bug bounty program while retaining more control. After over two years of utilizing the crowd to test their products and applications, Aruba has positioned themselves as thought leaders in application security, and they continue to gain traction in their program.

Below, you can see a timeline of their program, from their launch in 2014 to today.

[Image: Aruba program timeline]

As you can see, in addition to running a private ongoing program, Aruba also ran a private On-Demand Program to focus testing on a particular area. Much like private ongoing programs, these programs utilize an invitation-only crowd of researchers for a pre-determined amount of time, usually two weeks. They are the perfect solution for testing new products, major releases, new features, or anything in need of a quick test for up to two weeks.

The value of Aruba’s program truly does lie within the results. Through their program, they have seen high-quality findings from their researchers; you can read their security advisories here.
 
 

Learnings

Aruba was one of the first organizations to utilize a private bug bounty program to test hardware, and they have been recognized by the security research community for their commitment and innovation. In a recent article by CSO, one of their researchers, Duarte Silva, explains why he enjoys working with Aruba so much. Download the case study to get more insight from the other side, the researcher community. Because of its consistency and this kind of support from the community, the Aruba program has retained astounding traction over two years and has received over 500 submissions from researchers around the world.

Aruba’s continued success is a great model for others looking to implement a bug bounty program to garner high-volume, high-value findings. Their team is a pleasure to work with and their commitment to product security is inspiring.
 
Read the Case Study