Bugcrowd Blog

Why a DIY Bug Bounty is a Bad Idea

Posted by Ryan Black on Jun 8, 2017 1:05:10 PM

Managing vulnerability reports can be painfully time-consuming. Few organizations have the time or resources to triage and validate incoming findings from outside researchers. We recognized the need to ease this pain in 2012 and since then have provided our customers with full-scale bug bounty support and services, which include expert technical review and escalation of valid vulnerability submissions. In addition, our teams facilitate the researcher communications that are crucial for detailed reports, deeper context, and high engagement.

Who we are

Our globally distributed team of Application Security Engineers (ASEs) has broad industry knowledge honed through past experience at both large and boutique consulting firms. Some are former whitehat hackers, several of them from our own platform, and they understand the researcher community first-hand. We believe a strong security background coupled with real-world SDLC and enterprise security experience makes for a well-rounded team of experts. Managed bug bounties, and how to ensure your success with them, are not new to us. This same seasoned team also leads community efforts like Bugcrowd’s open source Vulnerability Rating Taxonomy (VRT).

How we work

In addition to the Researcher Community, our ASEs interface with the customer’s internal stakeholders to gain direct insight into and a deep understanding of the customer’s technology stack, the teams with a stake in the program, and its security posture. We believe it’s vital to “speak to our audience,” and we have found success with varying degrees of customer analyst collaboration in the facilitation and technical review of submissions. This interaction is fine-tuned to each customer’s needs: while we encourage direct collaboration with researchers, we also support a more intermediated approach, both for technical review and for rewards. From the moment we bring you on board, our team is here to help you every step of the way.

Why this is important

Given the severe shortage of skilled people in the cybersecurity space, a managed crowdsourced application security testing approach is an efficient and affordable way to get coverage. Bug bounty programs are trending upward, and adoption of these programs continues to grow at a rapid pace.

In the past year alone we’ve seen a 67% increase in vulnerability submissions and a 77% increase in bug bounty programs on our platform. Every program on Bugcrowd is managed, and with this rate of growth our ASE team has handled a 224% increase in collaborative interactions. Despite the increase in submissions and programs, our team has reduced first-touch response time by 21% and time to validate vulnerabilities by 11%.


We believe clear, prompt communication and well-defined program expectations are critical to fostering and maintaining positive researcher engagement. Our key performance indicators for bounty operations track first-touch response, follow-up, and sampled quality of communication. Our in-house team facilitates hundreds of managed bug bounties with tens of thousands of vulnerability reports, escalating high-priority issues within hours and averaging triage within a business day. As close partners for your team, our Operations and Support teams add value well beyond technical review, including curation and management of the researcher community around your bounty.

See how our team's depth and breadth of experience paired with our enterprise-class platform Crowdcontrol™ can augment your security program.


Written by Ryan Black, Director of Technical Operations at Bugcrowd.