
The premier platform for crowdsourced cybersecurity.

5 TIPS FOR A SUCCESSFUL BUG BOUNTY
casey@bugcrowd.com
jcran@bugcrowd.com

the problem

Without crowdsourcing, security is not a fair fight.

HACKED


All content (c) Bugcrowd Inc, 2014 - All rights reserved.

about your presenters

@caseyjohnellis
Founder and CEO, Bugcrowd
Recovering pentester turned solution architect turned sales guy turned entrepreneur.
Founder and CEO of Bugcrowd.

@jcran
VP Delivery, Bugcrowd
Bugcrowd bounty hunter turned Bugcrowd employee.
Former positions with @Rapid7, @Metasploit, @PwnieExpress.


Why aren't you running one already?

"I don't have the resources now, let alone to do this."
Crowdcontrol was built to maximize the efficiency of a bug bounty, and we have a triage team of 8 people.

"I can't cap my spend."
Bugcrowd Flex lets you run a point-in-time or ongoing bug bounty with a capped cost.

"I won't be able to pause or stop the program if I ever need to."
We can route researcher traffic through the Crowdcontrol Sandbox for total control.

"Payments to all those countries would be a nightmare."
It totally is. That's why we got good at it, so you don't have to.

"I won't be able to tell whether it's bounty traffic or an actual attack."
The Crowdcontrol Sandbox gives a single source IP, so you can.

"I won't know who these people are."
Bugcrowd's Elite tier has a proven track record on public bounties, and we vet researchers into that tier.
CONFIDENTIAL. DO NOT DISTRIBUTE.

bug bounties are awesome, but hard.


bugcrowd at Work
Crowdsourced security to fit your needs

Responsible Disclosure
  Free

Flex Bounty
  Capped cost
  Ad-hoc or continuous
  Elite tier researchers

Bug Bounty
  Continuous testing
  Monthly fee + transaction fee

DOES IT WORK?

                    Traditional penetration test    Bugcrowd Flex
Cost                $20,000                         $20,000
# of researchers                                    349
Manhours            80                              80 in the first 8 elapsed hours
Vulnerabilities                                     38
P1 issues                                           7

the one mistake everyone makes

People assume that 80% of the work will go into dealing with the new vulnerabilities they've found out about.

80% of the work goes into dealing with the people.

If you don't factor this into your planning, your program will fail.


5 Keys to a successful program

1. Prepare ahead of time
2. Align expectations
3. Communicate early and often
4. If you make a change, reward the submitter
5. Respect the researcher


Preparation

A bug bounty will affect your entire organization

Start with low rewards

Accidental bug bounties are the worst

Running out of budget on the program is no fun


Align expectations

A clear program brief is your first line of communication

Proactively communicate what you'd like to see

When processing submissions, you should be able to point to prior communication when rejecting or rewarding a submission

The only time you'll have issues is if an expectation goes unmet


Communicate early and often

This is the mistake everyone makes:

Bug bounties are all about managing the researcher relationship.

Let the researcher know what to expect. Stick to your word

In the absence of communication, suspicion is king

It's not hard, but it requires diligence


Make a change, reward the submitter

Touch the code, pay the bug

This has become a community norm

It's a binary yes / no

Even if it's out of scope


Respect the researcher

The researcher is taking a significant risk

Many are inexperienced, some are not

Treat everyone the same. Even the researchers that don't provide valuable submissions

Close the loop on all incoming submissions


Questions?

Want a demo?
Ping us!!!

@caseyjohnellis and @jcran


https://bugcrowd.com
casey@bugcrowd.com
jcran@bugcrowd.com
