Bugcrowd, the innovator in crowdsourced security testing, has announced the public availability of the company’s Flex Bounty security testing program, allowing any company to leverage Bugcrowd’s worldwide network of over 9,500 security researchers for customized bug bounty programs.

“Flex bounties are the best way for organizations to dip their toes into the bug bounty pool, and they allow organizations to take advantage of crowdsourcing with a fixed budget and a fixed timeline,” said Jonathan Cran, VP of Services at Bugcrowd.
“Researchers love Flex bounties because they know there are going to be payouts. No more wondering if / when they’ll get paid. If you’ve ever run a penetration test, you’re familiar with a Flex bounty. The primary difference is that there’s a whole lot more researchers participating.”

This new approach to bug bounty programs, pioneered by Bugcrowd over the last year in conjunction with forward-thinking technology, e-commerce and financial services companies, has shown significant gains in cost savings and security results over traditional security testing programs. The Flex Bounty program adds to the responsible disclosure, managed bug bounty and hosted bug bounty programs already offered by the company.

“The Flex Bounty program was developed to address a need for companies who want to integrate bug bounty programs into their existing security testing process or try bug bounty programs on a trial basis,” said Casey Ellis, CEO and co-founder of Bugcrowd.

“With the Flex program, companies can engage in timed, scalable bug bounty programs with a selected group of Bugcrowd’s top researchers. This allows companies to maximize their security ROI by fixing vulnerability costs while still leveraging the largest pool of security testers in the world to find security vulnerabilities before the bad guys do.”

Bugcrowd also announced today the release of a new report on bug bounty best practices, sharing lessons learned from the 60 Flex Bounty programs the company has conducted to date. The 2014 Flex Bounty Program Efficiency Report is an industry-first look at the economics and best practices of timed bug bounty programs and provides a first look into the world of paid bug bounties for mobile and web applications.

Topics covered in the report include best practices for researcher compensation, average results for valid versus invalid vulnerability submissions, and the types of submissions most commonly uncovered by security testers.

Highlights from the report include:

  • Research shows that a bug bounty incentive structure which rewards testers based on the severity of the problem detected or the creativity of the tactics employed yields the best results for customers.
  • Compared to traditional penetration testing, Flex Bounty programs can start instantly, engage more researchers per test, identify vulnerabilities more quickly and cost significantly less.
  • Cross-site scripting vulnerabilities were the most common (32 percent) of all vulnerabilities reported.
  • On average, each Flex Bounty program yielded 193 total vulnerability report submissions, including 45 valid and in-scope vulnerability report submissions.
  • It is estimated that the crowd devoted an average of 163 man-hours to each Flex Bounty program, based on the number of vulnerability reports submitted.
  • The report details the first-ever model to ensure that researchers are compensated for all valid vulnerability report submissions, while still fixing the overall cost of each Flex Bounty program.