At Bugcrowd, we’ve long said that
managed bug bounty programs allow organizations of any size or stage
of security maturity to realize the benefits of a bug bounty
program. This is why we’ve provided managed programs from day one
and why I’m especially excited by today’s news. Today we are
recruiting for a Secret
customer program with a top
reward of $250K.
High rewards like this
one are a fairly new phenomenon for the industry, traditionally
reserved for tech giants. But we are beginning to see a shift. Just
a few months ago
1Password upped their
top reward to $100K.
Today’s announcement is yet another indicator that organizations are
seeing the value in identifying vulnerabilities early -- before
adversaries can take advantage of them.
However, high rewards aren’t a silver
bullet -- running a successful bug bounty program requires care,
feeding, and constant adjustment. Without an experienced team to
guide the adjustment of payout ranges, the building of program
scopes, and the engagement of researchers, self-run programs risk
stalling out and losing researcher participation and confidence.
What is a
Private programs are
open to a select, vetted group of researchers while public ones are
open to the full breadth of the 60k+ crowd. This top secret program
is a hybrid approach. It allows the organization to recruit more top
talent -- security experts that specialize in the company’s unique
attack surface -- in a more controlled way. This means that while
not just anyone can “hack on” the program, anyone can apply.
Researchers with experience in virtualization (VM breakout,
cross-instance manipulation, exploitation of host components),
kernel and device driver security, firmware, and advanced
application security are invited to apply. Note that all
participants will be required to undergo a background check and
sign an NDA prior to participating.
Participating researchers will be invited to submit a report on
their efforts: what was attempted, ideas for potential compromise,
and any other relevant information (regardless of whether or not
they achieved the stated objectives). The top five reports at the
end of the program that demonstrate effort and expertise will be
awarded $10,000 as compensation for the work done.
This is an exciting day
for Bugcrowd, launching the largest advertised bounty on a
third-party platform; for the industry, which continues to grow at
a rapid pace; and for the community, brimming with talent and
thriving as it identifies more and bigger bugs for a growing and
diversifying set of organizations.