At Bugcrowd, we have more first-time Program Owners than ever trying out crowdsourced security economics through our Vulnerability Disclosure Programs and hundreds who have transitioned to on-demand and ongoing Bug Bounty Programs.
We regularly ask Researchers and Program Owners for feedback on these programs; this feedback shapes our recommendations for what a bug is worth and the Vulnerability Rating Taxonomy and is integrated directly into our program models.
As a Researcher, we want to ensure you can make informed decisions about which programs best suit your preferences. It is important to note that all original, non-duplicate submissions are rewarded (whether with cash or kudos only) based on their criticality, or “priority.”
Bugcrowd supports two program models: Vulnerability Disclosure Programs and Bug Bounty Programs.
A Vulnerability Disclosure Program may take one of three formats:
What is the impact to your Researcher experience?
From this point, the internal review process is the same as other Bugcrowd managed programs: the internal Security Operations team handles the program’s triage and facilitates any necessary communication between the Researcher and Program Owners about the submission.
Important reward details for the Vulnerability Disclosure model:
Bug Bounty Programs vary based on a customer’s business requirements. Some are run as an on-demand, time-boxed vulnerability testing model. Others are run as an ongoing vulnerability testing model, allowing researchers to test and submit vulnerability reports at any time.
A typical on-demand Bug Bounty Program runs for up to two weeks with a predetermined reward pool. Bugcrowd handles the program’s triage and facilitates any necessary communication between the Researcher and Program Owners about the findings.
What is the impact to you as a Researcher?
With an on-demand Bug Bounty Program, the exact amounts paid for vulnerabilities fall within a minimum and maximum range (as outlined below) and depend on the overall volume and severity of vulnerabilities found by participating Researchers.
Important reward details for an on-demand Bug Bounty Program:
This model ensures that once an on-demand Bug Bounty Program ends and the submissions are reviewed by the Program Owner, you are paid out ASAP (payday is always Wednesday!).
An ongoing Bug Bounty Program typically does not have a specified end date and the reward pool is refilled at regular intervals. Bugcrowd handles the program’s triage and facilitates any necessary communication between the Researcher and Program Owners about the findings.
Important reward details for an ongoing Bug Bounty Program:
Rewards will be assigned at any time after a submission has been accepted and moved to the Unresolved state. Review the bounty brief as many organizations will specify when rewards are assigned; some may not assign a reward until the issue is fixed and moved to a Resolved state.
This blog was brought to you by our partner, Bugcrowd. From the outback to the valley, Bugcrowd is paving the way for crowdsourced security. They are a valued sponsor of our annual Camp Secure Sense 2018 and will be presenting on Day 1 at 11:40 am.
Head on over to the registration page to discover other thought leadership presentations exclusive to Camp Secure Sense here.
With only 21 days until Camp, 8 more days to register and a few spots open for InfoSec leaders, we encourage you to save your spot ASAP.