Crowdsourcing a penetration test through Bugcrowd's Flex model offers four main benefits: 1) You pay only for valid vulnerabilities found rather than researcher time spent; 2) Engaging many skilled researchers across different specialties increases the likelihood of finding issues; 3) The reward structure encourages in-depth testing by incentivizing top submissions; 4) This results in significantly more testing effort within similar timeframes as a traditional penetration test.
4 Reasons to Crowdsource Your Pen Test
1. 4 REASONS TO CROWDSOURCE YOUR PENETRATION TEST
The premier platform for crowdsourced cybersecurity.
casey@bugcrowd.com
jcran@bugcrowd.com
2. All content (c) Bugcrowd Inc, 2014 - All rights reserved.
The Problem
Security is not a fair fight.
How do you level your playing field?
3. About your presenters
@caseyjohnellis
Founder and CEO, Bugcrowd
Recovering pentester turned solution architect turned sales guy turned entrepreneur
@jcran
VP Delivery, Bugcrowd
Bugcrowd researcher turned operations lead
Formerly @Rapid7, @Metasploit, @PwnieExpress
4. CONFIDENTIAL. DO NOT DISTRIBUTE.
Bugcrowd Products
Crowdsourced security to fit your needs
• Responsible Disclosure: Free
• Flex Bounty: Capped cost; ad-hoc or continuous; elite tier researchers
• Bug Bounty: Continuous testing; monthly fee + transaction fee
5. What is Flex?
• A bug bounty in the format of a penetration test
• Typically a 2 week, fixed cost, fixed timeline project
• Private (vetted researchers) or open
• Bugcrowd does vulnerability analysis
• Deliverable:
• Report with overview and verified vulnerabilities
• Access to platform and researchers
6. Use cases
• A more effective web, mobile and/or IoT penetration test
• Lots of effort in a short timeframe
• Ideal for short testing windows
• Rapid deployment testing
• New products or features, supplier due diligence, acquisitions, etc.
• Precursor to a public bug bounty program (i.e. what is my *real* security posture?)
7. How does it work?
• Program Setup
• Program Kickoff and Invitations
• Program Runs [2 weeks on average]
• Analysis [96 hours on average]
• Report Delivery and Access
10. 4 Reasons to Crowdsource Your Penetration Test
• Pay for results not effort
• Engage diverse skill-sets
• A Reward model that encourages depth and breadth
• Higher total effort
11. Pay for results not effort
• 193 Average number of submissions per program
• 45 Average number of valid submissions
• $256 Average cost per bug (How much does it cost now?)
• Average Priority from 1 (showstopper) to 5 (won’t fix): 3.88
12. Engage diverse skill-sets
• Vast array of specialties
• Web Application, Network, Mobile, Hardware
• Testing styles and patterns vary wildly
• Have questions? Engage the researchers at the end of the program
13. A reward model that encourages depth and breadth
• Top 3 issues get a significant percentage of the reward pool
• All “unplaced” submissions get the remainder
• Sliding scale varies on the difficulty of the application and prior testing results
14. Higher total effort
• Up to 80 hours of effort in the first 8 hours
• At least 160 man-hours per bounty
• Activity depends on incentives
15. Summary
• Cost effective, quick, high quality results
• Capped cost and capped timeline
• Great way to prepare for an ongoing bounty program
• Flex model incentivizes both breadth and depth