4 REASONS TO CROWDSOURCE YOUR PENETRATION TEST
The premier platform for crowdsourced cybersecurity.
casey@bugcrowd.com
jcran@bugcrowd.com
All content (c) Bugcrowd Inc, 2014 - All rights reserved.
The Problem
Security is not a fair fight.
How do you level your playing field?
HACKED
About your presenters
@caseyjohnellis
Founder and CEO, Bugcrowd
Recovering pentester turned solution architect turned sales guy turned entrepreneur
@jcran
VP Delivery, Bugcrowd
Bugcrowd researcher turned operations lead
Formerly @Rapid7, @Metasploit, @PwnieExpress
CONFIDENTIAL. DO NOT DISTRIBUTE.
Bugcrowd Products
Crowdsourced security to fit your needs
• Responsible Disclosure: free
• Flex Bounty: capped cost, ad-hoc or continuous, elite-tier researchers
• Bug Bounty: continuous testing, monthly fee + transaction fee
What is Flex?
• A bug bounty run in the format of a penetration test
• Typically a 2-week, fixed-cost, fixed-timeline project
• Private (vetted researchers) or open
• Bugcrowd does the vulnerability analysis (verification of submissions)
• Deliverable:
  • Report with overview and verified vulnerabilities
  • Access to the platform and the researchers
Use cases
• A more effective web, mobile and/or IoT penetration test
• Lots of effort in a short timeframe: ideal for short testing windows
• Rapid deployment testing: new products or features, supplier due diligence, acquisitions, etc.
• Precursor to a public bug bounty program (i.e., what is my *real* security posture?)
How does it work?
• Program Setup
• Program Kickoff and Invitations
• Program Runs [2 weeks on average]
• Analysis [96 hours on average]
• Report Delivery and Access
4 Reasons to Crowdsource Your Penetration Test
• Pay for results, not effort
• Engage diverse skill-sets
• A reward model that encourages depth and breadth
• Higher total effort
Pay for results, not effort
• 193: average number of submissions per program
• 45: average number of valid submissions
• $256: average cost per bug (how much does it cost you now?)
• 3.88: average priority, on a scale from 1 (showstopper) to 5 (won't fix)
Engage diverse skill-sets
• Vast array of specialties: web application, network, mobile, hardware
• Testing styles and patterns vary wildly
• Have questions? Engage the researchers at the end of the program
A reward model that encourages depth and breadth
• Top 3 issues get a significant percentage of the reward pool
• All "unplaced" submissions get the remainder
• The sliding scale varies with the difficulty of the application and prior testing results
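The three bullets above are all the deck says about how a Flex pool is split. The following worked example is added here and is not Bugcrowd's code; it turns that description into a small allocation routine so the mechanics (placed vs. unplaced issues, the remainder split, and a total that never exceeds the capped pool) are explicit. The 60% top share, the 50/30/20 weighting between the top three, the tie-break rule and the sample submissions are all assumptions for illustration; the deck gives no figures for its sliding scale.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Submission:
    sub_id: str
    researcher: str
    priority: int   # the deck's scale: 1 = showstopper ... 5 = won't fix
    valid: bool     # True once analysis has verified the finding


def rank_valid(subs: Sequence[Submission]) -> List[Submission]:
    """Verified submissions ordered by severity (P1 first).

    Ties are broken by submission id, used here as a stand-in for
    "earlier report wins" (an assumption, not a documented Bugcrowd rule).
    """
    return sorted((s for s in subs if s.valid), key=lambda s: (s.priority, s.sub_id))


def allocate_pool(pool_cents: int, subs: Sequence[Submission],
                  top_share_pct: int = 60,
                  top_weights: Sequence[int] = (50, 30, 20)) -> Dict[str, int]:
    """Split a fixed reward pool (integer cents) the way the slide describes.

    The top len(top_weights) valid issues ("placed") share top_share_pct of the
    pool, weighted by top_weights; every other valid submission ("unplaced")
    gets an equal slice of the remainder; invalid submissions get nothing.
    The 60% share and the 50/30/20 split are illustrative defaults, not figures
    from the deck. Integer arithmetic avoids floating-point drift, and any
    rounding dust is added to the #1 issue so the payouts always sum to exactly
    the pool, which is what "capped cost" means in practice.
    """
    payout = {s.sub_id: 0 for s in subs}
    ranked = rank_valid(subs)
    if not ranked:
        return payout                     # no verified findings: nothing is paid out

    placed = ranked[:len(top_weights)]
    unplaced = ranked[len(top_weights):]

    # With nobody unplaced there is no remainder to share: placed issues take it all.
    top_pool = pool_cents * top_share_pct // 100 if unplaced else pool_cents
    weights = list(top_weights[:len(placed)])
    for s, w in zip(placed, weights):
        payout[s.sub_id] = top_pool * w // sum(weights)

    if unplaced:
        each = (pool_cents - top_pool) // len(unplaced)
        for s in unplaced:
            payout[s.sub_id] = each

    # Rounding dust goes to the top issue so the total equals the pool exactly.
    payout[placed[0].sub_id] += pool_cents - sum(payout.values())
    return payout


def payout_by_researcher(subs: Sequence[Submission], payout: Dict[str, int]) -> Dict[str, int]:
    """Roll per-submission payouts up to per-researcher totals."""
    totals: Dict[str, int] = {}
    for s in subs:
        totals[s.researcher] = totals.get(s.researcher, 0) + payout[s.sub_id]
    return totals


# Constructed sample program: six submissions, five verified, one rejected.
SAMPLE = [
    Submission("S1", "alice", 1, True),
    Submission("S2", "bob", 2, True),
    Submission("S3", "carol", 2, True),
    Submission("S4", "dave", 4, True),
    Submission("S5", "alice", 3, True),
    Submission("S6", "erin", 2, False),
]

if __name__ == "__main__":
    result = allocate_pool(1_000_000, SAMPLE)   # a $10,000 pool, in cents
    for sub_id, cents in result.items():
        print(f"{sub_id}: ${cents / 100:,.2f}")
    print(payout_by_researcher(SAMPLE, result))
```

Two edge cases are worth checking against your own program terms: when fewer than three findings are verified, the routine hands the whole pool to the placed issues rather than leaving an unpaid remainder, and when every submission is rejected it pays nothing at all. Whether either outcome is acceptable is a contractual question, so whatever rule you agree with the vendor should be encoded as deliberately as the headline percentages.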
Higher total effort
• Up to 80 hours of effort in the first 8 hours (researchers test in parallel)
• At least 160 man-hours per bounty
• Activity depends on incentives
Summary
• Cost effective, quick, high quality results
• Capped cost and capped timeline
• Great way to prepare for an ongoing bounty program
• Flex model incentivizes both breadth and depth
Questions?
https://bugcrowd.com
sales@bugcrowd.com
@caseyjohnellis
@jcran
