[OWASP-Columbia] Bug bounties and crowdsourcing

William Scalf wscalf at gmail.com
Mon Mar 7 19:23:52 UTC 2016


Not sure if this is the right place for this, but it seems as apt as any,
so here goes:

The company I work for is very small, and the security team is
basically..me..and we're looking for a way to get more penetration testing
in than I have time for. We've been looking at various automated tools for
dynamic application scanning, but we keep running into a set of problems
with them:
* They have difficulty crawling our AJAX-heavy websites
* They have difficulty understanding multi-step processes
* They cannot identify business logic errors/missing access control measures

With that in mind, we're considering some other options, like a bug bounty
program. There are a number of crowdsourcing websites (like hackerone.com
and bugcrowd.com) that have ready-made infrastructure for this purpose and
handle a lot of the legwork for you. ..And, of course, the most exciting
part is that you (theoretically) are only paying for confirmed flaws and
not for all of the effort that gets thrown at finding them. On the surface,
this *seems* like a good fit for us, but it's a relatively new thing and we
have no experience with it.

..We also have a bit of a rub in that our web software isn't fundamentally
public - it's mostly installed on-premises, and within the organization
there's some concern over giving blanket access to potential competitors
who could gain insights into what our product does and how it looks by
participating in the bug bounty program. I think we can work around that,
but it is a concern.

So- do any of you folks have experience with a similar sort of program? Is
there a particular platform you'd recommend? And are there any particular
gotchas we should look out for as we explore our options?

(Also- is there some obvious way to get some cost-effective penetration
testing that we're just overlooking?)

Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-columbia/attachments/20160307/2d91aa42/attachment.html>


More information about the OWASP-Columbia mailing list