[OWASP-Columbia] Bug bounties and crowdsourcing

Frank Catucci frank.catucci at owasp.org
Mon Mar 7 20:43:42 UTC 2016

My 2 cents.

Bug Bounties, personally, I am usually a big fan. Bang for the buck for
both parties/sides. Disclaimer1: I make a few bucks on the side. One thing
I can say with platforms such as HackerOne and BugCrowd, is that the scope
is defined by you, but really must be accessible. As you mentioned, this
may be difficult in your case and I am not really familiar with a way to
get around this or work a program with that kind of scope. Perhaps you
could give a trial access somehow to researchers? If you had software
versions publicly accessible for download or access, I think you would have
much better results.

Another thing to be aware of is the time and resources dedicated to such a
program. If you have a company manage and triage your bugs it costs some $
for sure. If you want to manage and triage your own, then you are looking
at a lot of potential false positives and time. Either way you need to have
resources available to fix what is found in a timely manner. I have had
good luck personally with BugCrowd but Disclaimer2: is that I have a few
friends that work there. It may be worth a phone call to discuss with them
and see what their opinion is. Let me know if you need any contact info.

As for "good" cost effective appsec pentesting, that may be tricky but I
have worked with a few freelancers that were pretty good and not as
expensive as big firms. Availability is sometimes tough, but if you are
flexible and want some recommendations, just let me know.

Hope this helps.



On Mon, Mar 7, 2016 at 2:23 PM, William Scalf <wscalf at gmail.com> wrote:

> Not sure if this is the right place for this, but it seems as apt as any,
> so here goes:
> The company I work for is very small, and the security team is
> basically..me..and we're looking for a way to get more penetration testing
> in than I have time for. We've been looking at various automated tools for
> dynamic application scanning, but we keep running into a set of problems
> with them:
> * They have difficulty crawling our AJAX-heavy websites
> * They have difficulty understanding multi-step processes
> * They cannot identify business logic errors/missing access control
> measures
> With that in mind, we're considering some other options, like a bug bounty
> program. There are a number of crowdsourcing websites (like hackerone.com
> and bugcrowd.com) that have ready-made infrastructure for this purpose
> and handle a lot of the legwork for you. ..And, of course, the most
> exciting part is that you (theoretically) are only paying for confirmed
> flaws and not for all of the effort that gets thrown at finding them. On
> the surface, this *seems* like a good fit for us, but it's a relatively
> new thing and we have no experience with it.
> ..We also have a bit of a rub in that our web software isn't fundamentally
> public - it's mostly installed on-premises, and within the organization
> there's some concern over giving blanket access to potential competitors
> who could gain insights into what our product does and how it looks by
> participating in the bug bounty program. I think we can work around that,
> but it is a concern.
> So- do any of you folks have experience with a similar sort of program? Is
> there a particular platform you'd recommend? And are there any particular
> gotchas we should look out for as we explore our options?
> (Also- is there some obvious way to get some cost-effective penetration
> testing that we're just overlooking?)
> Thanks!
> _______________________________________________
> OWASP-Columbia mailing list
> OWASP-Columbia at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-columbia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-columbia/attachments/20160307/1476cdd7/attachment.html>

More information about the OWASP-Columbia mailing list