[OWASP-Columbia] Bug bounties and crowdsourcing

Timothy De Block timothy.deblock at owasp.org
Tue Mar 8 02:23:46 UTC 2016

Sorry for the spam. Interneting is hard....

On Mon, Mar 7, 2016 at 3:43 PM, Frank Catucci <frank.catucci at owasp.org> wrote:

> My 2 cents.
> Bug bounties, personally, I am usually a big fan. Bang for the buck for
> both parties/sides. Disclaimer 1: I make a few bucks on the side. One thing
> I can say with platforms such as HackerOne and BugCrowd, is that the scope
> is defined by you, but really must be accessible. As you mentioned, this
> may be difficult in your case and I am not really familiar with a way to
> get around this or work a program with that kind of scope. Perhaps you
> could give a trial access somehow to researchers? If you had software
> versions publicly accessible for download or access, I think you would have
> much better results.
> Another thing to be aware of is the time and resources dedicated to such a
> program. If you have a company manage and triage your bugs it costs some $
> for sure. If you want to manage and triage your own, then you are looking
> at a lot of potential false positives and time. Either way you need to have
> resources available to fix what is found in a timely manner. I have had
> good luck personally with BugCrowd, but Disclaimer 2: I have a few
> friends that work there. It may be worth a phone call to discuss with them
> and see what their opinion is. Let me know if you need any contact info.
> As for "good" cost effective appsec pentesting, that may be tricky but I
> have worked with a few freelancers that were pretty good and not as
> expensive as big firms. Availability is sometimes tough, but if you are
> flexible and want some recommendations, just let me know.
> Hope this helps.
> Regards,
> Frank
> On Mon, Mar 7, 2016 at 2:23 PM, William Scalf <wscalf at gmail.com> wrote:
>> Not sure if this is the right place for this, but it seems as apt as any,
>> so here goes:
>> The company I work for is very small, and the security team is
>> basically me, and we're looking for a way to get more penetration testing
>> in than I have time for. We've been looking at various automated tools for
>> dynamic application scanning, but we keep running into a set of problems
>> with them:
>> * They have difficulty crawling our AJAX-heavy websites
>> * They have difficulty understanding multi-step processes
>> * They cannot identify business logic errors/missing access control
>> measures
>> With that in mind, we're considering some other options, like a bug
>> bounty program. There are a number of crowdsourcing websites (like
>> hackerone.com and bugcrowd.com) that have ready-made infrastructure for
>> this purpose and handle a lot of the legwork for you. And, of course, the
>> most exciting part is that you (theoretically) are only paying for
>> confirmed flaws and not for all of the effort that gets thrown at finding
>> them. On the surface, this *seems* like a good fit for us, but it's a
>> relatively new thing and we have no experience with it.
>> We also have a bit of a rub in that our web software isn't
>> fundamentally public - it's mostly installed on-premises, and within the
>> organization there's some concern over giving blanket access to potential
>> competitors who could gain insights into what our product does and how it
>> looks by participating in the bug bounty program. I think we can work
>> around that, but it is a concern.
>> So, do any of you folks have experience with a similar sort of program?
>> Is there a particular platform you'd recommend? And are there any
>> particular gotchas we should look out for as we explore our options?
>> (Also, is there some obvious way to get some cost-effective penetration
>> testing that we're just overlooking?)
>> Thanks!
>> _______________________________________________
>> OWASP-Columbia mailing list
>> OWASP-Columbia at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-columbia