Crowdsourced security testing company Bugcrowd launched a new program on Wednesday designed for organizations looking to run customized bug bounties.
According to Bugcrowd, the Flex Bounty enables organizations to work within their own budget and timeframe for low-risk and low-cost programs powered by a network of more than 9,500 security researchers.
Companies can use the base of researchers or rely on Bugcrowd's reputation system to select experts for a private program. On average, engagements run for two weeks, time in which Bugcrowd validates reports submitted by researchers. At the end of the period, the customer is provided a full report on the valid findings.
"The Flex Bounty program was developed to address a need for companies who want to integrate bug bounty programs into their existing security testing process or try bug bounty programs on a trial basis," noted Casey Ellis, CEO and co-founder of Bugcrowd.
"With the Flex program, companies can engage in timed, scalable bug bounty programs with a select group of Bugcrowd's top researchers. This allows companies to maximize their security ROI by fixing vulnerability costs while still leveraging the largest pool of security testers in the world to find security vulnerabilities before the bad guys do," Ellis added.
Bugcrowd also published a report that analyzes best practices and the economics of the 60 Flex Bounty programs conducted so far. The 2014 Flex Bounty Program Efficiency Report revealed that cross-site scripting (XSS) vulnerabilities have been the most common, accounting for 32% of all submissions.
Based on the number of submitted vulnerability reports ̶ 193 on average of which 45 valid and in-scope ̶ , Bugcrowd has determined that researchers spent an average of 163 man-hours on each program. The Flex Bounty program has several advantages compared to traditional penetration testing, including high coverage, a low level of effort for the customer, and medium costs per vulnerability, Bugcrowd said.