Crowdsourced security testing company Bugcrowd launched a new program on Wednesday designed for organizations looking to run customized bug bounties.
According to Bugcrowd, the Flex Bounty enables organizations to work within their own budget and timeframe for low-risk and low-cost programs powered by a network of more than 9,500 security researchers.
Companies can use the base of researchers or rely on Bugcrowd’s reputation system to select experts for a private program. On average, engagements run for two weeks, time in which Bugcrowd validates reports submitted by researchers. At the end of the period, the customer is provided a full report on the valid findings.
“The Flex Bounty program was developed to address a need for companies who want to integrate bug bounty programs into their existing security testing process or try bug bounty programs on a trial basis,” noted Casey Ellis, CEO and co-founder of Bugcrowd.
“With the Flex program, companies can engage in timed, scalable bug bounty programs with a select group of Bugcrowd’s top researchers. This allows companies to maximize their security ROI by fixing vulnerability costs while still leveraging the largest pool of security testers in the world to find security vulnerabilities before the bad guys do,” Ellis added.
Bugcrowd also published a report that analyzes best practices and the economics of the 60 Flex Bounty programs conducted so far. The 2014 Flex Bounty Program Efficiency Report revealed that cross-site scripting (XSS) vulnerabilities have been the most common, accounting for 32% of all submissions.
Based on the number of submitted vulnerability reports ̶ 193 on average of which 45 valid and in-scope ̶ , Bugcrowd has determined that researchers spent an average of 163 man-hours on each program. The Flex Bounty program has several advantages compared to traditional penetration testing, including high coverage, a low level of effort for the customer, and medium costs per vulnerability, Bugcrowd said.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
