Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Bugcrowd Launches New Security Testing Program

Crowdsourced security testing company Bugcrowd launched a new program on Wednesday designed for organizations looking to run customized bug bounties.

Crowdsourced security testing company Bugcrowd launched a new program on Wednesday designed for organizations looking to run customized bug bounties.

According to Bugcrowd, the Flex Bounty enables organizations to work within their own budget and timeframe for low-risk and low-cost programs powered by a network of more than 9,500 security researchers.  

Companies can use the base of researchers or rely on Bugcrowd’s reputation system to select experts for a private program. On average, engagements run for two weeks, time in which Bugcrowd validates reports submitted by researchers. At the end of the period, the customer is provided a full report on the valid findings.

“The Flex Bounty program was developed to address a need for companies who want to integrate bug bounty programs into their existing security testing process or try bug bounty programs on a trial basis,” noted Casey Ellis, CEO and co-founder of Bugcrowd.

“With the Flex program, companies can engage in timed, scalable bug bounty programs with a select group of Bugcrowd’s top researchers. This allows companies to maximize their security ROI by fixing vulnerability costs while still leveraging the largest pool of security testers in the world to find security vulnerabilities before the bad guys do,” Ellis added.

Bugcrowd also published a report that analyzes best practices and the economics of the 60 Flex Bounty programs conducted so far. The 2014 Flex Bounty Program Efficiency Report revealed that cross-site scripting (XSS) vulnerabilities have been the most common, accounting for 32% of all submissions.

Advertisement. Scroll to continue reading.

Based on the number of submitted vulnerability reports  ̶  193 on average of which 45 valid and in-scope  ̶ , Bugcrowd has determined that researchers spent an average of 163 man-hours on each program. The Flex Bounty program has several advantages compared to traditional penetration testing, including high coverage, a low level of effort for the customer, and medium costs per vulnerability, Bugcrowd said.          

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.