This is the second part of a four-part miniseries of articles on Bug Bounty Programs. Previously we talked about what BBPs are, which companies run such programs and how they can help your company. You can read the first part HERE.
Today we’ll continue with:
Bug Bounty Program as a Service
As far as I know, the companies that provide “BBP as a Service” are HatForce, BugWolf, BugCrowd, CrowdSecurify and CrowdSec. If you know of others, just tell me and I will complete the list.
HatForce
If you’re a company that wants a security test/assessment of your infrastructure, web application etc., they are willing to help with that and more: they’ll also provide the security crowd specialists for your BBP.
They claim that they will pay 100 Euros to the company if they can’t find any vulnerabilities. Of course they will find at least one informational finding, since security will never be perfect.
They don’t say anything about their so-called “security crowd” – how many infosec specialists they have and so on. However, the good thing is that if someone wants to become a bug hunter, they will test their security skills, to make sure that they have skilled people to test your server/framework.
What is not clear is that they don’t have a price list/range and also don’t have a “How it Works” page. You won’t find out unless you start to negotiate. A friend of mine sent an email asking for details, and it’s clear that in case you want to check your web/server security using the security crowd, you have to point them to the site/URL that should be tested, and after that they’ll get back to you with a personalized offer.
BugWolf
It is somewhat new. They are a start-up, like most companies in this niche.
If you want to become a bug hunter, you have to complete a form where you must agree with their “Terms and Conditions”, except that there is no “Terms and Conditions” page at the time of writing this article (February 1st 2013).
Unlike HatForce (remember that security skills testing?), they don’t say anything about how they recruit their security professionals.
If you’re a company that wants to have its system/framework tested, well then start sending emails to find out the workflow. They promise to help you with planning, launching and hosting your BBP.
They don’t mention if it’ll be blackbox testing or white/grey-box testing. Since they mention the technology used in the tested application, I suppose it will be a white/grey-box test.
CrowdSecurify
Like BugWolf, it looks like they are fresh in the Bug Bounty Program as a Service niche. On the landing page there is little information and only a registration form if you want to “…learn more”. The site has no details whatsoever regarding how things work. However, they do have a blog, but you have to find the URL for it (as of February 2nd 2013; yes, this article took me days to search, research and write), where in a few words they try to explain how they will solve such a sensitive problem as security assessment.
At this time there’s nothing crystal clear about how things go for security professionals and companies that want to improve their online security. It remains to be seen in future updates. If you can’t find their blog, you can access it HERE.
CrowdSec
Like CrowdSecurify, they are new in this BBP branch. Not much to say about them. If you want to register, you’ll get a 404 Error.
Last but not least, BugCrowd looks the most active lately in this BBP niche. They are also a start-up, and that is no surprise because Bug Bounty Program as a Service indeed looks like a new business.
According to their blog, things are as follows:
To get their security professionals, they ran a campaign called “Need more ninjas” with prizes: refer a security guy and you “can” win a $250 prepaid VISA card. No security skills tested for the crowd whatsoever. All you have to do is complete an application form HERE telling them whatever you want, and they’ll approve it or not. They got (according to their blog) over 1200 bug hunters.
Reading their blog, as far as I can tell, if you are a company that wants to have its security tested, you have to expose your production server for a limited period of time or you have to prepare your own bug bounty arena. At least that is what I can tell reading THIS article from their blog. If you test through them, it’s clear that you won’t get a blackbox test whatsoever, as long as you have to disclose a lot of information about your setup (e.g. “Let us know if you have any Web Application Firewall, Intrusion Prevention Systems or Content Delivery Systems protecting the system under test.”).
Moreover, so far they have disclosed the technologies used on every Bug Bounty Program they’ve run until now. You can read HERE, HERE and HERE. So remember and keep in mind that there will not be any blackbox testing. Not to mention that they run bounty programs as assessments and not as penetration tests, according to their blog.
Bug Bounty Program as a Service pros:
- As a security professional you’ll get the same advantages as in any BBP: a full home run: money, personal branding and continuous training of your skills.
- For companies this would be the best place to find a crowd of security professionals and use their knowledge to improve your online system/web application security.
Bug Bounty Program as a Service cons:
- Running BBPs for a short period of time doesn’t leave too much room for a good security assessment to find flaws and/or vulnerabilities.
- “Attacking” the same target at once with thousands of InfoSec specialists leads to a broken framework/server, unless there is a copy image of that framework/server for every InfoSec specialist.
- No full transparency. For example, it is very likely that the company that manages such a program will negotiate a price for managing it, let’s say $10,000, and will announce a $5,000 total BBP for participants.
Risks for companies:
- The way “BBP as a Service” is run at this moment represents a huge risk for companies that want to use such services, by exposing their identity to such a large security crowd, even if there would be (but usually there is not) a signed NDA. We don’t talk about a few dozen, we talk about over a thousand. Among those good, worldwide recognized security specialists, there is always a risk of getting a few ill-intentioned people.
- One thing is to reveal a configuration covered by anonymity (e.g. the entire framework/infrastructure replaced with dummy data: fake data + fake pics, fake logo etc.) and a whole other thing is to reveal the identity of the company for which that specific BBP is running.
Advice for companies:
- In case you want to run a BBP through a “BBP as a Service” provider, make sure that the BBP provider won’t expose your real company name/identity to the crowd. After all, InfoSec specialists are concerned with your infrastructure weaknesses and vulnerabilities rather than who’s behind them.
- Try to find out how BBP as a Service providers recruit their bug hunters.
Conclusion on “Bug Bounty Program as a Service”:
Good idea, bad implementation. The way “BBPs as a Service” run now represents a big risk, as long as BBP providers expose the client’s real identity. Another big risk comes from those BBP as a Service providers that don’t test their crowdsourced security talent.
Please remember that “Nothing is certain in life except death and taxes.” And security is neither of them.
Next time we’ll talk about “Bug Bounty Program as a Platform”.
Stay secure while having fun.