Flex Bounty Program. Efficiency Report

Similar documents
Screw Being A Pentester - When I Grow Up I Want To Be A Bug Bounty Hunter

Combating a new generation of cybercriminal with in-depth security monitoring

8 Strategies for 2008

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

What Do You Mean My Cloud Data Isn t Secure?

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Cloud App Security. Tiberio Molino Sales Engineer

Cisco Advanced Malware Protection for Endpoints

Vulnerability Risk Management 2.0. Best Practices for Managing Risk in the New Digital War

Nine Network Considerations in the New HIPAA Landscape

Car Cybersecurity: What do the automakers really think? 2015 Survey of Automakers and Suppliers Conducted by Ponemon Institute

Application Security Testing Powered by HPE Fortify on Demand. Managed application security testing available on demand

WHITE PAPER. Managed Security. Five Reasons to Adopt a Managed Security Service

HI THIS IS URGENT PLZ FIX ASAP: Cri5cal Vulnerabili5es and Bug Bounty Programs

About the team of SUBASH SEO

USEFUL TERMS Crowdfunding getfunding.com.au Rewards Keep It All Campaigns All or Nothing Campaigns

MANAGED SECURITY SERVICES (MSS)

Advanced Persistent. From FUD to Facts. A Websense Brief By Patrick Murray, Senior Director of Product Management

MSP Relevance. MSP Relevance. the Era of Cloud Computing. the Era of Cloud Computing. Brought to You By: A Channel Company White White Paper Paper

Managing IT Security with Penetration Testing

Penetration Testing //Vulnerability Assessment //Remedy

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

case study Core Security Technologies Summary Introductory Overview ORGANIZATION: PROJECT NAME:

Cisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

MANAGED SECURITY SERVICES (MSS)

Anthony J. Keane, MSc, PhD and Jason Flood, MSc Information Security & Digital Forensics Research Group Institute of Technology Blanchardstown

Why a Network-based Security Solution is Better than Using Point Solutions Architectures

INTRODUCING isheriff CLOUD SECURITY

Content Security: Protect Your Network with Five Must-Haves

THE TOP 4 CONTROLS.

Cisco Advanced Malware Protection. Ross Shehov Security Virtual Systems Engineer March 2016

The Value of Automated Penetration Testing White Paper

IT AUDIT WHO WE ARE. Current Trends and Top Risks of /9/2015. Eric Vyverberg. Randy Armknecht. David Kupinski

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Industrial Cyber Security Risk

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

ensuring security the way how we do it

Unified Security Management and Open Threat Exchange

Cyber Security Management

The Massachusetts Open Cloud (MOC)

GUIDE TO IMPROVING INFORMATION SECURITY IDENTIFYING WEAKNESSES & STRENGTHENING SECURITY

From Rivals to BFF: WAF & VA Unite OWASP The OWASP Foundation

Best Practice for a Successful Talent Management Technology Implementation

Scott Lucas: I m Scott Lucas. I m the Director of Product Marketing for the Branch Solutions Business Unit.

Cyber Security Evolved

HP WebInspect Tutorial

Advanced Threat Protection with Dell SecureWorks Security Services

On Demand Penetration Testing Applications Networks Compliance.

CHOOSE THE RIGHT ONE!

Testing the Security of your Applications

A strategic approach to fraud

Juniper Networks Secure

2016 OCR AUDIT E-BOOK

Addressing the Full Attack Continuum: Before, During, and After an Attack. It s Time for a New Security Model

Improving Web Application Security by Eliminating CWEs Weijie Chen, China INFSY 6891 Software Assurance Professor Dr. Maurice Dawson 15 December 2015

Big Data Analytics for Every Organization

Table of Contents. Application Vulnerability Trends Report Introduction. 99% of Tested Applications Have Vulnerabilities

Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

Enterprise Release Management

G-Cloud IV Framework Service Definition Accenture Web Application Security Scanning as a Service

Your Guide To Crowdfunding With Superior Ideas

The Web AppSec How-to: The Defenders Toolbox

Buying vs. Building Business Analytics. A decision resource for technology and product teams

What is Penetration Testing?

THE THREE Es OF MODERN SECURITY FOR PHISHING

Application Security in the Software Development Lifecycle

Digital content is emerging as the newest strategic

Close the security gap with a unified approach. Detect, block and remediate risks faster with end-to-end visibility of the security cycle

IBM QRadar as a Service

The New World of Wealth Management: Structuring Your Business for Competitive Advantage

Myths of Digital Marketing

More successful businesses are built here. volusion.com 1

Enterprise-Grade Security from the Cloud

A Network Administrator s Guide to Web App Security

HP Application Security Center

CYBER SECURITY, A GROWING CIO PRIORITY

White Paper. Five Steps to Firewall Planning and Design

Intrusion Detection Systems. Darren R. Davis Student Computing Labs

White paper Contents

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

Transcription:

Flex Bounty Program Efficiency Report 2014

TOO MANY not enough time VULNERABILITIES When it comes to vulnerabilities, organizations face a problem of scale. Even as the vulnerability discovery and management market grows with a modest gain of about 9.4 percent per year since 2012 1 the amount of money to test for new and existing vulnerabilities is hardly skyrocketing. Meanwhile, Web-based malware attacks more than doubled in the second half of 2013, the global cost of cybercrime exceeded $400 billion in 2013 and there s no sign of that pressure letting up. 2 As the number of applications that enterprises depend on to service customers and satisfy end users continues to increase, so does the number of vulnerabilities in their growing code base. While traditional penetration testing and automated scanning have provided enterprises with some level of success in reducing vulnerabilities, it s clear that these traditional means of discovery are leaving gaps behind. Clearly, the bad guys are finding vulnerabilities faster than enterprises can. One look at the data breach statistics bears that out: The number of breached records increased by 233 percent between the first quarter of 2014 compared with the same period in 2013. 3 Writing secure software is never easy. While developers must worry about securing every vulnerability in their code, malicious hackers have to find only one weakness to exploit. Not only that, but security researchers are hard to find and hire. At the same time, the number and sophistication of malicious hackers probing software for weaknesses continue to grow. So while security teams are limited by the scope of time, money, and sets of eyes looking for vulnerabilities, the bad guys seem to have limitless resources.

the power CROWDS of Organizations seeking an efficient way to find vulnerabilities more quickly than the traditional penetration testing route are making inroads through the principle of crowdsourcing. In the bug-finding world, the power of crowdsourcing is harnessed through bug bounties. The idea behind these bounties is simple to offer cash incentives and public kudos to members of a large but skilled pool of security research freelancers and moonlighters willing to look for them. Rather than paying by the hour for a testing consultant, organizations pay per issue discovered. Crowdsourced security is not a new idea. Global companies, such as Google, Facebook and PayPal, have been very public about their use of bounty programs to find critical vulnerabilities that may have either gone unfound or cost many hours of consulting time to discover through the traditional route. These high-powered names are a testament to the power of crowdsourced vulnerability discovery. But programs like theirs are difficult to set up and costly to run in-house. However, it s a myth that only huge companies with mature bounty programs can get value from crowdsourcing. This report offers the data to prove it. STATISTICAL HIGH POINTS OF A FLEX BOUNTY PROGRAM 193 Average number of submissions per Flex Bounty 45 Average number of valid submissions per Flex Bounty $256 Average cost per bug 163 Estimated man-hours per bounty Duplicate bugs (1 hr avg.) Ignored bugs (30 min avg.) 87 54 6 45 Invalid bugs (30 min avg.) Valid bugs (1 hr avg.)

FLEX BOUNTIES for rapid crowdsourcing Over the past year-and-a-half, Bugcrowd broke the mold of the typical bug bounty infrastructure set-up for more precise and efficient vulnerability discovery crowdsourcing. Through trial and error with various enterprise clients, its team devised a new way to divvy up the bug bounty action into bite-sized chunks. The result was formalized into Bugcrowd s unique Flex Bounty Program, a fixed-cost, two-week crowdsourcing engagement that can be instantly started and still taps into the skills of the research community the way an on-going bounty program does. Along the way, Bugcrowd has studied the effects of its Flex Bounty Program and now has demonstrable data that shows how even in small pieces crowdsourced vulnerability assessments can tip the economic scales from favoring attackers to favoring those who are trying to defend themselves from attacks against previously unknown vulnerabilities. This is early research, so data collection practices are still being refined. While Bugcrowd has anecdotal stories and insights from 60 Flex Bounty Program engagements, it has collected truly robust data sets for only about onethird of them. The data outlined from this report is based on the company s nine most complete case studies.

how Flex Bounty Programs WORK $11,614 Average Flex Bounty Program reward pool Since 2013, Bugcrowd has conducted 60 fixed-time frame, fixed-scope and fixed-budget testing engagements for customers. These programs were designed to act as a gateway for an enterprise to initiate an ongoing responsible disclosure or bug bounty program, or to be used to strategically supplement existing security vulnerability testing programs. Security researchers who sign up at Bugcrowd.com are provided visibility to public bounty programs. Upon agreeing to the Bugcrowd Terms of Service and each bounty program s testing scope, researchers may then participate in helping discover vulnerabilities for that organization. Private programs are only visible to researchers who meet those program requirements. FIXED TIME FRAME: A typical Flex Bounty Program engagement is two weeks. FIXED PRICE: A Flex Bounty Program customer allocates a predetermined amount into a reward pool, which is then offered to Bugcrowd researchers. The pool is divided and allocated to unique vulnerabilities; the cost to the customer remains fixed, regardless of the number of issues uncovered. Bugcrowd takes a percentage of the reward pool offered as its management fee. RAPID DEPLOY: The sun is always shining somewhere for Bugcrowd s global pool of security researchers, which means our Flex Bounty Program can be deployed immediately. INCREASED CROWD VISIBILITY: Standard Flex bounties are public to all researchers, which provides the most comprehensive testing coverage. However, some companies have chosen to participate in a closed Flex Bounty Program, which is open only to a select segment of the crowd (e.g., our top 100 security researchers). For even greater control, researcher traffic can be routed through Bugcrowd s infrastructure as well.

UNDERSTANDING THE QUALITY OF CROWDSOURCED DATA One of the major concerns many organizations have about bug bounties is that while the quantity of results provided may eclipse a traditional test s volume, the quality of vulnerabilities might not be as strong. Bugcrowd s data suggests otherwise: The bug bounty incentive structure actually rewards reseachers based on the severity of problem detected or creativity of tactics employed. Combined, these incentives prompt the crowd s competitive urge, resulting in some pretty impressive finds. 45 60 87 REWARDED VULNERABILITY INFORMATION 23% Submitted bugs validated and rewarded 77% Submitted bugs invalid or duplicate Types of bugs submitted 1% Clickjack 8% CSRF 32% XSS 1% SQLI 6% Mobile Device 1% Mobile Net Valid submissions per Flex Bounty (avg) Invalid/ignored submissions per Flex Bounty (avg) Duplicate submissions per Flex Bounty (avg)

HOW GOOD are the results? on valid volume of bugs found, reveal both the breadth and depth in CLOUD PROVIDER EXAMINATION: In one capture-the-flag bounty competition involving applications tested for a cloud platform developer, a researcher compromised the platform s Windows host within 12 hours. Another found remote code execution giving full SYSTEM access to approximately 15 percent of the provider s client s hosts. CMS ZERO-DAY DISCOVERIES: One Flex Bounty Program conducted for a customer yielded six critical zero-day vulnerabilities on a public content management system (CMS) platform. TOTAL IAAS COMPROMISE: A Flex Bounty Program run for an infrastructure-as-a-service (IaaS) provider attracted a researcher who was able to find and exploit vulnerabilities that achieved a total platform compromise within 25 minutes and a shell on the underlying box within 90 minutes. WHERE RESEARCHERS RESIDE TOP GEOGRAPHIES Another myth about bug bounty programs is that a pool of crowdsourced researchers could comprise unqualified workers from less technically mature parts of the world. Again, Bugcrowd s research suggests otherwise, both in geography and level of expertise: UNITED STATES INDIA UNITED KINGDOM AUSTRALIA NETHERLANDS GERMANY

how researchers are REWARDED Flex Bounty Program Traditional penetration test Each unique vulnerability is rewarded at the end of the Flex Bounty Program. The top three most severe and creative issues are selected and rewarded a placed reward. The remaining bugs are rewarded an unplaced reward. If there are more bugs found than there is money in the reward pool, the unplaced reward tier is diluted to ensure that all researchers in that tier are compensated. Conversely, if the pool isn t fully allocated, the leftovers are carried forward to the next time the company runs a Flex Bounty Program (which is where a direct cost saving for better code security practices starts to kick in). RESEARCHERS PER TEST: PRICING MODEL: by-the-bug Sliding scale based on severity of bug found AVERAGE TOTAL PRICE: $11,614 Average prize pool per Flex Bounty Program by-the-hour no add l monetary incentive for volume or severity of bugs found $12,000- $20,000 Typical 2-week penetration test consulting engagement (estimate) REWARD POOL BREAKDOWN (BASED ON $10,000 REWARD POOL): 1ST $2,500 2ND $1,500 3RD $500 UNPLACED $250 ea. whichever is lower

CASE STUDIES IN FINDING RESULTS FAST 90 MINUTES TO QUALITY RESULTS CASE STUDIES IN FINDING RESULTS FAST 24-HOUR VULNERABILITY TEST In one instance, Bugcrowd helped a mobile application development startup test its application prior to launch via a Flex Bounty Program. Within 90 minutes of the bounty s start, security researchers were able to compromise the application infrastructure through some of the following vulnerabilities: access control. tester contacted Bugcrowd via the escalation process. Many of the findings of this test involved identification of privacy settings problems that couldn t be easily identified by automated scanning techniques. but not quite enough for one of Bugcrowd s customers. Due to very short change windows in its needed vulnerability test results and flexibility of rapid deployment Program made that turnaround that customer managed to fit 80 man-hours of work into 24 hours of actual time.

top Flex Bounty Program benefit: EFFICIENCY Price points are only part of the economic picture the true measure of returns offered by two-week bounty engagements is their efficiency. Bug bounties enable enterprises to put more security researchers on the hunt for vulnerabilities more quickly than traditional penetration testing engagements. Bugcrowd s early work with the Flex Bounty Program has shown that it is possible to take advantage of crowdsourced security without requiring the infrastructure of a fully mature bounty program. Similarly, if you already have a program in place but need to quickly spin up resources, Bugcrowd s Flex Bounty Program offer an option beyond traditional security consulting. A multinational and diverse pool of researchers offers far more availability than a homogenized team from a typical consulting firm, no matter how big the company. This makes for a faster start and finish to testing.

Bugcrowd, the innovator in crowdsourced security testing for the enterprise, was founded in 2012 by a team of security and software development experts who saw the opportunity to level the playing field in cybersecurity. Bugcrowd s revolutionary approach to cybersecurity combines a proprietary vulnerability reporting platform with the largest community of security researchers on the planet. Bugcrowd offers Responsible Disclosure and Bug Bounty programs in addition to the new Flex Bounty Program (a limited time, fixed-cost introduction to the benefits of crowdsourcing). Bugcrowd has run over 80 bounties with over 9,500 researchers who have submitted over 13,700 bug reports to-date. GET IN TOUCH WITH BUGCROWD: Flex Bounty programs, click here Bugcrowd blog press@bugcrowd.com SOURCES: 1 www.technavio.com/report/global-security-and-vulnerability-management-market-2012-2016 2 www.computerweekly.com/news/2240215548/web-based-attacks-double-in-2013-study-finds 3 www.insideprivacy.com/united-states/data-breaches-on-the-rise-in-2014/ 4 548 Market Street #97440 San Francisco, CA 94104 (650) 260-8443 www.bugcrowd.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information