BugCrowd brings bounties to the masses

Two Australian security professionals have launched a managed service to make it easier to setup bug bounties.

Bugcrowd, run by Casey Ellis and Serg Belokamen, offers organisations of all sizes the ability to put their websites in front of a burgeoning community of security researchers for penetration testing.

The pre-fabricated bug bounty program was designed to be cheaper than many penetration tests and also cut the complexity involved in establishing in-house programs like those run by Google, Facebook, Paypal and Etsy.

It offers cash rewards to Bugcrowd researchers who find security vulnerabilities in companies that sign onto the program.

"The idea is to connect the global resource pool of security testers with the market through a software platform that enables crowd-sourcing," Ellis said.

"It appeals to enterprises who are serviced by pen-testers but don't know how to set up a bug bounty and at the other end, the smaller guys who have maybe 10 grand or less which is not enough for a test but works for a bounty.

"For many researchers, it's recreation, it's learning, it's fun, and we want to tap into that."

The cash rewards are set by the client and offered on a first come, first served basis with the most complex bugs receiving the top prize and other important vulnerabilities taking second and third spots.

Researchers also receive points or kudos for all valid submitted bugs. Clients will be able to opt to have their tests open only to researchers who have previously earned kudos.

It has over eight hundred testers on board and has run two successful bounties to date, including one for Ellis' Twitter application Twoodleloo, and another for not-for-profit outfit Looloo Paper. Another larger bounty is soon to be announced later this week.

About 80 testers entered the race for the Twoodleloo app even though the inaugural bounty was set low at $500 for demonstration purposes.

"That's say 80 testers putting in let's say only half an hour's work - that's forty hours' labour. Think about what that would cost."

Each test is run via Bugcrowd's servers to enable targeted companies to distinguish legitimate incursions from blackhat hacking.

The program promises to open up the amount of companies that are receptive to penetration tests and add bug bounties to those who already are.

At present, researchers who disclose vulnerabilities to companies outside of bug bounty programs or without first having explicit permission to run tests may be at risk of landing in legal trouble for unauthorised access.

Local penetration tester Patrick Webster was in 2011 served a legal notice, later dropped, by First State Superannuation, after as a customer he disclosed a direct object reference vulnerability to the company without having obtained authorisation.

The Bugcrowd founders received funding from local seed financing outfit Startmate and will in April travel to Silicon Valley to pitch the idea to the big names in the technology industry.

Ellis says Bugcrowd was different from existing vulnerability brokers like Hewlett Packard's Zero Day Initiative - which pays researchers for reporting bugs affecting any company - because it aims to create thorough, dedicated bounty programs.

Copyright © SC Magazine, Australia