Dipping Your Toe In the Water

It’s a known fact that bug bounties are growing in popularity but there still remains the vast majority that are yet still to be convinced in their value and just as important, trust.  Many companies are simply not yet ready to invite “the world” to hack their systems.



Another big put off and probably one of the biggest complaints about bug bounties is the noise – signal ratio.  There are many statistics out there but as an average, for every 100 reports submitted around 15 are actually going to be “fix worthy”.  This is for a number of reasons –




  1. “Carpet Bombers” – in the race to be the first to report an issue, they will report absolutely anything.  They do not care about a reputation system.  They have the attitude “if you throw enough s**t at the wall, some of it will stick”.  So out of 100 reports they submit, a couple maybe reward worthy.  These are the researchers that ruin it for everyone. In fact Bug Bounty HQ has a system in place to ban these types of users

  2. Enthusiasm takes over and a researcher dives in without reading the defined scope of the program

  3. Reliance on scanners.  Even though just about every program states please do not run scans against our apps / servers or submit scan reports, unfortunately it happens, and happens a lot.



At Bug Bounty HQ we have designed a solution – The Consultancy Platform.  Whilst it is not a silver bullet, it does go a very long way in providing solutions to these problems.



Companies already trust some aspects of their security to trusted security partners whether this takes the form of training / internal network assessments or Pentests.  Bug Bounty HQ's Consultancy Platform is ONLY open to registered Consultancy firms on the Bug Bounty HQ platform. This goes a long way to breaking the trust barrier as NDA's etc will be signed with the consultancy companies.



In using this platform, you are actually not doing anything different that you already do.  There is one exception however, your ROI is 100%.  Consider it a performance paid pentest.



Currently, many security consultancy companies actually ban their consultants from participating in bug bounty programs.  Having co-founded two successful consultancy companies I completely understand this and this is mainly due in part, that the company does not receive any benefit / money.  As a result of this, bug bounties are missing core talent.



On Bug Bounty HQ’s consultancy platform, the firm is paid the financial rewards, not the consultant.  Whilst this may not seem fair, you have to remember they are on a salary already and as harsh as it may sound, they are there to make their company money.   Bug Bounty HQ however, recommends that consultancy companies offer some type of profit sharing based on financial awards made on a bug to the relevant consultant.  This helps to ensure a greater level of participation and motivation.



Each consultancy is also allocated admin accounts that have access to all their employees accounts registered on the platform so that they may see the quality of reports being submitted, current states of open issues, conversations with program owners, and of course the financial rewards made for each closed issue.



You are probably already aware that your sites are receiving intrusion attempts (maybe even successes). So a bug bounty could be considered as "normal" practice, with one difference, issues that are discovered will be reported to you.

This platform is a win / win for everyone concerned and more importantly becomes the first stage in bridging the gap between a bug bounty and traditional security audit.

For the Bug Bounty Program Owner

1) Professional IT Security Consultancy Companies auditing their applications

2) Employees have already been vetted by their employer

3) Many of these employees will have professional certifications

4) They can collaborate with other employees that they work with on findings

5) Access to a large professional tool set already paid for by the consulting company

6) Most of these employees will have gone through an extensive security background check

7) Expect reporting of vulnerabilities to be of a much higher standard.

8) NDA’s are signed with the companies not the employee as the employee would have already signed their company NDA

9) A company may be unsure of which consultancy firm to contract larger more sensitive engagements. Using this platform would act as a good yard stick by which to measure consultancies. Which consultancy firm is finding more bugs, the quality of their reports etc

For the Security Consulting Firm

At times a consulting firm may find their utilization rates take the roller coaster ride. This could be due to a number of reasons.  Seasonal holiday’s, where things may naturally quiet down, a large engagement has been postponed and as a result of this you have consultants sat around doing nothing.   Becoming part of this program, consultants are able to be billed based on their findings.

1) All payments are made directly to the company upon the issue being closed out

2) Utilization rates can always be at 100%. Consultancy firms employed these consultants on the basis that they were skilled.  Based on this, these consultants should find vulnerabilities in participating bug bounty programs which makes them billable

3) If a company has recruited trainees, this platform allows for hands on real world testing of deployed applications

4) By participating in these bug bounties, this may open doors to more work with new clients based on the quality of bugs and reports being submitted by the consultancy’s researchers.



So for all those "sitting on fence", I would suggest this is an excellent platform in which to begin your foray into a Bug Bounty Program.  If the program proves to be successful, maybe further down the line you may feel more comfortable to open it up to the global registered researcher community on Bug Bounty HQ.



For more information about this program or a bug bounty in general, please drop us a line