IMPACT - The Pre-Cursor Bug Bounty Program
Bug Bounty HQ is pleased to announce the launch of IMPACT.
IMPACT is a crowd-sourced pentest (bug bounty) in which registered Bug Bounty HQ security researchers test an application or product for a limited period of 24 - 72 hours.
Upon launching a new bug bounty program, your applications, domains or products will experience a tsunami of researchers. In the first 24 - 72 hours, your program will receive more bug submissions than at any other time throughout its duration.
The benefits of IMPACT are numerous. It can also be used as a pre-cursor to launching a full open bug bounty to the researcher community, allowing you to:
- test in-house security response teams
- test in-house vulnerability management processes
- test in-house intrusion prevention / detection products and teams
- gain hands-on experience of running a bug bounty program
- identify the types of issue being reported. If many instances of one issue (for example XSS) are reported within the 24/48 hr period, that suggests going through the code for similar instances and patching them before launching your full program. This could represent significant savings on bug bounty payments.
Other possible uses for IMPACT include:
- Quickly identify the current security posture of your product or application, allowing further determinations to be made internally about additional security requirements.
- If you have pushed a significant amount of new code to an application, have it quickly audited with IMPACT.
- More often than not, the “business” will override the security department, insisting that a new app or site be launched in a matter of weeks or days and bypassing the normal in-house S-SDLC requirements. IMPACT can be an extremely useful tool in these circumstances, since you can launch a program in a matter of minutes.
- Finally, when in doubt, run IMPACT. Your security questions will be answered extremely quickly.
How it works
It should be pointed out that Bug Bounty HQ will only run three concurrent IMPACT programs on any given date. This ensures maximum exposure and that researcher talent is not diluted across too many IMPACT programs running at once.
First, you create your program with all the information the researchers need to understand your rules and scope.
When setting the reward matrix, Bug Bounty HQ suggests the following minimum values to ensure high exposure over the 24/48 hr period. These are merely guidelines, but the better the bounty, the more researchers will participate, and a higher bounty also attracts the attention of the more skilled hunters.
Choose your time period (24 / 48 / 72 hours), start date and start time.
Once verified, you will be taken to the payment page for a $495.00 initial launch fee.
Upon completion of your IMPACT program, should you wish at a later date to relaunch it as a full open bug bounty, there are no further charges.
Upon completion of payment, emails are sent to all Bug Bounty HQ researchers informing them of your impending IMPACT program. The only information included is your reward matrix, start time and date, and a link for the researcher to add your IMPACT program to their “My Programs”.
An entry is also made in the RTU (real time update) stating that a new IMPACT program is set to launch at your pre-determined time and date. Your IMPACT program also appears in the publicly viewable IMPACT Calendar.
30 minutes prior to the launch of the IMPACT program, all researchers who added your program to their “My Programs” receive an email reminder.
Another entry is also made in the RTU stating that your IMPACT program will begin in 30 minutes.
Finally, get your teams together, order in the pizza and brace for IMPACT.