The BBHQ Private Bug Bounty Team

The Bug Bounty HQ private team (BBHQ SRT) consists of 12 proven and trusted security researchers / bug hunters each having their own unique skill sets and approach to a security audit.  (A full list of the team and their credentials is available upon request.)



To summarize –

  • Signal-to-noise ratio of 100:1
  • Proven security researchers / bug hunters
  • A team approach as opposed to 12 individuals
  • Hand selected for their unique skill sets and approaches to a security audit
  • Ability to adhere to a more defined scope / rules
  • You get a $2million plus team extension to your existing security team (12 proven security researchers based on a minimum base salary of $167k per year)
  • You only pay for results





Using the BBHQ SRT gives your internal application / product security teams the ability to focus on other projects while interacting with a small, very qualified team of external researchers. One of the biggest complaints of running a bug bounty program when handling security reports is the signal-to-noise ratio: the ratio of good actionable reports to reports that are incorrect, irrelevant, or incomplete.



The BBHQ SRT aims to achieve a signal-to-noise ratio of 100:1, which significantly exceeds the public ratios of popular public bug bounty programs.  For every 100 reports it is likely one will drop in that is incorrect, irrelevant or incomplete.



In other private bug bounty programs, researchers are randomly selected and limited to the researchers that are registered on that particular platform.  These invite-only / private programs employ a number of individual researchers ranging from a few to many working on an individual basis.  The BBHQ SRT has been hand selected based on their unique skill sets and approaches to security audits.



Using the BBHQ SRT, you are actually getting a team.  Whilst they do all work on an individual basis, the team communicates with each other over IRC, email and where necessary uses the Bug Bounty HQ platform collaboration reporting feature.



The BBHQ SRT also conforms to the OWASP Methodology for security audits.  When a member of the team believes they have covered a particular area, they mark off the relevant check, which is reflected back into your own check list within your program settings.



[Figure: Researcher Check List]

[Figure: Program Team OWASP Check List]



Another advantage in using the BBHQ SRT is its manageability.  Being made up of 12 professionals, the team is able to conform with unique scope / rule requests.




  • All testing can be made through a proxy server so that a single IP address can be added to firewall rule sets.

  • You may have time constraints on testing requiring that security auditing only be conducted during certain times.

  • Time and time again programs ask that researchers do not run scanners or automated tools against production servers.  As BBHQ SRT consists of skilled professionals, they have the ability to conduct a full manual audit of your application / product.






There are 2 ways in which you can invite the BBHQ SRT to your private bug bounty program:

  1. Run your own program, taking bug submissions via email directly to your own security team, or use Bug Bounty HQ’s Independent Platform, which is installed on your own network.

  2. Use the Consultancy Platform on Bug Bounty HQ.  Sign up for a Program Account at https://www.bugbountyhq.com/user/program/ and create your program.  When completed, select the Consultancy Platform.





As your program is private and is only available to the BBHQ SRT, no one else will see your program.  Using this platform allows you to easily manage your bug bounty program and take advantage of the many built in features and payment / tax handling processes.



Add this $2million plus team to your existing in house security team and challenge them to uncover security vulnerabilities in your applications / networks / products.  Using the BBHQ SRT you truly receive a 100% return on investment only paying for qualifying reports as defined within your own scope.



For assistance in setting up your private bug bounty program using the consultancy platform or more information on the team please contact us here.