IT Security Company Client Solutions
Bug bounty programs are growing in popularity and are increasingly seen as a valuable addition to an existing secure SDLC (S-SDLC), so it is likely that many of your clients are considering such a program.
As their trusted security provider and advisor, you are best positioned to advise on and manage a bug bounty program for them. Bug Bounty HQ offers a number of solutions to help fulfil both your and your clients' requirements.
White-Labeled Consultancy Independent Bug Bounty Platform
Bug Bounty HQ offers a hybrid version of our platform: a software package installed on your own network and branded with your own corporate logo and information.
All the features of Bug Bounty HQ are included, and all your client programs are managed entirely by you. This includes receiving the bug reward payments from your clients as well as paying the security researchers their bounties.
What makes this platform unique is that it remains "chained" to https://www.bugbountyhq.com/. This keeps the Bug Bounty HQ researcher community informed about new programs being launched and where to sign up, as well as actions that have taken place on other programs (rewards, etc.). The chained model gives your programs instant access to all registered Bug Bounty HQ researchers.
When a user signs up on BugBountyHQ.com they are allocated a Unique User ID (UUID) in the form of a randomly generated GUID. When a researcher signs up on your white-labeled bug bounty platform, they can enter this UUID in their profile so that all of their activity and points are also reflected on BugBountyHQ.com.
Every 10 minutes your platform makes an API call to bugbountyhq.com, passing the UUID together with any updates since the last call (financial rewards made, points awarded, changes to the client's program, client program blog posts, client CTF challenges, etc.), so that they appear in near real time on the RTU.
For example, suppose your client has just fixed a bug submitted by researcher Joe and rewarded him $1,000.00. Joe receives 10 points for the reward, 8 points for the bug's priority classification and 8 points for the quality of the report; these are added to Joe's totals on Bug Bounty HQ and the reward is reported in recent activities.
To many researchers the points system is very important, and it is a big driving factor in the participation in, and success of, some programs.
This model allows:
- You to run an independent bug bounty platform for your clients
- Your company to remain an integral part of their security solutions
- Use of a platform that is already built and can be branded with all the necessary company logos and information
- Access to an instant researcher pool
- Greater exposure, as each program is also listed on bugbountyhq.com
- Greater participation, as any points awarded on your platform are also replicated to BugBountyHQ.com
- The benefit of the various incentive programs run by Bug Bounty HQ, for example monthly, quarterly and annual competitions paid for by Bug Bounty HQ
The standard "handling fee" you receive per bug payment is 20% of the award, billed to the client on top of the award.
On a $10,000 bug bounty award, your client pays $12,000: $10,000 is sent to the researcher and you retain the remaining $2,000.
However, as you are their trusted security partner, there are numerous ways in which you can further monetize the value of a bug.
Built into the system is a "managed service" option, under which your consultants assist with the verification of the bug submissions made by researchers. In a bug bounty program this is where all the real work takes place, and at times it can be very daunting for someone running a program on their own.
If your client selects this option, all bug payments are billed with a 25% handling fee. In the example above, you would retain $2,500 for that particular resolved vulnerability.
The managed service can be either a financial risk or a source of great reward. If the quality of the bug submissions is low, your consultants may spend their time closing out many issues that are out of scope, spam, duplicates or simply not worth fixing; in these cases no additional money is made. If the quality of the submissions is high, however, a 25% handling fee can earn you a good deal of money.
Alternatively, rather than using the managed service option, you could negotiate with your client to have one or two consultants work full time on their bug bounty program for its duration, thereby guaranteeing a specific bill rate.
Other possible means of monetizing a bug, depending on your own company's service offerings:
- Secure coding training / service
- Security training
- Your own consultants participating in the bug bounty program itself
Initial one-time platform fee: $995.00
Per client program launch: $495.00, charged by Bug Bounty HQ
Per running client program: $195.00 per month, until the program is terminated or suspended by your client
Why So Cheap?
Unlike other platforms, Bug Bounty HQ is more researcher-centric. We want to offer as many quality programs as possible to our global researcher community while also giving researchers the ability to centralize their "points". By using this platform you automatically promote your clients' programs on bugbountyhq.com, since notifications are sent to the RTU, where there are currently over 1,000 registered security researchers.
You may have only a single client interested in running a bug bounty program who would still like your involvement, or you may simply not wish to handle the payment side of things.
Rather than you running your own platform, Bug Bounty HQ can host your clients' programs on our server, or they can choose the Independent Platform as described on the home page.
If a program is hosted on Bug Bounty HQ as a result of your recommendation, 50% of all bug commissions on awards made by your client to the researchers is paid to you monthly for the duration of the program.
Of course, you retain the ability to further monetize a bug by providing direct consultancy services to assist with vulnerability verification and further security training.