Products
PTaaS, Bug Bounty
Industry
FinTech
-
Challenges
As their organization grew, Rapyd wanted to step up their security posture by making security testing continuous. They have an interesting use case for crowdsourced security, since their core business is so API-focused. A thorough discovery of vulnerabilities in APIs requires specialized knowledge, skills, and experience.
Rapyd also needed help with security assessments during mergers and acquisitions, such as when creating asset inventories and understanding the attack surface risk involved.
-
Solution
About a year ago, Rapyd decided to turn to Bugcrowd to take their crowdsourced security programs to the next level. They started leveraging Penetration Testing as a Service and a private Bug Bounty program. The goal was to eventually launch a public program, which Rapyd did in six months.
About Rapyd
Rapyd is a cutting-edge FinTech leader focused on helping businesses create great commerce experiences anywhere. They develop technology designed to remove the back-end complexities of cross-border commerce while providing local payment expertise. For about four years, Rapyd used crowdsourced security in various forms, including adopting HackerOne Bug Bounty. They also routinely performed traditional penetration testing.
The Challenge
As their organization grew, Rapyd wanted to step up their security posture by making security testing continuous. They have an interesting use case for crowdsourced security, since their core business is so API-focused. A thorough discovery of vulnerabilities in APIs requires specialized knowledge, skills, and experience. Rapyd also needed help with security assessments during mergers and acquisitions, such as when creating asset inventories and understanding the attack surface risk involved.
The Bugcrowd Solution
About a year ago, Rapyd decided to turn to Bugcrowd to take their crowdsourced security programs to the next level. They started leveraging Penetration Testing as a Service and a private Bug Bounty program. The goal was to eventually launch a public program, which Rapyd did in six months.
We quickly felt safe to take our program public with Bugcrowd. We value the way Bugcrowd finds the right hackers with the right expertise for our programs.
The Outcomes
Rapyd is experiencing outstanding results with Bugcrowd. In this year alone, 15 critical vulnerabilities and almost 40 total vulnerabilities have been discovered. A key factor in taking their program public was preparing the right process. Rapyd wanted to be sure they had the right roadmap in place before launching, which they worked with Bugcrowd to build. The Rapyd team are currently working on integrating their bug bounty program with their SDLC and product security flow to allow for sustainable growth.
One reason for Rapyd’s success is how involved their team is. Their entire security team participates in the strategy and operations of their program with Bugcrowd. Their teamwork is also reflected in the success of the program. They’ve built workflows in Jira and Slack for tracking program findings and routing to the appropriate stakeholders. These integrations were key benefits for the team.
This dedication to the success of the program can be seen in Rapyd’s commitment to quickly remediating vulnerabilities. Rapyd’s average time-to-fix submissions is 18 days across all severity levels. The industry average is 31 days to fix, so it is clear that Rapyd’s security program is truly excelling in partnership with Bugcrowd.
Rapyd chose Bugcrowd in part because of the unique way Bugcrowd selects specialized hackers for engagements. Since their needs were very specific (for example, for API testing), they needed to connect with the right group of hackers with skill sets that matched their use case. “Bugcrowd accommodates both hackers and organizations. By picking the right hackers for specific programs, it keeps researchers engaged,” said Achiad Avivi, Applications Security, at Rapyd. Bugcrowd’s CrowdMatch technology, which enables precise crowd matching, allows organizations to connect with the right hackers at the right time, which was perfect for Rapyd’s needs.
Rapyd’s success can be considered impressive under any circumstance, and it’s important to note that they were achieving these amazing results all while undergoing a time of major growth and multiple acquisitions. By leveraging security testing through Bugcrowd during major acquisitions, they were able to understand a previously unknown attack surface.
“Bugcrowd is a win–win situation for hackers looking to make an impact on internet security while making money and for companies looking to improve their security by finding these security issues before they become bigger problems,” said Achiad Avivi.
Subscribe for updates
Read more customer case studies
A bug bounty is a monetary reward for security researchers who find legitimate security flaws in software. Payments are allocated for each vulnerability found, depending upon various factors including risk, impact, and exploitability of the vulnerability.
HP
Printers, arguably the most common IoT devices on the market, touch and store some of the most sensitive data and...
Read MoreGet Started with Bugcrowd
A bug bounty is a monetary reward for security researchers who find legitimate security flaws in software. Payments are allocated for each vulnerability found, depending upon various factors including risk, impact, and exploitability of the vulnerability.