In the ever-evolving landscape of cybersecurity threats, including emerging AI threats, organizations and individuals alike need to stay one step ahead. With a plethora of options available, choosing the right crowdsourced cybersecurity engagement for your specific needs can be a daunting task. In this blog post, Bugcrowd Security Solutions Architect (SA) and hacker, Rami (drunkrhin0), breaks down four prominent and successful Bugcrowd crowdsourced cybersecurity engagement types: Managed Bug Bounty, Penetration Testing, Vulnerability Disclosure, and Attack Surface Management.
Hey 👋 My name is Rami (not Rami Malek). I was hired from the crowd and now work to improve the crowdsourced security experience, often working behind the scenes. I’ve always had a laser focus on community and continuous improvement from my experience as a professional photographer, pentester, hacker success manager, and everything in between. My unique perspective and determination from my various career paths led me to understand various needs and communicate them to the right people in the right way. Now a part of the Customer Success team, I hope this blog post helps you find the highest-value engagement(s) for your organization’s needs.
Factors to consider before deciding on your engagement type
- Scope: First, you must determine the size and complexity of your digital assets and their potential vulnerabilities. This assessment will help you identify which engagement aligns best with your requirements.
- Budget: Different engagements come with varying costs. Consider your organization’s financial capabilities and evaluate the potential return on investment in terms of enhanced security.
- In-house vs. outsourced: Determine whether you have the internal expertise to handle the chosen engagement or if you need to collaborate with external cybersecurity experts.
- Regulatory compliance: Ensure that the chosen engagement complies with any industry-specific or legal requirements your organization must adhere to.
- Risk tolerance: Assess your organization’s risk tolerance and how much you are willing to invest in proactive cybersecurity measures.
1. Managed bug bounty engagements (MBB):
Managed Bug Bounty engagements incentivize independent hackers to discover and report security vulnerabilities in an organization’s digital assets. Customers then set a tiered reward structure based on the severity and impact of the vulnerability identified, in accordance with the Bugcrowd Vulnerability Rating Taxonomy. Once a vulnerability has been submitted by a hacker, the Bugcrowd Security Operations team will triage, reproduce, and assess the vulnerability. This process filters out the noise, ensuring you’re notified only of new and unique findings. Bugcrowd offers MBBs in multiple flavors to meet your specific needs:
- Time-based:
  - Ongoing engagements
  - On-Demand engagements
- Visibility:
  - Public engagements
  - Private engagements
Ongoing vs on-demand bug bounty engagements
Ongoing MBBs allow hackers to engage with the customer environment over an extended period of time. This gives hackers the opportunity to deliver high-impact vulnerabilities over time, which may otherwise not be found through traditional testing methods such as penetration testing. Ongoing MBBs also provide time and space for hackers and customers to build rapport and establish a level of trust. It’s not uncommon for hackers with strong rapport to exclusively hack on a single engagement/customer as a result of this. I like to call them ‘anchor hackers.’ Some anchor hackers have even been offered full-time jobs!
The benefits of running an ongoing MBB include:
- Impactful and ongoing testing
- Integrates into your long-term security posture
- Provides an ongoing level of assurance external from your security team
- Introduces new hackers over time
On-demand engagements offer two primary differentiators from ongoing programs. Their timeboxed nature provides a highly competitive and rewarding environment for hackers. They may be used to complement ongoing engagements or to differentiate from them.
The benefits of running an on-demand MBB include:
- Time-bound approach: On-demand engagements offer 2- or 4-week timeboxes, providing hackers with a highly competitive environment with increased rewards and unique scope.
- Set reward pool: Using a fixed reward pool ensures customers don’t go over budget while ensuring hackers are appropriately compensated for their expertise. Customers typically use on-demand engagements as a first step into the crowdsourced security space, or where they have flexible spending that may not allow for an ongoing engagement just yet.
- Targeted scope: The highly competitive nature of on-demand engagements allows smaller groups of hackers to target the areas of greatest concern. Successful on-demand engagements are often used to test new features and business-critical systems, or as a warm-up prior to releasing the assets to an existing ongoing program.
- Pen testing use cases: They are increasingly used in pen testing use cases as well; in fact, we have customers who have completely replaced traditional pen tests with them.
Public vs private bug bounty engagements
There are two visibility options for MBB engagements, public and private.
Public bug bounty engagements are open to everyone. They’re often a best fit for large organizations with a security team equipped or even dedicated to hosting a bug bounty engagement. Your organization is most likely already quite secure and braced for attacks.
Benefits of public engagements:
- Largest form of exposure
- Largest talent pool available
- Community engagement
- Showcases strong security posture
Considerations before launching a public engagement:
- Requires a skilled team to manage
- Significant exposure
- Increased noise
Invite-only (or private) engagements are highly sought after due to their scarcity. Hackers often look for large scope, high rewards, and low competition in private invites. This scarcity leads to highly motivated hackers with more potential opportunity to identify vulnerabilities and gain rewards. Participation requires an invitation by Bugcrowd or your organization. The scope, rules, and rewards are shared with the invited hackers, but not with the general public.
Benefits of private engagements:
- Controlled testing
- Increased confidentiality
- Competitive activity
- Tailored to your needs as an organization
- Segregates different stakeholders and entities
- Introduces crowdsourced security in a safer manner to your organization
Considerations before launching a private engagement:
- Increased crowd management
- Additional effort to manage compared to public programs
Overall, managed bug bounty engagements are a great fit for small and large organizations across the globe. If one of the following applies to your organization, managed bug bounty engagements may be right for you:
- You have a large-scale attack surface
- You want to tap into the collective power of a global security community to find diverse and hidden vulnerabilities
- Your organization is able to offer financial rewards to ethical hackers for their discoveries
2. Vulnerability Disclosure Program (VDP):
Vulnerability Disclosure Programs (VDPs) are a “see something, say something” model, offering a public space to safely submit and disclose vulnerabilities to an organization.
Unlike MBBs, they focus on encouraging responsible individuals to disclose security vulnerabilities directly to the organization under Safe Harbor. While most organizations welcome this information and behavior, the lack of a defined channel or process can carry risk, often disincentivizing people from reporting vulnerabilities. VDPs offer a comprehensive range of submission channels, triage, integration, and reporting capabilities.
When to choose a VDP:
- Your organization is ready to take its first step towards crowdsourced security
- You value transparency and open communication with hackers
- Regulatory/government mandates may require you to have one
- You want to promote responsible disclosure within the security community
- Your organization is ready to acknowledge and address security issues promptly
3. Penetration testing:
Penetration testing is a controlled and simulated cyberattack on a system, network, or application to identify weaknesses that could be exploited by malicious actors. Unlike bug bounty engagements, our crowd-powered Pen Testing as a Service (PTaaS) is carried out by a large, vetted pool of skilled hackers from the crowd. They simulate real-world attacks to assess vulnerabilities and provide a detailed report of their findings, offering expertise unmatched by traditional pentesting services. Depending on your testing requirements, our specialized team and our agile process can yield results in a matter of days. Throughout the testing phase, you will use the Bugcrowd Platform to gain access to real-time, prioritized findings, facilitating prompt remediation actions.
It’s common to see organizations pair their pentests with a bug bounty engagement to maximize risk reduction.
When to choose penetration testing:
- Pay-for-effort in a time-bound approach
- Leverage hackers with specialist skillsets and experience
- Governance, risk, and compliance requirements
- Risk posture requires testing to be performed in a specific manner
4. Attack surface management
Bugcrowd’s Attack Surface Management (ASM) goes beyond traditional vulnerability assessments. Most hackers will tell you reconnaissance (recon) is arguably the most important step in the hacking process. Sw33tlie emphasizes recon over time in this blog post. Leveraging the power of the crowd, ASM combines technology, data, and hacker ingenuity to discover all digital assets (even the hidden ones) within an organization’s ecosystem. By identifying rogue assets, it helps your organization evaluate risk, inventory known assets, and prioritize remediation efforts. It offers a comprehensive approach to managing an organization’s attack surface continuously.
When to choose attack surface management:
- You want a holistic view of your organization’s cybersecurity posture, including forgotten, rogue, or unknown assets.
- You want to discover assets, not exploit them.
- You have a rapidly evolving organization with a complex attack surface to manage.
- You need a solution to help you continuously discover, prioritize, and mitigate risks associated with your assets.
The world of crowdsourced security can be confusing, but by carefully evaluating the options and understanding your organization’s specific needs and priorities, you can make an informed decision that aligns perfectly with your cybersecurity goals.
Thanks for taking the time to read my blog post. If you’re still hungry for more, you can learn about the role of our TCSM team in continuing your success with crowdsourced security, written by my good friend Elle.
You can find me on Twitter and LinkedIn. I’d love to hear from you!