A Bug Bounty Program is a further security measure for your organization, with the goal of identifying vulnerabilities before they are exploited. The program lets you draw on the know-how and inventiveness of a community of security researchers. The community is invited to analyze a predefined scope of your company's systems for vulnerabilities. The discoverer of a vulnerability receives a reward whose amount depends on the criticality of the vulnerability found.
Is a Bug Bounty Program an option for you?
Read our expert interview with Stefan Schmer, Managing Consultant usd HeroLab
Bug bounty platforms
A Bug Bounty platform provider gives you access to the expertise of the community of security researchers connected to the platform. The rules are clearly defined and vulnerability reports are exchanged only via the platform. Bug Bounty programs can also be run without a central platform; in that case, communication and coordination with the security researchers is handled by the company itself.
How we support you
For a Bug Bounty Program to be effective and free of unnecessary restrictions, it must be tailored to the needs of the company and take its organizational structures into account. As a full-service provider, we can assist you with, for example:
• Determining the assessment scope
• Communicating with the community of security experts
• Triage, review and prioritization of incoming vulnerability reports
• Support in correcting identified vulnerabilities
How we proceed
Our approach is individually tailored to your needs and adapted to the project phase. The procedure below is one example of how a project can run.
During the kick-off meeting, we discuss with you the initial situation and your objectives as well as the type of reward. Together with you, we determine the next steps according to your requirements, resources and the circumstances in your company.
We clarify with you to what extent the internal specialist departments are involved and which interfaces are available. Together with you, we determine the scope of the assessment, the guidelines for Responsible Disclosure (what may be tested, how, and how findings are to be reported), and the handling of incoming vulnerability reports from the community. We also define communication processes and escalation channels.
If desired, our security experts analyze the defined testing scope using a pentest or code review before the bug bounty program launches.
Together with our security experts, the Bug Bounty Program is launched. Depending on the defined process, incoming reports on identified vulnerabilities are validated and prioritized by our security experts. We take over communication with the community and forward all confirmed vulnerabilities to the responsible specialist department. The reward is issued by your company's representative in charge of the program.
Our security experts recommend measures to eliminate the identified vulnerabilities and, if required, support you in implementing those recommendations. Optionally, we take over communication with all involved specialist departments for you.