Introducing Bugcrowd
0 likes258 views
Bugcrowd provides managed security bug bounty programs for web and mobile businesses, aiming to protect against the rising costs of cybercrime. With over 1,500 professional testers and a successful operational model, they offer the benefits of bug bounty programs without the complexity and risk of self-management. The service has demonstrated effectiveness, yielding over 1,000 bug submissions and results that outperform traditional penetration testing.
Introducing Bugcrowd
- 1. Bugcrowd We run managed security bug boun4es for web and mobile businesses.
- 2. The system has failed “We are witnessing the greatest transfer of wealth in history” --NSA Director General talking about cybercrime. Last year the cost of cybercrime in Australia was $1.76bn. …and in the USA it was over $250bn
- 3. The story • Let me tell you about Joe… – Joe ran a successful Australian-‐based domain resale business – Joe had 1 security flaw in his web site – Bad guys found it and used it to take his domain and customer data – As a result Joe lost his business – The End • In 2012 64% of these breaches started with a single flaw • There are lots of bad guys with lots of different mo4va4ons and lots of 4me… And they only need ONE bug to get in.
- 4. • Old-‐style security and penetra4on tes4ng may help… Think of Joe. • But would it provide the same level of technical exper4se, coverage and up-‐to-‐date knowledge as a team of 30? 50? Or 1,500 mo4vated security professionals?
- 5. Security bug bounty Crowd-‐sourced security tes2ng. The good guys are given permission and incen2ve to find flaws and disclose them. They work brilliantly, but the problem for those of us who aren’t Google is that bug boun4es are hard to set up and difficult to run. Who runs security bounty?
- 6. • We take the success of the bug boun4es run by the big guys and makes it available to everyone • Our service gives you all the benefits of a bug bounty program, without the effort and risk of doing it yourself
- 7. Does it work yes
- 8. Does it work • 1,500+ testers registered – Professional qualifica4on: CISSP, CREST, CEH, etc. • 10 boun4es run, 4 in queue • No down4me • Testers are under NDA • Over 1,000 bugs submiced • 24/7 engagement and tes4ng cycle (sun is up somewhere)
- 9. Does it work • Testers are rewarded based on performance, not 4me! • $15k bounty yields becer results than similar scope $40k penetra4on-‐tes4ng engagement. • Out latest bounty (in progress) -‐ 6 hours elapsed-‐4me sample: – 150+ findings – Over 50 par4cipants – Huuuuge amount of man-‐hours and coverage. – It will run for a week!
- 10. Features • 30 minute kickoff – Sun is up somewhere. • Crowdcontrol – All tester traffic is routed though our infrastructure and the ‘client controls the crowd’. • Kudos points – Our security researcher ranking system – We want to be the Github for security people… An online resume of skill and experience • Private boun4es – Limit par4cipa4on to the highest ranked researchers
- 11. …hot of the press Par4cipants dona4ng their 4me to Bugcrowd’s charity boun4es will for the first 4me be able to earn professional development credits recognised by the Interna4onal Informa4on Systems Cer4fica4on Consor4um (ISC)2® for their CISSP® accredita4on.
- 12. Team • Casey and Serg (me) – Co-‐founders • Nick Ellsmore – Strategic advisor • Startmate – Mentor driven accelerator
- 13. Thank you!