What is a Private Bug Bounty Program?
A bug bounty program offers an award to ethical hackers for discovering and reporting a security vulnerability on the organization’s systems. Private programs are either kept confidential and not publicly disclosed or may restrict participants to only those that are invited by the organization.
Over the last few years, bug bounty programs have gained wider adoption across all industry sectors including government, financial services and technology. Engaging the white hat community provides the organization with access to a diverse group of professionals with different capabilities and experience for a more comprehensive approach to vulnerability discovery.
Our Hybrid Model
A hybrid approach combining the benefits of both penetration testing and bug bounty models.
Penetration Testing Plus Bug Bounty
Both penetration testing and bug bounty models have their pros and cons. A hybrid approach can offer the best of both worlds – complete coverage and deep diverse expertise. We start each project with our core team using industry-accepted methodologies, then bring on the Swarm to find vulnerabilities that may have been missed.
Expertsourced Not Crowdsourced
Unlike other bug bounty platforms with tens or hundreds of thousands of registered users, we work with fewer than 100 handpicked professionals with a proven track record. Working with an expertsourced team helps you avoid the point of diminishing returns and maximize the effectiveness of your vulnerability discovery, with false positive rates of less than 10% and lower triage costs.
Assurance Not Suspicion
In addition to our careful selection process, all members of the Swarm undergo an identity and background check before we onboard them with a legal contract. All testing traffic is routed through our system which means you see tests from a single IP address and can differentiate between legitimate testing and actual malicious attacks.
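Routing all testing traffic through a single egress point only helps a defender if the monitoring side actually uses that fact. The following is an added example, not code from this page or the platform it describes, of how a security operations team might tag web server access log lines: requests from an assumed platform egress range (203.0.113.0/24, a documentation range used here as a placeholder) during an assumed engagement window are labelled as authorized testing, requests from that range outside the window are flagged for review, and everything else stays unattributed and is treated as potentially hostile. The log lines, addresses and dates are constructed.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Assumed egress range of the testing platform (placeholder, not a real address).
AUTHORIZED_TEST_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed engagement window agreed in the program contract (constructed dates).
ENGAGEMENT_WINDOW = (
    datetime(2024, 3, 1, tzinfo=timezone.utc),
    datetime(2024, 3, 15, 23, 59, 59, tzinfo=timezone.utc),
)

# Apache/nginx "combined"-style access log: client, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines: two from the platform range inside the window, one from an
# unrelated address sending the same probe, one from the platform range after the window.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 403 512',
    '203.0.113.7 - - [05/Mar/2024:10:00:02 +0000] "GET /search?q=%27%20OR%201%3D1 HTTP/1.1" 500 0',
    '198.51.100.23 - - [05/Mar/2024:10:00:03 +0000] "GET /search?q=%27%20OR%201%3D1 HTTP/1.1" 500 0',
    '203.0.113.9 - - [20/Mar/2024:02:11:45 +0000] "GET /admin HTTP/1.1" 403 512',
]


def parse_access_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": ipaddress.ip_address(m.group("ip")),
        "ts": ts,
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def classify(event, sources=AUTHORIZED_TEST_SOURCES, window=ENGAGEMENT_WINDOW):
    """Label an event by source address and time relative to the engagement window."""
    from_platform = any(event["ip"] in net for net in sources)
    start, end = window
    if from_platform and start <= event["ts"] <= end:
        return "authorized-testing"
    if from_platform:
        # Platform address but outside the contracted window: worth a call to the vendor.
        return "platform-ip-outside-window"
    # Not from the platform at all: handle as real, possibly malicious, traffic.
    return "unattributed"


def triage(lines):
    """Return one record per line with its label; unparseable lines are kept, labelled 'unparsed'."""
    results = []
    for line in lines:
        ev = parse_access_line(line)
        if ev is None:
            results.append({"ip": None, "req": line, "label": "unparsed"})
            continue
        results.append({"ip": str(ev["ip"]), "req": ev["req"], "label": classify(ev)})
    return results


def needs_investigation(lines):
    """Only the records a SOC analyst should actually look at."""
    return [r for r in triage(lines) if r["label"] != "authorized-testing"]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f'{r["label"]:28} {r["ip"]!s:16} {r["req"]}')
```

The point of the window check is that a known tester address is only an explanation for traffic while the engagement is running; the same address a week later deserves the same scrutiny as any other source. In a real deployment the range and dates would come from the program contract rather than constants, and the labels would feed the SIEM as an enrichment field rather than being printed.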
Visibility Not Obscurity
Ever wondered what your penetration testers or bug bounty hunters are doing, or whether they are doing anything at all? Now you can know. We capture all testing traffic to analyze security researcher performance, the attack methods used, and more. This gives you greater visibility and the ability to incentivize and direct the security researchers toward areas of higher priority.
Cost Effectiveness Plus Predictability
Our hybrid approach uses a fixed and performance-based cost model which provides you with greater cost effectiveness and predictability. Bug bounty models are extremely useful for continuous discovery of hard-to-find vulnerabilities but may not be the most cost effective if the same bug can be easily found through regular penetration testing. By combining both approaches, you can get a higher return for your limited budget.
Get complete visibility on who is working on your program, where they come from, which targets are most actively tested, which vulnerabilities are being tested for, and much more. Use this data to fine-tune your program for better performance.
Frequently Asked Questions
What targets are suitable for a bug bounty program?
Bug bounty programs can be adopted for any information technology product, from web and mobile applications to TVs.
The most common use case is web and mobile applications that are accessible over the public internet.
How many participants are invited for a program?
We recommend engaging 20 to 40 participants as an optimal balance between hacker diversity and motivation, and program manageability.
What is the award per bug?
Participants are awarded based on the severity of the vulnerability discovered.
We will work with you to design an award structure that maximizes discovery of high-value security bugs.