The blog is authored by Jaan Anvelt, Chief Information Security Officer at Bigbank.
We’re excited to launch our new Vulnerability Disclosure Program with Bugcrowd today! You can find the VDP page here.
Bigbank’s managed Vulnerability Disclosure Program enables the company to scale its crowdsourced security approach by providing a coordinated channel and framework for engaging and maintaining a positive relationship with the security researcher community.
Bigbank specializes in consumer loans and term deposits, and is 100% Estonian-owned, with its parent company and main office located in Estonia. The group has branches in Latvia, Lithuania, Finland, Sweden and Spain and operates as a cross-border service provider in Germany, Austria and the Netherlands. Given the nature of the business, cybersecurity has always been top of mind.
We first launched a self-managed vulnerability disclosure program about a year ago, and quickly realized that even without the monetary incentives in place that a bug bounty has, we could not handle the barrage of vulnerability submissions. On top of that, the reports were not consistent, did not include all the right information, and came from different channels.
With Bugcrowd on board as our partner, we can streamline the intake of vulnerability submissions. Much like a “neighborhood watch” for an organization’s internet assets, the program encourages security researchers to report something if they see something. Bugcrowd helps us handle incoming requests, filtering out false positives and duplicates, and unifying submission reports.
We use the vulnerability data security researchers submit to us via our VDP, and layer it with the findings we have from other sources. As a result, we have been able to identify systemic issues that we might not have otherwise discovered – and at a much faster rate. We are excited to expand this approach with Bugcrowd.