Since 2013, security researchers have helped Bugcrowd change how the world performs security testing at scale. For many, that meant replacing traditional pen tests with the dynamic and continuous coverage only possible through crowdsourced programs like bug bounties. However, an increasing number of organizations face compliance initiatives that still require strict testing methodologies and structured coverage reports. To provide the results these organizations want, with the compliance artifacts they need, Bugcrowd launched Next Gen Pen Test (now called Pen Test Max) in November 2018. And as always, we need your help to make it successful.
In this blog, we will explore how Bugcrowd NGPT differs from our Bug Bounty programs, how you can get paid for time and findings, as well as what’s required to participate.
How do NGPT programs differ from Bug Bounties?
In its most common form, a bug bounty is a program that allows researchers to test in whatever manner they see fit. Some researchers may only hit functionalities they specialize in or those they presume to be more vulnerable, and others may choose not to test at all. A bug bounty lets you choose what you wish to test and how you test it (if at all). This is remarkably effective for finding valuable bugs, but it lacks the objective assurance often needed for presentation to auditors, stakeholders, partners, and more. This is where NGPT comes in.
NGPT provides the benefits of collective crowd creativity, with an overlay of targeted methodology-driven testing. Built-in workflows provide additional efficiencies by replacing the manual report writing process with automated results aggregation, triage, and standardized reporting. With this combination, Bugcrowd provides the economy and speed of a bug bounty program, with the compliance-driven outcomes of a pen test.
How does the researcher role change?
Security researchers selected for NGPT programs play one of two roles. The first mirrors the engagement of a researcher on an ongoing or on-demand Bug Bounty program. The second performs methodology-driven testing and receives compensation for their time via a grant. The grant amounts vary depending on the size, scope, and type of target(s) to be tested, and Bugcrowd provides the methodology the researcher uses for testing. The researcher is also welcome to bug hunt and will be rewarded for their findings. For both roles, researchers are selected based on skills, trust, and experience with the given target type.
What is the testing time frame?
While Bugcrowd programs with an NGPT component may run according to either an ongoing or on-demand schedule, the methodology portion typically lasts for roughly two weeks (some may go longer). Prior to the testing window starting, the selected researchers will be provided with all relevant details for testing (scope, requirements, timelines, deliverables, etc.).
You’re welcome to test where and when you’re able, but rest assured that you’ll have continuous access to our dedicated Researcher Success team. Communication is a researcher’s most valuable asset during one of these engagements, and we encourage researchers to communicate with us throughout so we can help clear up any questions or concerns.
This blog is intended for Bugcrowd security researchers and prospective testers interested in participating in our Next Gen Pen Test engagements. If you’re looking to implement NGPT at your organization, please contact Bugcrowd here.