Researchers play a tremendous role in the success of Bugcrowd programs. With more researchers joining the Bugcrowd platform to help make the world a safer place, we want to take this opportunity to outline the several program types you may encounter. By the end of this blog, we hope to equip you with everything you need to dive right into doing what you do best – finding vulnerabilities.
Bug Bounty
Bug Bounty Programs are the most common type of program on our platform. These programs allow researchers to choose how and when they want to test. Depending on the program’s reward structure, you can earn monetary rewards, kudos points, or a combination of both for discovering and reporting vulnerabilities.
Bugcrowd offers two types of Bug Bounty Programs – private and public. A Private Bug Bounty Program is invitation-only and is not published on the public-facing portions of Bugcrowd’s website. Researchers who have proven their abilities via public programs get invited into private programs. Bugcrowd takes pride in matching researchers with private programs that fit the researchers’ skill sets. It is a top priority for us to set our researchers up for success.
A Public Bug Bounty Program, on the other hand, is publicly available on Bugcrowd’s website, and can be viewed by anyone who visits our programs page here. Public programs allow any researchers on the Bugcrowd platform to join and begin testing immediately. Look through the list of Bugcrowd-managed public programs to choose the programs you want to test on and start building your skills today!
Vulnerability Disclosure Program
Vulnerability Disclosure Programs (VDPs) provide the entire security community a means for reporting and responsibly disclosing any security issues they happen to identify on the public-facing assets of companies hosting such programs. It’s important to note that VDPs are not meant to be a “kudos-only” version of a bug bounty.
While Bug Bounty Programs are often tailored to a set of assets that requires special attention, VDPs are meant to be catch-all programs that cover the entire breadth of a company’s internet-facing assets. As such, VDPs are often used as a way for organizations to identify previously unknown or untested targets that eventually would benefit from being migrated to incentivized Bug Bounty Programs.
While some Bugcrowd customers running VDPs have more limited scopes (for various reasons), we are always working to open the scope to help ensure that customers are more secure and have a better picture of their attack surface and assets (see this customer-focused blog we recently published for example strategies). We recognize that limited scope is not in the spirit of VDP programs and can sometimes create a negative perception towards VDPs within the Crowd; however, it’s important to be aware that it’s something we are working on — for the benefit of customers and researchers alike.
Bugcrowd strongly recommends that every organization has some form of a VDP, whether that is an intake form, a security@ email, or a public program – they help make sure organizations are made aware of threats as soon as the responsible parties identify them. They also provide a great opportunity for researchers to start building relationships with program owners and become familiar with the process of disclosing vulnerabilities. You can search and access VDPs using Bugcrowd’s public program webpage. As a friendly reminder, please be sure to review a program’s details before submitting your reports.
Next Generation Pen Test
With an increasing number of organizations facing compliance initiatives that require strict testing methodologies and structured coverage reports, Bugcrowd launched Next Generation Pen Test (NGPT) to provide the effectiveness of bug bounties with the compliance-driven outcomes of pen tests.
All NGPT engagements are invite-only and consist of both free-form testing and a methodology-driven assessment, the latter of which typically lasts two weeks. All results are collated into the final report. Prior to engagement kickoff, Bugcrowd will provide the researchers selected for the methodology portion with all relevant details for testing. This subset will also be provided a base pay amount (which varies by size, scope, and target complexity) for completing the methodology, regardless of whether unique vulnerabilities are uncovered. If vulnerabilities are identified, NGPT testers will be paid a bounty reward for these findings as well.
As Bugcrowd is hyper-focused on researcher success on NGPT projects, you will also have continuous access to our dedicated Researcher Success team, who will answer any questions you may have throughout an engagement. Once the testing phase has concluded, you are often allowed to continue hunting, though this does vary depending on the engagement.
If you have experience as a methodology-driven penetration tester or are interested in NGPT engagements, please reach out to us here and we’ll be in touch! Also, if you would like more information about NGPT, please reference this blog.
We hope this overview of Bugcrowd’s various program types has cleared up any questions you had and enables you to select the types of programs you test against. If you have any additional questions, always feel free to reach out to support@bugcrowd.com. Happy hunting!