How Okta’s Bug Bounty Program Augments Internal Testing and Delivers Incredible ROI

Augmenting Okta’s Internal Team with the Crowd

From the beginning, Okta, a leading provider of identity for the enterprise, has built strong offensive and defensive security functionality.They have maintained the highest standards of security testing both internally and externally–now the crowd is part of those efforts.

In early 2015, Okta’s security team, led by CSO David Baker, turned to the crowd through launching a private bug bounty program with Bugcrowd, who worked closely with their team to invite the top researchers to test their applications. With the help of Bugcrowd’s powerful triage and management support, Okta receives only high-value, ready-to-fix vulnerabilities, making it a key component of their vulnerability management program and SDL.

How the Crowd Maximizes Security ROI

Through continuous testing in earlier phases of design and development, their program gets as close to end-to-end security testing as possible. The volume of testing resources has delivered incredible throughput as depicted below in monthly testing volume from the crowd during their initial private program.

Furthermore, although bounty payouts vary with criticality and over time, Okta’s bug bounty program has actually ended up being more cost effective than other testing methods. This efficiency and effectiveness make their program key to their SDL and vulnerability management programs, supporting better utilization of internal resources and improved overall security ROI.

Private to Public

After an extended private bug bounty program with Bugcrowd, Okta opted to launch a public bug bounty program to leverage the full scope of Bugcrowd’s tens of thousands of cybersecurity researchers.

The program will augment Okta’s industry-leading security team and strategy to further enhance the security of the Okta Identity Cloud through working closely with the researcher community