Why did your team decide to adopt a bug bounty program?
As a financial services provider, security is obviously important to us. We incorporate security into our feature planning, development, quality assurance, operations, PCI compliance and third-party vulnerability testing. Even with all of that, we find that the Bugcrowd program adds tremendous value to our organization in at least two ways. First, the community of researchers is constantly auditing our site looking for issues. Second, they are watching news for novel weaknesses and seeing if those issues apply to us.
For what reasons did your team decide to partner with Bugcrowd?
We had been administering our own program using a ‘security@’ email address and just found ourselves overwhelmed with responses. Switching to Bugcrowd has improved our efficiency in handling issues and improved the quality of the reports.
How many members are on your security team and what is your current process?
As a growing startup, the CARD.com “security team” is basically all of our developers. We see interaction with issues submitted through Bugcrowd as a way to help our team learn about security. The broader Drupal project has a Security Team of about 40 people, including three developers at CARD.com.
How cost-effective are the results when compared to pen-testing and scanners? What type of vulns have been discovered?
We’ve had very solid results via Bugcrowd. Compared to a traditional penetration test, bugs identified via the Bugcrowd community are a great value. Furthermore, traditional penetration tests are one-time events rather than ongoing efforts. Bugcrowd helps keep us safe. As an agile startup, we're constantly releasing new features and improvements to our applications, so it's great to have constant testing.
CARD.com provides Visa Prepaid Cards as a fun, fashionable and simple payments solution for their members. CARD.com is safer than cash. All loaded funds are FDIC-insured through The Bancorp Bank; Member FDIC. You can load money in many convenient ways, including with cash at Western Union and through direct deposit from your employer or federal benefits.