Why did your company decide to utilize Bugcrowd?
WHMCS selected Bugcrowd for a number of reasons to handle our Bug Bounty Program:
- We wanted to streamline payouts without the back-office administration burden. Managing security submissions is a challenge in itself, but the overhead of tracking and completing payouts was a challenge that Bugcrowd solved for us.
- We wanted someone to initially vet security reports. A bug bounty program generates lots of noise. Identifying, vetting, and narrowing the focus of validated vulnerabilities was essential to the success of launching this program.
- The final decision was based on Bugcrowd’s flexibility to shape the program to our needs. Throughout learning the problems we faced, Bugcrowd identified solutions and workflows that fit nicely into our company and current process.
Are you concerned with having so many security researchers test your app?
Not at all; in fact, getting security researchers to test applications is normally very challenging. Bugcrowd not only provided us a pool of security researchers, it made existing client onboarding very painless. Anyone that wants to participate as a researcher can do so in less than 30 seconds.
Does the risk of a researcher exposing a vulnerability concern you?
Disclosure is always a concern when dealing with security, but having protocols in place, communicating with security researchers, and having a bounty program that rewards them for reporting allows us to take corrective action, which is beneficial.
How does Bugcrowd compare to a penetration test or other security methods?
Bugcrowd is in a unique class compared to penetration testing and other security methods. Each plays a vital role in application security, with Bugcrowd giving WHMCS a public-facing method for security researchers to report and be rewarded for their efforts. Penetration testing, security compliance, and other security measures all come into play; however, they each have their own role in application security.
In your own words, describe Bugcrowd to a colleague.
Bugcrowd is a fully managed Security Bounty program that provides services that include vetting, analysis, and protocol-based communication for application security. As a partner in our application security, they provide us with the ability to easily manage a bounty program and handle most aspects from submission to payout.