M.27) Use bug bounty programs

Category:        Product Security

Responsible:   PSR, CTO

Effort:              1 hour

Based on:      BSI IT Grundschutz M 5.150, author recommendation

There are multiple platforms that offer so-called bug bounty programs. On these websites, companies pay the crowd (people from all over the world) for finding vulnerabilities in their software, which effectively turns such platforms into external penetration testing programs. Many well-known startups use this kind of program, including UBER, GitHub, Dropbox, Slack, New Relic, LastPass, OWASP, Fiat, Barracuda, Western Union, Pinterest, and many more.

The PSR and CTO should define which parts of the product they want to have tested by the crowd (the scope of the program) and how much they reward the people who find bugs.

Examples:

https://bugcrowd.com, https://hackerone.com
