Prior to Bugcrowd, how did your team address crowdsourced security?
We ran our own bounty with our own security page. It worked okay, but it was a mess to handle through email, and the quality of submissions we received was generally very low.
Why did your company decide to go with Bugcrowd?
Bugcrowd's Crowdcontrol platform gives our company's disclosure program legitimacy and does a lot of work in giving our submission requirements the acknowledgment they deserve. It’s great to have everything handled in a single location, where I can see tester quality and have some structure around duplicates, bad submissions, and also for giving credit where credit is due when we get a great submission.
How many members are on your security team, and what is your current process?
We have 2 of the 4 team members that work on security at the app layer and the infrastructure layer. Having built webapps for a while, we’re generally pretty good at catching security issues before they crop up, but the less obvious or novel issues are generally the ones that can threaten your business. We love that Bugcrowd is a good second level of defense to catch issues before it’s too late.
Are you concerned with having so many security researchers testing your app?
Not at all; the more the merrier. The platform does a great job in helping us manage the volume, but we're 100% happy to give rewards and recognition where they're due. The testers spend their time and energy to help make our app and infrastructure more secure, and we're happy to compensate them accordingly.
How would you describe the Crowdcontrol platform to a colleague?
Crowdcontrol makes my life not suck :). Security has traditionally been a very closed, hush-hush topic, but the benefits of getting everything into the open far outweigh the security-by-obscurity or security-by-silence approach that Bugcrowd and Crowdcontrol improve upon. Its sensible tools and transparent process allow us to get back to doing what we do best - shipping awesome products to our customers.