Release the Hounds! A look inside Bugcrowd. This was a presentation Casey gave at the Sydney Ruxmon Information Security meetup at Google in 2013.

1. Release the hounds! A look
inside Bugcrowd.
Casey Ellis
casey@bugcrowd.com
@caseyjohnellis

2. Summary
• I’m not here to sell you anything
– Unless you’re buying
• Quick overview of how Bugcrowd works
• Some stats from the bounties we’ve run and
general experience of how it all goes down
• Questions

3. About me
• 12 years in I.T.
• Started off technical then moved to the
business side, then went rogue
• Got bitten by the entrepreneur bug
– White Label Security, RDPCheck, others
• I know enough to *sometimes* ask the right
questions
– but right now I’m probably the dumbest guy in the
room.

4. Bug bounties are awesome…
• Just ask Google, Facebook, Paypal
• Lots of eyes == more bugs found faster
• Lots of eyes = diverse talent pool
• Theoretically continuous coverage
– If your rewards are big enough

5. …but hard.
• Just ask Google, Facebook, Paypal
• Overhead of managing the tester community
• Spurious findings
– Here’s Nessus scan, I can haz money nao?
• Managing payments to testers
• How do I cap my spend?
• How do I control the crowd?

6. Enter Bugcrowd!
(hat tip to @snare)

7. The gist of it…
• Managed bug bounties for web, mobile and
client/server apps
• “Came out of stealth” in December
• Founded by Sergei Belokamen (@sergicles) and I
• Nick Ellsmore (strategic advisor)
• Funded and mentored by Startmate Accelerator
– Validating and improve the idea and the business
model
– Off to Silicon Valley in April to raise capital and work
on the US market

8. How does it work?
• Ongoing bounties (a la Google)
– Bugs validated, scored & passed on “as discovered”
– Payments managed, etc
• Time-boxed bounties
– Kind of like a crowd-sourced pen test
– Client sets size of reward pool and duration of testing
– Fixed rewards
• Higher reward for the 3 most “creative” bugs
• Lower for the rest
– Report at the end of the bounty

9. What else?
• Kudos points
• Private bounties
• Crowdcontrol
• Free bounties for charities (awesomesauce)
• Charity or non-paid valid findings = ISC2 CPE

10. So, does it work?

11. A typical bounty:
• 2 mins – Clickjacking (EVERY. SINGLE. TIME)
• 0 to 6 hours – Lots of XSS, CSRF and other
“common” bugs
• 6 to 24 hours – Stragglers
• 24 hours + - The interesting stuff… bug
chaining, non traditional vectors, etc

12. Some stats
• 10 bounties
– 4 charity
– 2 private paid
– 3 open paid
– 1 malware bounty
• 1,500 testers
• ~ 250 active submitters
• ~ 1,000 submissions

13. 0-day?
• An unpatched security bug in 3rd party
software has been disclosed in 4 of the
bounties we’ve run so far
• OK, not really 0-day, but goes to show that
these guys are going reasonably deep

14. Total validated submissions
• Up to Beta 006
• 85 unique bug types (e.g. Reflected XSS,
storage-based XSS, SQL Injection,
authentication/automation, etc)
• 140 unique findings

15. Countries of origin
• Australia
• New Zealand
• UK
• Italy
• Germany
• Spain
• France
• Sweden
• Georgia
• Pakistan
• India
• Malaysia
• Norway
• South Africa
• Argentina
• Israel
• USA
• Iceland
• A lot of “known”
bounty hunters
• A lot of day-job pen
testers

16. General observations
• IT’S WORKING (mostly… still a lot to learn)
• Charity bounties work too!
• Running an accelerated start-up is wicked hard
work
• Start-ups and charities have no idea how bad
their appsec is
• Bug bounty on outdated Wordpress on GoDaddy?
– You’re gonna have a bad time

17. Next…
• More bounties
• Get some ongoing bounties going
• Get better at running these things
• Off to the valley…

18. Thanks! Questions?
• casey@bugcrowd.com
• @caseyjohnellis
• @bugcrowd