November 1, 2022
What if you could expand the way you found vulnerabilities in your application by tapping into a global community of security researchers?
Bug bounty programs are quite mature in larger overseas markets, such as the US. But here in New Zealand, and even in Australia, the concept hasn’t been explored in too much detail.
That’s where Ankita Dhakar comes in: cybersecurity expert and founder of the crowdsourced security platform Capture The Bug.
In this blog post, you’ll learn from Ankita:
Let’s get into it.
Crowdsourced security is an initiative that rewards individuals for identifying and reporting vulnerabilities. As it’s a fairly new concept in New Zealand, Ankita’s business Capture The Bug is now tasked with showing the true value of running a program that rewards security researchers for exposing risk in applications.
“We’re seeing more and more complex applications being developed. We’re seeing new vulnerabilities popping up each day. Having this global community of security researchers by our side makes us more capable of fighting against the bad actors.”
For Capture The Bug, there has been worldwide interest from 200+ security researchers. They’re not employed by the business, but they’re verified and vetted to make sure that other businesses have confidence in adopting the new model of crowdsourced security.
As cyber attacks rise and complex applications are built each day, we’re in an era where there is a lack of cybersecurity professionals. This means that a bug bounty program can ensure that there are security researchers constantly looking at your application and reporting any vulnerabilities to you.
“There’s always a high chance there is a vulnerability in your application and that could be exploited by a bad actor before you do the next pen test,” said Ankita.
The question on everyone’s mind: how much do I have to pay if a vulnerability is found?
According to Ankita, it depends.
“There are two types of programs. One is a vulnerability disclosure program and one is a bug bounty program. With a vulnerability disclosure program, there is no requirement for a business to pay for a vulnerability. And the other way is by bug bounty program where it depends on the budget, the size and the impact that vulnerability causes to your application.”
When it comes to actually paying your researchers, “there are no hard and fast rules.” Ankita recommends basing this decision on your particular business and the risk appetite you have.
The greatest advantage: “You’re showcasing to your community, to your customers, that, hey, we take cybersecurity seriously.”
Ankita says that by hosting your bug bounty program on a platform such as Capture The Bug, there is more of a global reach and access to the security researchers that can find vulnerabilities in your application.
For the full interview with Ankita Dhakar, check out our YouTube channel. New episodes of the Upwards podcast are released every Friday.