Crowdsourced security: How to run an effective bug bounty program

November 1, 2022

What if you could expand the way you found vulnerabilities in your application by tapping into a global community of security researchers?

Bug bounty programs are quite mature in larger overseas markets, such as the US. But here in New Zealand, and even in Australia, the concept hasn’t been explored in too much detail.

That’s where Ankita Dhakar comes in—founder of crowdsourced security platform, Capture The Bug, and cybersecurity expert.

In this blog post, you’ll learn from Ankita:

  • The definition of crowdsourced security
  • How it works in terms of a business model
  • The cost to run your own bug bounty program
  • The advantages of running an effective program

Let’s get into it.

What is crowdsourced security?

Crowdsourced security is an initiative that rewards individuals to identify and report vulnerabilities. As it’s a fairly new concept in New Zealand, Ankita’s business Capture The Bug is now tasked with showing the true value of running a program that rewards security researchers for exposing risk in applications.

Ankita explained:

“We’re seeing more and more complex applications being developed. We’re seeing new vulnerabilities popping up each day. Having this global community of security researchers by our side makes us more capable of fighting against the bad actors.”

How does the business model work?

For Capture The Bug, there has been worldwide interest from 200+ security researchers. They’re not employed by the business, but they’re verified and vetted to make sure that other businesses have confidence in adopting the new model of crowdsourced security.

As cyber attacks rise and complex applications are built each day, we’re in an era where there is a lack of cybersecurity professionals. This means that a bug bounty program can ensure that there are security researchers constantly looking at your application and reporting any vulnerabilities to you.

“There’s always a high chance there is a vulnerability in your application and that could be exploited by a bad actor before you do the next pen test,” said Ankita.

What is the cost for businesses to run a bug bounty program?

The question on everyone’s mind: how much do I have to pay if a vulnerability is found.

According to Ankita, it depends.

“There are two types of programs. One is a vulnerability disclosure program and one is a bug bounty program. With a vulnerability disclosure program, there is no requirement for a business to pay for a vulnerability. And the other way is by bug bounty program where it depends on the budget, the size and the impact that vulnerability causes to your application.”

When it comes to actually paying your researchers, “there are no hard and fast rules.” Ankita recommends that this decision is based on your particular business and the risk appetite you have.

What are the advantages of an effective bug bounty program?

The greatest advantage: “You’re showcasing to your community, to your customers, that, hey, we take cybersecurity seriously.”

Ankita says that by hosting your bug bounty program on a platform such as Capture The Bug, there is more of a global reach and access to the security researchers that can find vulnerabilities in your application.

For the full interview with Ankita Dhakar, check out our YouTube channel. New episodes of the Upwards podcast are released every Friday. Listen to this episode below.

Unbeatable cyber resilience 🦹

Winner of 2021 iSANZ Best Startup

"We wanted a solution that was fit for purpose, reflecting our age and stage, while delivering the outcomes we wanted for our customers and people. After looking at what was available, Onwardly stood out as serving this purpose perfectly."

Kendall Flutey

Founder & CEO