BugCrowd
BugCrowd have a 90d free program for COVID relief efforts, for which we would qualify.
Summary of their offer:
We put the BugCrowd embedded submission form on our website.
BugCrowd will help us to define an appropriate disclosure policy - with a Solution Architect assigned to help us.
This allows their Security Researchers to submit problems into BugCrowd’s system
BugCrowd ASE team will triage the bugs, de-duplicate them, and pass them on to us with guidance
Integration with Jira & Slack are both possible.
Anyone submitting a defect will be committing to BugCrowd to keep the details confidential.
This can be live ~2 weeks after a kick-off call. If we can execute paperwork quickly, we can have a kick-off call early next week (maybe by 26 May) and therefore have this live by ~9 June.
The program will be “points only”. Incentive for Security Researchers to gain points is that it can help them get invited to more lucrative paid engagements in future.
For now we’re being supported by the UK team - this is based on my initial request mentioning my location as Europe. They say it won’t be a problem to change this if we need, but I expect it is fine.
What are the limitations?
BugCrowd will not be promoting this on their own website, or explicitly directing security researchers to the product - we will have to drive people to this ourselves. This would be available as a paid option.
The free offer is only for 90d. BugCrowd are yet to determine what they can offer in the COVID relief program after 90d.
Next steps:
There will be a zero-value contract which we’ll have to sign. I will pass this to Sam to handle.
Then we can have a kick-off call next week.
And be live by ~9 June.
Things to co-ordinate from Safe Paths' side.
We’ll need a page on the website, which we can embed the BugCrowd submission form on. I’ll reach out to the website team on this.
For MVP1 launch, we’ll need some different text on the website, with e.g. an email address, and info that BugCrowd is coming soon. I think it’s unlikely we’ll get a lot of interest before we can get BugCrowd up, but we should not risk having nothing. Again I’ll co-ordinate with the website team.
We’ll need to set up Jira & Slack integration. Should be straightforward enough.
We’ll need a primary contact for BugCrowd - assume that’s Diarmid for now.
Other points to close internally
My view is we should go for the free program, and evaluate how this goes before considering a move to a paid program - just need to confirm Sam agrees.