Crowdsourced security model shows real potential

Mar 12, 2015 13:52 GMT

Bugcrowd, the platform that runs bug bounty programs, announced that Western Union’s vulnerability rewards program is now open to the public, with the largest payment offered by the financial institution being $5,000 / €4,700.

Western Union and Bugcrowd’s partnership began in early 2014 with a private bug bounty program that testers could access only by invitation. Over time the program was refined and scaled up so that the company could get the most out of the crowd’s services.

Not all bugs eligible

Starting Wednesday, the program is open to the more than 15,000 testers and researchers in the Bugcrowd community. The lowest reward offered by Western Union for a valid vulnerability submission is $100 / €94.

On its Bugcrowd space, the financial company lists a set of security flaws that are not eligible for a reward; these include brute-force attempts on the log-in page, disclosure of public files or folders, clickjacking and issues only exploitable through clickjacking, CSRF (cross-site request forgery) flaws on contact forms intended for anonymous users, log-out CSRF, and issues stemming from SSL settings, such as insecure cipher suites being enabled.

The websites that bug hunters are allowed to test include the main domain as well as the localized ones. The company warns that, since the websites share a core web application, a flaw found in one of them will be reproducible in all of them; thus, only one bounty will be awarded per vulnerability.

Bugcrowd keeps on growing

“Bugcrowd is a young company, and they continue to add more functionality quickly – they're a truly disruptive platform,” said David Levin, Director, Information Security at Western Union.

“Their testers dig deep in their testing. Not only will they take a URL and test it for many days, but they have also found what other systems have not identified. No system can be proven to have zero vulnerabilities, so continuous testing at this level of depth is great,” he added on Wednesday.

Bugcrowd is a crowdsourced vulnerability assessment platform whose revenue grew 11.3x from 2013 to 2014 and whose community of security researchers grew from 3,000 in 2013 to more than 15,000 at the time of writing.

On Thursday, the company announced that it had raised $6 million / €5.6 million in Series A funding from Costanoa Venture Capital, Rally Ventures, Paladin Capital Group and Blackbird Ventures.

Its list of customers includes well-known companies such as Pinterest, Barracuda Networks, Silent Circle and Indeed.