The appeal of a bug bounty program, one approach to crowdsourced testing, is that it goes beyond traditional penetration testing by having a multitude of ethical hackers assess your assets with stronger incentives to find results, getting you closer to a true adversarial perspective.
The more perspectives and the stronger the incentives, the more creative the testing will be, and ultimately the better the results. Additionally, the crowd provides a wider range of expertise, ensuring that the testers have the skills needed for your assets.
Bug bounty is one feature of what we do, but Synack goes further by providing bounty-driven testing with a highly vetted elite crowd and combining the testing process with an integrated technology platform. This means you get the scale and rigor of bug bounty, with the control, efficiency and quality that’s unique to Synack, resulting in 30% higher ROI compared to other crowdsourced solutions.
Just who is in the crowd in our crowdsourced approach? Unlike most bug bounty programs, our customers’ assets are not available to simply any hacker willing to contribute. We open testing only to ethical hackers who have been thoroughly screened and tested; only a minority of applicants are accepted into the Synack Red Team, or SRT. This means that we provide the top talent in whitehat hacking, and can also vouch for a history of quality contributions from the team members. Additionally, we can assign a subset of the SRT appropriate for the job, whether that be based on the tech stack or regional/legal requirements. Furthermore, this vetting process minimizes risk associated with unvetted hackers.
Before engaging with unvetted bug bounty hackers, organizations need to be well-informed of the benefits of a comprehensive crowdsourced platform and the potential risks of working with the wrong crowd.
Without proper crowd standards, quality assurance, or technical controls and management, bug bounty programs can introduce unwanted risk and operational burden into an organization. In a typical cyber security bug bounty program, there could be thousands of bug bounty hunters of varying expertise, generating noisy results of varying quality. As mentioned, one of the key benefits of bug bounty is access to more researchers, and thus more vulnerabilities. However, organizations often fear an influx of vulnerabilities and a lack of resources to appropriately manage and triage even the valid ones. Behind every critical vuln, there are numerous false positives and low-quality reports to sift through as well. Furthermore, managing communication with a crowd of hackers can be daunting. Synack offers a high level of control, quality, and insight that is not as accessible in traditional open bug bounty programs.