Wednesday, May 27, 2015

Bug Bounty Programs: “Asking for it”

At the Austin OWASP chapter meeting, Charles Valentine, VP of Technical Services at Indeed, presented "Case Study: Key Takeaways from Indeed's Crowdsourced Security Testing Program." A recording of his talk is here: https://vimeo.com/channels/owaspaustin


Indeed, whose slogan is "We help people all over the world hire and get hired," prides itself on providing a secure environment in which job seekers and employers can interact. Its application and data also change at a rapid rate. For both reasons, Indeed is highly motivated to find and fix bugs, especially security bugs, proactively.

Indeed is careful to avoid holding "toxic assets" such as credit card numbers: financial transactions happen between the individual and the bank, and Indeed stores only a token that stands in for the card, never the card data itself. Charles also acknowledged that, given their rate of change, they need a way to find bugs quickly, and he emphasized what we all know to be true: the sooner a bug is found, the cheaper it is to fix.
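To make the "token, not card data" idea concrete, here is an added example; it is not code from the talk or from Indeed's systems. It assumes a payment processor (stubbed here) that accepts the card number and returns an opaque token plus the last four digits, and a merchant-side store that keeps only those two fields. The Luhn-based guard is the practical point: the merchant store refuses to persist anything shaped like a real card number, so a PAN cannot end up in the merchant's database by accident.

```python
"""
Added example (not from the talk or from Indeed): the merchant keeps a token
for a card, never the card number. ProcessorStub stands in for the bank or
payment processor and is constructed for this example only.
"""
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn checksum. Used here only to recognise card-number-shaped values."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if value is 13-19 digits (spaces and dashes ignored) that pass Luhn."""
    stripped = re.sub(r"[ -]", "", value)
    return bool(re.fullmatch(r"[0-9]{13,19}", stripped)) and luhn_valid(stripped)


class ProcessorStub:
    """Stand-in for the processor side (constructed for this example).
    It holds the PAN in its own vault; the merchant only ever sees the token."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> dict:
        pan = re.sub(r"[ -]", "", pan)
        if not looks_like_pan(pan):
            raise ValueError("not a card number")
        token = "tok_" + secrets.token_hex(16)   # opaque, unguessable handle
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:]}


class MerchantCardStore:
    """Merchant-side store: keeps only token + last4 and rejects PAN-shaped data,
    so a bug elsewhere cannot quietly turn this table into a 'toxic asset'."""

    def __init__(self) -> None:
        self.records: dict[str, dict] = {}

    def save(self, user_id: str, token: str, last4: str) -> None:
        for field in (token, last4):
            if looks_like_pan(field):
                raise ValueError("refusing to store card-number-like data")
        if not re.fullmatch(r"[0-9]{4}", last4):
            raise ValueError("last4 must be exactly four digits")
        self.records[user_id] = {"token": token, "last4": last4}


if __name__ == "__main__":
    # 4111 1111 1111 1111 is the well-known Visa test number (constructed input).
    processor = ProcessorStub()
    ref = processor.tokenize("4111 1111 1111 1111")
    store = MerchantCardStore()
    store.save("user-42", ref["token"], ref["last4"])
    print(store.records["user-42"])
    try:
        store.save("user-43", "4111111111111111", "1111")
    except ValueError as e:
        print("blocked:", e)
```

The guard is deliberately conservative: a 13-19 digit string that passes Luhn is treated as a card number even if it is not one, because a false positive here costs a retry while a false negative stores cardholder data.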

Of course, it's possible to hire legions of testers and penetration testers. It's also possible to crowdsource the testing by enlisting bug bounty hunters to find the bugs.

Indeed chose to set up a bug bounty program using Bugcrowd. They pay between $50 and $1,500 for each bug a hunter finds. So far they have paid for 228 bugs, at an average payment of $162.50, and they typically respond to a submission within 7 days. They estimate that running the program on the Bugcrowd platform saves them about 80% of its administrative cost.