Getting Started
Want to learn more about how your organization can leverage Bugcrowd’s Pen Test to exceed
compliance initiatives? Curious about our other security testing solutions? Contact us today!
www.bugcrowd.com/about/contact
Introducing the Bugcrowd Pen Test Portfolio
While many organizations share a need for compliance, not all have the same testing requirements or capacity.
Some seek continuous coverage, to match increasingly rapid development cycles. Others need shorter testing
windows throughout the year, as dictated by engineering workflows or budgetary and procurement cycles. Equally,
an organization’s appetite for tester incentivization may be shaped by its bandwidth to address vulnerabilities and
ability to maintain an elastic pool of monetary rewards.
To address these varied needs, Bugcrowd has launched a new approach to pen testing. Our Pen Test portfolio
offers two distinct solutions, Next Gen Pen Test (incentivized) and Classic Pen Test (project-based), which address
unique security testing goals. Both are hosted by the Bugcrowd platform, which enables them to leverage the
diverse expertise of the global hacking community, while still providing methodology-based coverage and essential
compliance reporting.
Bugcrowd’s Next Gen Pen Test (NGPT) pairs highly vetted and deeply experienced pentesters with organizations
that want to incentivize discovery of vulnerabilities to greatly reduce risk, increase go-to-market velocity, and
exceed methodology-driven compliance initiatives. By leveraging a fully managed crowdsourced security model
backed by industry-leading technology, NGPT quickly matches and motivates the right skills for every program
without lengthy scheduling delays or costly overhead. NGPT’s unique incentivization layer rewards pen testers for
valid findings, increasing the volume and variety of critical vulnerabilities discovered over a shorter period of time.
Unlike traditional pen tests, which deliver results at the end of the assessment, NGPT also provides immediate
access to vulnerabilities as they are received. Our in-house team of security engineers then triages, validates, and
prioritizes every vulnerability, while baked-in remediation advice and SDLC integrations like JIRA and GitHub help
development teams fix fast. For organizations that want to keep pace with rapid development cycles, NGPT can be
deployed as an on-demand or continuous program, with premium SLAs, retesting, and coverage analysis included.
Chaim Mazal
Vice President, Head of Information Security, ActiveCampaign
“I could have called anyone to get a clean bill of health, but that’s not our business. We called
Bugcrowd because we wanted the most in-depth vetting of our security posture. It’s beyond
compliance — it’s about true risk reduction, and we wanted a great partner to get us there.”
Next Gen Pen Test - How it Works
All Bugcrowd Pen Test solutions are delivered via the Bugcrowd platform, enabling rapid setup, with access to fully
vetted testers and seamless workflow integrations for increased visibility and control. NGPT engagements begin
with Bugcrowd’s Trust and Triage Engine, which helps select, vet, and enable the right pentester based on skill and
experience, as well as additional factors upon request like geo-location, ID-verification, and background checks.
Selected testers then follow our BugHunter methodology (unless otherwise specified), which blends the OWASP
Top 10, PCI, NIST, and HITRUST standards with industry best practices. For continuous engagements, additional
pentesters and security researchers apply their own tactics for expanded coverage and risk reduction. Our team
of in-house security engineers accepts, validates, and rewards incoming submissions on a rolling basis, to facilitate
faster remediation before a final report is rendered. Finally, Bugcrowd’s baked-in remediation advice and retesting
services ensure that what’s found is also fixed.
Next Gen Pen Test is offered on-demand, or on a continuous basis. Where possible, continuous testing helps
assure coverage across the entire software development lifecycle. New code introduces new opportunities for
vulnerabilities, increasing risk between point-in-time security tests. While automated scanners provide continuous
coverage, they also produce extraordinarily high volumes of noise, making it difficult to find true signal in a
mountain of false positives, or low-risk “known-knowns.” NGPT pairs the value of continuous testing and always-on
platform reporting, with the compliance-driven requirements of structured, methodology-based testing as needed.
[Figure: Security Coverage over Time, contrasting a Point-In-Time Traditional Pen Test with a Methodology-Driven Test; Code Release markers show where coverage gaps open between point-in-time tests.]
Classic Pen Test - Block Engagements For Testing When You Need It
Bugcrowd’s Pen Test portfolio brings the power of the Crowd to organizations with immediate compliance or
security testing needs. While Bugcrowd Next Gen Pen Test is defined by a layer of gamified incentivization,
Bugcrowd Classic Pen Test provides on-demand methodology-driven testing on a set, per-project rate.
A stackable pay-per-project model means every organization can now access thousands of thoroughly vetted
and immediately available pentesters, while CrowdMatch™ technology ensures each is expertly assigned by skill
and experience. And because Classic Pen Test is powered by Bugcrowd’s advanced security platform, results
are viewable as soon as they are discovered and submitted, rather than weeks later. To help Dev fix even faster,
Bugcrowd-validated and prioritized vulnerabilities can also be pushed directly into your existing security workflows
through integrations like JIRA and ServiceNow. Classic Pen Test offers additional flexibility through add-ons like
expedited testing, executive reporting, and retesting.
Bugcrowd’s Pen Test portfolio offers customers freedom of choice in determining the testing style right for them. All
solutions benefit from the Bugcrowd platform, and can be further tailored to meet individual customer preferences.
• CrowdMatch™ to quickly locate and enable the largest pool of experienced pentesters
• SDLC integrations like JIRA and GitHub plus an open API to fit your security lifecycle
• Vulnerability validation, prioritization, and remediation advice to help Dev fix faster
• Continuous coverage for rapid development cycles and greatest risk reduction
• Incentivized vulnerability discovery for more, high-value findings from top pentesters
The Bugcrowd platform provides access to a number of different crowdsourced testing solutions that complement
one another for increased risk reduction and security workflow integration. The technology, people, and
processes that underlie this platform enable rapid skill matching, fully managed vulnerability triage and prioritization,
real-time vulnerability access, and SDLC integrations to facilitate faster response and remediation.
All Pen Test portfolio programs support compliance initiatives through methodology-driven testing, yet are
differentiated from traditional pen testing in their ability to locate and activate ‘always-on’ resources from a pool
of hundreds of thousands of uniquely skilled pentesters and security researchers. Next Gen Pen Test supports
greatest risk reduction through a layer of incentivized gamification which rewards researchers for findings.
Advanced tooling like one-click retesting and features like Coverage Analysis and Premium SLAs further
distinguish Next Gen Pen Test from traditional testing. Classic Pen Test, on the other hand, provides greater
flexibility in time-blocked coverage through a more predictable pricing plan, and does not include a bounty “pool”
component for incentivization. Add-on features enable customers to build the coverage that’s right for them.
Richard Rushing
CISO, Motorola Mobility
“Planning a traditional penetration test is a painful process. There are a lot of hoops to jump
through, not to mention, scoping is difficult and the methodology is strict. Bugcrowd’s Next Gen
Pen Test leverages the crowdsourced security model to bring 10x the security coverage needed
for today’s application and the cost savings. You can’t beat it.”
Comparing Results - Bugcrowd Versus Traditional Pen Testing
RAPID RISK REDUCTION
Setup times averaging under 72 hours with streaming vulnerability visibility reduces both risk and overhead compared to traditional methods.
MORE COST-EFFECTIVE
Incentivized or project-based options help meet compliance goals within any budgetary framework. More findings reduce cost-per-vulnerability.
LOWER OPERATIONAL OVERHEAD
Cloud-based, managed solution seamlessly integrates into your existing SDLC for frictionless operation; workflow automation reduces time in platform.
On-demand Pen Testing is a great choice for organizations looking for a crowdsourced
security replacement for periodic penetration tests.
Continuous Pen Testing is useful for high-value targets or for organizations with agile
development that contributes to a dynamic attack surface.
Bugcrowd’s industry-leading crowdsourced security offerings are based on three key elements:
• Continually assessed for skills, experience, and performance; ID verification, and background checking.
• Hundreds of thousands worldwide provide rapid activation and 24x7 coverage.
• Diversity of backgrounds and attack methodologies support a broad range of targets (web, API, IoT, mobile).
• Remediation acceleration through baked-in security workflows to eliminate overhead and reduce risk of human error.
• Visibility into vulnerability lifecycle, bounty pool, and pentester activity.
• Seamless integration into your SDLC and security systems and processes; Bugcrowd’s API facilitates all of your additional use cases.
• Vulnerability triage, validation, and remediation advice through our in-house team of Security Operations experts.
• Ongoing health monitoring provided via our team of dedicated Account Managers.
• Pentester management, payout guidance, and dispute resolution through our team of dedicated Researcher Success Managers.