The Bug Bounty Program

Engage independent security researchers worldwide
to hunt even the most elusive bugs in your security system


Let the best security hackers hunt your bugs

When hearing the term “bounty hunter” people usually think of the wild west where gunfighters received a bounty for hunting down “wanted” persons.

A bug bounty program is similar, but in the virtual world, and instead of “wanted” persons we are hunting bugs (errors, malfunctions). Here, hackers receive a bounty for identifying a software error, since in reality all security issues are either software misconfigurations or software errors. And the more severe the error, the more generous the bounty.

Quick and cost effective for big or small companies

Hackers are increasingly targeting mid to small size companies, as they usually have weaker cyber security defenses than large enterprises. These companies face two challenges: they are a preferred target, and traditional cyber security measures are rather expensive and therefore challenging to implement. Our service aims to provide cyber security support to exactly those mid to small size businesses, but we do not exclude large enterprises that are looking for an excellent but cost-effective solution.

We match hackers, who search for bugs while complying with a pre-agreed set of rules, with companies that want to implement ongoing security measures. Our service makes sure that your systems and applications are continuously checked, and you only pay if security issues are found.

Discover even the trickiest bugs

Get your systems and infrastructure checked for vulnerabilities on an ongoing basis


Engage collective expertise


First of all, bug bounty programs solve the “snapshot in time” issue of traditional penetration tests. With a bug bounty program, security tests take place on an ongoing basis and therefore provide continuous information about the security situation of systems and infrastructure. Companies thus gain uninterrupted insight into any security issues and can immediately take action to solve the problem(s). Nevertheless, we strongly recommend an initial thorough penetration test to set the stage and to fix all existing vulnerabilities. This allows a clean start, and you will pay only for vulnerabilities that are found as time goes by.

The second aspect is collective knowledge and expertise. Instead of a small team of penetration testers, the systems of customers are constantly attacked by hundreds of security specialists, ensuring a holistic approach.

An interesting side effect is that bug bounty programs increase the internal awareness of cyber security. Neither software developers nor vendors want to be confronted with ongoing issues caused by either of them.

Bug bounty programs used to be the domain of software giants like Google, Microsoft, AWS, and others, as it was very difficult to organize and run such programs. With our platform and expertise, we are able to offer such a service also to small and medium-sized companies. We are able to extend the mechanics of a successful bug bounty program to all company sizes; this means you will pay only for the identification of verified vulnerabilities and impactful flaws.

We also provide support from a team of experienced experts who will advise you from the very beginning and guide you during the whole program as well as the process of closing identified security gaps.


The Black Box approach for maximum security

Already many years ago, Internet pioneers like Netscape (the de-facto web browser standard at the time) launched internal bug bounty programs inviting their employees to report any bug they could find and receive a reward for doing so. It took a while until such programs gained momentum, but today many companies consider bug bounty programs an effective addition to their security measures. The crowd intelligence of registered ethical (friendly) hackers is constantly attacking your systems while abiding by pre-defined rules, and hackers are rewarded with a bounty (payment) for identifying verified security issues.

In contrast to penetration testing, such a program is an outside-in, black box approach. Testers (hackers) don’t have access to source information or other company resources. They approach your systems the way criminals would.

Therefore, the ongoing result of a bug bounty program is a much shorter list of vulnerabilities compared to a white-box penetration test, but it is a list of actual issues that could be used right now by criminals. As the list only contains actual issues, it allows you to take immediate action.

Another key difference of bug bounty programs is that there is continuous checking of your systems and applications, so updates and new releases are included in the process.

Organizations are sometimes hesitant to allow hackers to attack their applications, but let’s be realistic – this happens in an uncontrolled way all the time, so it is better to get it done in a controlled way and discover issues before they can be exploited.

But bug bounty programs are not a panacea. They will help you to identify various vulnerabilities, but they won’t give you a complete understanding of all security mechanisms. It’s important to emphasize that many bugs could be prevented by changing the mindset of (your) developers and by ensuring that security experts are closely involved in the design of new applications. There is an important addition to DevOps called DevSecOps to address this matter. However, bug bounty programs make a statement by letting hackers loose on (your) developers. This pushes security a big step up the corporate agenda and has the potential to trigger a cultural shift towards a greater focus on the quality and security of applications.

A very important part of the Bug Bounty Program is the platform provided by the company offering the service, as the platform connects registered hackers with registered customers. Using the platform requires hackers as well as customers to confirm and abide by a set of rules defining the scope of the engagements as well as the levels of identified vulnerabilities. Hackers are paid a bounty for identifying confirmed vulnerabilities; the higher the level (the more severe), the higher the bounty.

Pay only for what we discover

Bounty payments are based on severity levels to allow consistent categorization using the Common Vulnerability Scoring System (CVSS), an open framework for communicating the characteristics and severity of software vulnerabilities.

Severity    CVSS score    Bounty per vulnerability
Low         0.1 – 3.9     € 750
Medium      4.0 – 6.9     € 2,250
High        7.0 – 8.9     € 4,500
Critical    9.0 – 10.0    € 9,000

The severity level “low” can be excluded from the actual contract depending on customer preferences and environment. This makes sure that the bug bounty budget is not eaten up by vulnerabilities that don’t matter.

Bug validation means validating a bug (vulnerability) reported by one of the hackers to make sure it’s really a bug and has not already been reported, and to assign the correct severity level (see above).

Our packages include the validation and reporting of vulnerabilities but not the incident response and fixing of the vulnerability. These are additional services that can be contracted as well but would come at an additional cost.

Money Back Guarantee

If we are not able to identify and report any vulnerability within the first three months, you may cancel the service without any cancellation fee, and we will return all payments you have made until that point.


Available Packages

All amounts in Euro.

Package     Contract Value    Initial Payment    Trigger for 2nd Payment    Platform / Month
Explorer    10,000            5,000              1,250                      500
Starter     20,000            10,000             2,500                      475
Bronze      30,000            15,000             3,750                      450
Silver      40,000            20,000             5,000                      425
Gold        50,000            25,000             6,250                      400
Platinum    100,000           50,000             12,500                     375

Launch your bug bounty program

Once you have decided on one of the packages you will receive a service contract with a detailed description of the service, the selected package and all the terms & conditions.

You will also receive your unique login credentials to our bug bounty portal, where you will later find your validated vulnerability reports.

Contract Value means the total amount of money you are prepared to spend on the service; it will eventually be charged either for validated vulnerabilities or, over time, for the monthly platform fee.

The contract value will be charged in two instalments, 50% when you sign the contract and the other 50% once the first instalment has been spent.

You may at any point in time decide to increase the contract value or to simply add another payment to your available budget.

Step by Step

Once the contract has been signed, we will invoice the first instalment (see above). After receiving the payment, the service is started, and we will deduct the first monthly platform fee from the available budget. The budget (the first payment) covers the monthly platform management and bug validation fee; the remaining amount is your bug bounty budget, which depends on your contract value.

Whenever a vulnerability has been found and verified we will deduct the applicable bounty payment from the available budget. In case a validated vulnerability completely depletes the remaining bug bounty budget, we will still report the vulnerability but then the service will be paused until additional budget has been added.

If the available budget drops to the threshold for the second payment (25% of the initial payment), we will issue the second invoice, and once the payment has been received it will be added to the available budget.

Whenever the bug bounty budget is exhausted the program will be put into paused state, but additional budget can be added at any time.

Cancellation

If you would like to cancel the agreement before your contract value has been depleted, you can do so at any time, but a cancellation fee of 50% of your total remaining bug bounty budget applies; the total remaining budget includes any instalment not yet invoiced. For example, if you would like to cancel the Explorer package after a few months, when you still have a bug bounty budget of 1,000 Euro and the 2nd invoice (5,000 Euro) has not yet been issued, your total remaining budget is 6,000 Euro and your cancellation fee would be Euro 3,000.


The Benefits of our Bug Bounty Program
Minimize cyberattack risk

Continuous, agile security assessment instead of one snapshot in time


Get uninterrupted insight

See every security issue as it is found, allowing immediate remedies


Access a wide range of expertise

Leverage the collective knowledge of our researcher community


Obtain diverse coverage

The more angles, the more testers, the more chances to find security risks


Gain total access

Total transparency and cost-efficient overview of bug reports


Get the most value for your money

Pay only for effective vulnerability test results and impactful flaws


Get immediate support

Verification support for vulnerabilities (triaging)


Choose what suits you best

Different packages to suit business needs

CONTACT US

Do you have any questions about our professional services?
We would be happy to make an appointment and advise you individually.

+386 1 320 78 80
info-cee@fastlane.net