Bugcrowd adds ‘flex’ pricing model to bug-bounty programs

Idea is to get security researchers to vie to find unknown vulnerabilities in software.

Bugcrowd, the firm that offers a bug-bounty service program that brings together companies willing to pay to hear about serious software vulnerabilities and the security researchers that can find them, says it’s offering a new pricing model.

According to Bugcrowd CEO Casey Ellis, the “flex” pricing model works like this: customers share the code they want examined for possible vulnerabilities, and the researchers who find bugs share in a percentage of the total reward pool the customer has offered.

The “flex” program augments Bugcrowd’s other bug-research arrangements, such as monthly pricing for access to Bugcrowd’s platform, which connects customers with thousands of security researchers who report serious security holes those customers may be willing to pay for. “You pay every time you learn something you don’t know,” he added.

Ellis says Bugcrowd now has about 10,000 security researchers registered, and a system that allocates “points” for findings over time shows which researchers are top-ranked in particular areas.

Founded in 2013 and based in Sydney, Australia, Bugcrowd acts as a broker to bring together the security researcher claiming to have discovered something serious with the company that would want to fix the problem in its code right away lest destructive hackers take advantage of it. Ellis says Bugcrowd helps “adjudicate” the process between the researcher and the company involved. Bugcrowd says the process encourages responsible disclosure of security flaws where researchers get paid for their efforts.

Copyright © 2014 IDG Communications, Inc.