Carolin Solskär answers Detectify Crowdsource FAQs

In the summertime, I shared my thoughts on how Detectify Crowdsource is not your average bug bounty program. Through this, we got some questions from the security community which I’m going to do my best to answer in this follow-up:

How does Detectify Crowdsource make hacking “scalable”?

Finding bugs is fun, but then comes the reporting part which may not be your favorite depending on how much you enjoy admin work. When Detectify Crowdsource hackers submit a vulnerability to us, we triage and then take care of reporting to impacted vendors for Crowdsource hackers. In other words, a single bug report from a researcher will alert all the affected Detectify customers at once without further admin work, AND they get paid for every unique instance found. Say goodbye manually reporting about every hit!

That’s right, the crowdsourced research from our community members goes into powering a dynamic web application security (DAST) scanner that continuously searches for vulnerabilities in our customers’ live and public (whether intentional or not) websites. 

What is a hit? 

A hit is generated when the submitted vulnerability is detected for the first time in the web apps monitored by our user base. It’s possible that a vulnerability is found in multiple web applications in a single Detectify customer. 

How does the reward model work? 

The hacker that submitted the vulnerability with a valid proof-of-concept will get a reward for every unique hit in our user base and this continues over time. Instead of a one-time reward, they’re rewarded every time it is found in a new customer giving a continuous flow of rewards for the same work. The more widespread the vulnerability, the more companies to be helped, and the more money paid out to the fortunate Crowdsource hacker.

Are all vulnerabilities rewarded the same?

Not all vulnerabilities are worth the same; the payout amount per hit depends on the technology version and severity. This information is only visible to the Crowdsource community members including the aggregated number of instances available in the tested customer base. 

We think it’s important for the Crowdsource hackers to know this in order to report bugs that will have a broader impact on the Detectify customer base. This also makes it easy for our community members to estimate potential hits and money earned for a vulnerability. 

What technologies are in scope? 

Detectify Crowdsource is open to receiving vulnerability reports for all sorts of web technologies. The most important criteria considered:

• Is the technology widely-used?
• Can Detectify fingerprint or profile the technology with automation?

Here’s a sample of technologies which Crowdsource hackers have reported security bugs in: 

Adobe Experience Manager
Atlassian Confluence
Atlassian Jira
Apache Struts
CakePHP
Craft CMS
Episerver
Joomla
WooCommerce
Apache Tomcat
Drupal
Gatsby
Google Cloud Platform
Laravel
Magento
Microsoft Azure
Node.js Express
Ruby on Rails
Amazon Elastic Load Balancing
Amazon Web Services
Apache HTTP Server
ASP.NET
Bootstrap
Microsoft IIS
NGINX
WordPress

Do all vulnerabilities submitted earn rewards?

If the valid submission with a severity rating between low to critical generates hits in the web apps of our customer base then rewards will be rewarded! Our rating guidelines are based on the CVSS version 2.0. 

Submissions that are marked as informational will not earn rewards.

What is a Guaranteed Payout?

Valid submissions that affect technologies specifically mentioned on “Targets & rewards” will get something called a Guaranteed Payout. This is an advanced payment to cover the first few hits even before hits are generated. The Guaranteed Payout is yours to keep regardless of how many hits are generated by the module. 

This is our way of saying,  “we’re confident that you sent us an impactful bug that our customers will get value from.” We want to show our hackers appreciation for all the hard work and passion for contruíbuting to making the Internet safer together. 

The exact amount given for the Guaranteed Payout will differ from somewhere between 1-5 depending on the bug, so upon implementation of the test you will get 1-5 times the amount for the first hit directly. 

Can you picture yourself as part of the Detectify Crowdsource community? Take our challenge and find out if you got what it takes! 

Apply to be a part of Detectify Crowdsource at https://cs.detectify.com/apply.

Automate web security with Detectify and gain access to expert ethical hacker knowledge. Stay on top of threats that go beyond the OWASP Top 10. It’s easy to sign up and give Detectify a try with a 2-week trial today. Go hack yourself.