by ahartman00 2881 days ago
"Would you consider contracting an outsourced CISO or a pentest with a security researcher that has reported vulnerabilities to you through your bug bounty program?"

Budget permitting, this seems like a no-brainer. I mean, they already have some familiarity with our app. The only thing I would be worried about is people gaming the system: finding some low-hanging fruit or running their toolkits on a bunch of apps, then charging a lot of money and providing no more value.


Yeah, that definitely makes sense, and I agree.

At the core, Federacy is a marketplace, and the surest way for us to constrain the transactions will be to make it difficult for startups to extract a lot of value. We’ll have to work hard on the tools (reputation, vetting, etc), for startups to trust and work with really talented researchers.

Not quite as important, I think, but also interesting is what tooling we can build to let researchers focus on the work they enjoy, and that adds the most value for startups. If we can make the reporting process more intuitive, they can focus more on research -- and less on writing traditional pentest reports.