Western Union Offers $5,000 Top Reward in Publicly Launched Bug Bounty Program
Posted by: Timothy Weaver on 03/16/2015 08:29 AM
Western Union, the financial services and communications company, has announced an expanded bug bounty reward program.
The company has had a bounty program in place since 2014 on Bugcrowd, but it was private. However, the company has now decided to make its program public to allow all of the 15,000 researchers who have signed up on the crowdsourced security testing platform to report flaws.
Researchers who report bugs can earn between $500 and $5,000. However, some items are not eligible for the reward: descriptive error messages, brute-force attacks on the login and password reset pages, clickjacking, self-XSS, cross-site request forgery (CSRF) on pages available to anonymous users, logout CSRF, and flaws related to SSL settings. To see a list of all excluded items click here.
David Levin, Western Union’s director of information security, said: "[Bugcrowd’s] testers dig deep in their testing. Not only will they take a URL and test it for many days, but they have also found what other systems have not identified. No system can be proven to have zero vulnerabilities, so continuous testing at this level of depth is great."
"Traditionally, financial institutions have been slow to adopt the crowdsourced security model, but the online world has grown so quickly and the cyberattacks against consumers have been so aggressive, it's clear the risk isn't going away," said Casey Ellis, CEO and co-founder of Bugcrowd. "We're thrilled to support Western Union both in their efforts to scale and manage their bug bounty program, and as they continue to pioneer the way for financial institutions of all sizes."
Bugcrowd is a successful vulnerability assessment platform that recorded increased revenue (11.3x) from 2013 to 2014. Its customers include companies such as Pinterest, Barracuda Networks, Silent Circle and Indeed.
Source: SecurityWeek