Guest post by Anna Westelius, Senior Director of Engineering, Arkose Labs
Arkose Labs is thrilled to launch a private bug bounty program in conjunction with its public bug bounty program with Bugcrowd — the #1 crowdsourced security platform. The private program scope will be revealed to Elite hackers who are invited to participate, while the public program will continue to be open to all of Bugcrowd’s hacker community.
Arkose Labs is an authentication system solving multimillion-dollar fraud problems for the world’s most targeted businesses. With a bilateral approach that combines telemetric decisioning and a proprietary challenge-response mechanism, Arkose Labs removes the economic incentive attackers rely on to commercialize inauthentic activity.
As a security company with an end-user facing product, we are a likely target for a wide range of financially motivated attackers. To ensure maximum protection for our clients, these products must undergo the most stringent and thorough security testing throughout the development lifecycle and prove both effective and efficient.
To that end, Arkose Labs does extensive testing on all its releases, including third-party security testing and internal testing of challenge mechanics. Because of the nature of the business, Arkose Labs deals with unique security challenges as well. Cracking our challenge-response mechanism, Enforcement, requires a very specific combination of skills (machine learning plus hacking) that is not commonly found in one person, which makes hiring for the role difficult and potentially less effective.
With a private crowdsourced security program, Arkose Labs gains access to Bugcrowd’s Elite Crowd, and is able to tailor its testing pool based on specific skill sets, has more direct communication with a smaller group of testers, and harnesses the power of the crowdsourced model while retaining more control.
The Bugcrowd Elite Crowd is composed of the top researchers, measured in two key areas:
- Skill — A standard of high-impact submissions, averaging only high and critical submissions across a range of specific attack surface areas.
- Trust — Proven trust through ID verification and success working on private programs for top customers.
After launching the public bounty program in the fall of 2018, we saw significant value in crowdsourced security, specifically around the value added to the development process. It’s not just the after-the-fact testing you get with traditional penetration testing. Utilizing crowdsourced testing as an additional validation step during development allows us to test features against “real world” attackers before release. We also gain continuous assurance of the stability and strength of our various product features, and insight into how attackers might go about exploiting them. These benefits guide the future of our security design with working knowledge of the reliability of the challenge mechanics deployed through Enforcement.
Of course, when we first set out on this journey, there were apprehensions. We worried that the Crowd wouldn’t consist of enough experts within our field, given that we are in a very narrow specialty, and we worried about making our systems available to potential “gray hats” who would use the program to gain access to resources that would further enable them to exploit our systems. However, we quickly found that Bugcrowd mitigated all those fears, demonstrating ROI and the flexibility to work with our specific needs right from the outset.
We’re excited to be launching this private bug bounty program to build on our defense-in-depth strategy. Bugcrowd is a valued partner in extending our security team with hundreds of highly skilled and diverse whitehat hackers, and a team of security experts that helps us triage vulnerability submissions as they come in and manage the ins and outs of our crowdsourced security programs.