Private Bug Bounty
What is Bug Bounty?
The world has been online for a long while now, and people are aware that websites can be compromised. A "Bug" is an error in website code or some key functionality that, when discovered, can be exploited.
Remember the old Western movies? In the town square there would be a Bounty Board. The exact same thing exists now, but it has been virtualized. A company posts onto a Bug Bounty Board; freelance hackers see the bounty and perform standard "hacking" tasks until a bug is found. The hacker writes a report about the bug and submits it to the company, and the company pays the hacker for finding the bug.
Why does bug hunting matter?
Web technology changes so much. The Tactics, Techniques and Procedures of threat actors are changing all the time as well.
There is more awareness now that it is not just rogue adversarial hackers compromising websites, but also literal nation-sponsored crime groups, and that even competing businesses are hiring criminals to attack your website.
As soon as you publish a website it is almost immediately being scanned for vulnerabilities.
With a Bug Bounty, you are aware of the activity and you have some peace of mind that a professional will tell you where your site is weak.
Traditional Bug Bounty
Typical bug bounty reports come in three threat categories (Low, Medium and High). A High threat basically means that if this is not patched soon, you could lose everything. Low threats are informational: it's not great, but a bad actor cannot really do much with the information.
Q: "How does a company get started with a Bug Bounty?"
A: It's not straightforward. You would have to pull someone from their work and get them to research any of the hundreds of available programs.
Q: "How much do I have to pay?"
A: It depends on the organization. Tesla, for example, has the funds to pay $100,000+ for a High threat bug. Generally speaking, though, the average for a Low threat bug is $100-150, Medium $500+, High $1500+.
Remember, that is not a flat fee. That is per bug.
Q: "Who will do the hacking?"
A: Who knows! It could be someone from the other side of the planet. An important question you need to ask yourself is "What are the ethics of this person I don't know and have never met?"
How can REDBLUE LABS help?
You will know us. We will have a conversation. With that we will learn from you what your actual needs are.
We use a project model and not a per-bug fee. We will meet with you and determine a scope for the project. From this we will agree on a flat fee, and that's it. There is no hidden cost: if we find 10 Low threats and 5 High threats, it will cost the same as if we found 5 Low and 10 High.
The project model allows you to budget effectively. You will know exactly what the project will cost.
The barrier to entry is low. Do you want a basic scan of your website? Or would you prefer an analysis of how "appealing" your website is to criminal hackers? Whatever need your business has, RedBlue Labs is there to support you.