Intelligent CISO Issue 80 | Page 44

INDUSTRY UNLOCKED

CATAWIKI MAXIMISES SECURITY ROI WITH BUGCROWD PEN TEST AND BUG BOUNTY

Catawiki, a leading European marketplace known for its commitment to crowdsourced and offensive security, has transitioned to Bugcrowd to utilise its unified bug bounty and penetration testing platform. By selecting Bugcrowd, Catawiki eliminated the need to manage multiple engagements with various penetration testing and bug bounty providers. The results from Bugcrowd’s penetration tests have played a crucial role in shaping Catawiki’s security roadmap.
Aristide Bouix, Head of Product Security, Catawiki, Netherlands
The situation
Catawiki runs Europe’s leading marketplace for special objects. It has 10 million unique visitors every month and needs strong security measures in place to ensure that auctions and online sales work seamlessly and without interference, protecting its users’ trust. To secure its products and reputation, Catawiki focuses on its web platform, where the auctions are run, and its internal API.
The company and its leadership have long been believers in crowdsourced and offensive security, where the good actors probe for vulnerabilities before they become a problem. Catawiki set up pen tests and bug bounties with the goal of rooting out vulnerabilities. However, its previous bug bounties and pen tests were not delivering the results it needed, with no pen test vulnerabilities found in 2022.
The challenge
Catawiki needed a better solution. Although it had other controls in place to catch vulnerabilities earlier, it wasn’t confident that its previous providers had enough skilled ethical hackers to find the hidden vulnerabilities. Even when vulnerabilities were found, Catawiki felt they were basic, low-impact findings of the kind an automated scanner could have picked up. During the tests themselves, prior pentesters weren’t very communicative, and Catawiki didn’t feel it could focus the tests on the right areas of its product. Because of this lack of results, Catawiki found itself choosing different providers every year, burdening its security team with regular migration and onboarding work. Finally, after its last bug bounty provider found only two minor bugs and ended the bug bounty before Catawiki’s funds were even used up, the company decided to switch to Bugcrowd.
The Bugcrowd Solution
In considering its provider options, Catawiki found that Bugcrowd stood out as a leader in the crowdsourced and offensive security market. It ultimately chose Bugcrowd because it offers a well-unified bug bounty and pen testing platform – one place to do it all. Catawiki was excited by the prospect of using pen testing results to directly enhance the bug bounty program.
In the words of Aristide Bouix, the Head of Product Security at Catawiki: “The bug bounty program provides added value beyond a pen test, but if it’s run through the same platform, its value is doubled.”
By choosing Bugcrowd, Catawiki stopped having to juggle multiple engagements with different pen test and bug bounty providers, and it no longer needed to port results from one provider to another. Furthermore, it could avoid the myriad onboarding and monitoring meetings that were part of its prior security efforts. Given these considerations and obstacles, Bugcrowd made the most sense.
Catawiki started with a Bugcrowd pen test. From the start, the process was transparent and controllable, which Catawiki felt had been missing with previous providers. Pentesters communicated frequently in Slack, detailing the surfaces they were going to test along with their methodology. There were also many pentesters available, allowing Catawiki to choose the right testers for its specific surfaces.
www.intelligentciso.com