Industry Unlocked
Success snapshot
Bugcrowd's pentesters ultimately found four P2 vulnerabilities for Catawiki, including some that affected its API, which was a high-priority surface. The pen test results directly helped Catawiki shape its security roadmap. Aristide shared: “We were able to reuse the content of this pen test report to shape our internal product security program roadmap and prioritise initiatives that go beyond the simple findings, as part of our engineering effort.”
The outcomes
After the pen test, Catawiki transitioned to running a managed bug bounty with Bugcrowd. Running both programs through one platform let Catawiki use the pen test results to clear the low-hanging fruit first, so that the bug bounty could yield the more elusive vulnerabilities. With the bug bounty, hackers caught three times more vulnerabilities in the first two months of the engagement than the industry standard. Discovering more API bugs through the bounty also helped Catawiki develop its security roadmap even more effectively. In contrast to previous bug bounties, Bugcrowd's bug bounty uncovered novel vulnerabilities.
“These vulnerabilities had not been identified in previous pen tests or responsible disclosures until they were discovered through Bugcrowd,” Aristide said.
With new critical vulnerabilities found, Catawiki was able to build a security roadmap to fix its most critical issues and secure its platform and API. Reflecting on the process, Catawiki said the major benefits included the breadth of expertise available on Bugcrowd, the strong communication, and the ability to run pen tests and bug bounties through the same platform. With its yearly pen test concluded, Catawiki will continue to run its bug bounty to keep ensuring its auctions and online sales are secure.
We asked Aristide Bouix, Head of Product Security, Catawiki, Netherlands, further questions to find out more.
What prompted Catawiki to shift from its previous bug bounty providers to Bugcrowd, and what specific challenges were you hoping to address with this switch?
At Catawiki, maintaining the security of our marketplace is paramount. Our previous providers faced challenges in maintaining an active community of security researchers, often needing to source participants externally. With Bugcrowd, we didn't encounter this issue, as their established community of researchers was readily available. In fact, we worked closely with Bugcrowd to invite only vetted and trusted researchers to ensure a controlled environment, minimising any
WWW.INTELLIGENTCISO.COM 45