Vulnerability Management Isn’t Scalable, But Bug Bounty Programs Are

Every security team knows how important patching vulnerabilities is — the problem is that it takes a lot of time to do. In fact, research shows that it takes organizations an average of 60 days to patch critical-risk vulnerabilities, and with 18,371 vulnerabilities discovered in 2021, there are too many for a single team to patch alone.
Bug bounty programs are providing an answer to this predicament by incentivizing a crowd of external security researchers to discover and report vulnerabilities in exchange for a fee.

Today alone, enterprise insights platform Stravito, which provides organizations with a SaaS platform to store, discover and integrate market/consumer insights, announced the launch of a new bug bounty program in partnership with Intigriti.

For Stravito, the program provides an opportunity to build on its recent ISO 27001 certification, and mitigate potential vulnerability management risks that put customer data at risk of exposure.

Bug bounties: The answer to vulnerability management complexity?
More broadly, Intigriti and Stravito’s partnership highlights that bug bounty platforms provide enterprises with a powerful tool they can use to enhance the capabilities of in-house security teams and mitigate an ever-growing number of vulnerabilities at scale.

The announcement comes as more and more private and public organizations are experimenting with bug bounty platforms to discover and eliminate vulnerabilities in their technology stacks, including the DoD, Google, Uber, Microsoft and Apple.

Stravito, which last year announced raising $14.6 million in series A funding, is one of a growing number of smaller providers turning to crowdsourced security to secure its systems against modern threat actors.

That said, it’s important to note that a bug bounty program isn’t designed to replace an in-house security team, but to augment its existing efforts.

“Our Bug Bounty program ties in directly with our DevSecOps teams (through our incident-management processes and software-development lifecycle), both for remediation of vulnerabilities but also as a feedback loop to educate our DevSecOps engineers, raising the bar and minimizing future bugs and vulnerabilities,” said Thor Olof Philogène, founder and CEO of Stravito.

At the same time, automation has a critical role to play in enabling an organization to integrate and act on the findings of external researchers.

“Automation is also key, both for detection of potential bugs and vulnerabilities (SAST and DAST) and to scale our capabilities to show compliance to clients, auditors and regulators (compliance as code) both now and in the future,” Philogène said.

Reviewing the bug bounty market

The announcement comes as researchers anticipate the global bug bounty market will continue to grow, valued at $223 million in 2020 and anticipated to reach $5.5 billion by 2027.

Within the market, Intigriti stands as one of the leading European bug bounty providers, earlier this year raising over €21 million as part of a series B funding round for its bug bounty and vulnerability disclosure platform.

It’s competing against other prominent vendors in the market including HackerOne, a bug bounty platform with automated bug testing, remediation guidance and automated trigger actions that activate based on vulnerability severity. HackerOne raised $49 million earlier this year, bringing its total funding amount to almost $160 million.

Another competitor in the space is Bugcrowd, a provider offering a combination of attack surface management, penetration testing and automated workflow-driven bug bounties. Bugcrowd most recently announced raising $30 million as part of a series D funding round in 2020, bringing its total funding to over $80 million.

This post was originally published by VentureBeat on venturebeat.com