Identify and address vulnerabilities with our Bug Bounty platform
Our unique and flexible Bug Bounty platform protects your systems from the latest cyber threats
LRQA’s Bug Bounty gives you real-time access to our world-class security experts
A Bug Bounty is a program that allows organisations to reward ethical hackers (sometimes called white-hat hackers) for identifying and reporting security vulnerabilities in their systems, applications, or infrastructure. By leveraging a global network of skilled cyber security experts, companies can continuously test their security defences in real-world scenarios. This proactive approach helps prevent costly breaches, mitigates risks, and enhances overall security posture.
Vulnerability research and offensive security software development are part of who we are and our extensive experience in government systems, critical national infrastructure, core global financial systems and more has enabled us to create a Bug Bounty program like no other. Our flexible platform reveals an organisation’s cyber vulnerabilities based on the threats you care about the most and gives you real-time access to our highly skilled team of security-cleared professionals.
Award-winning expertise
Our cyber security team continues to achieve multiple vendor certifications, highly respected industry accreditations and international accolades, demonstrating the breadth, depth and impact of their services.
Only pay when we discover vulnerabilities
With a Bug Bounty, you pay for results. If we do not find vulnerabilities, you do not pay.
Always on
The vulnerabilities we identify in your systems are reported through our always-on Bug Bounty platform.
Vulnerability severity scoring
Each vulnerability is rated according to its CVSSv3 score. We provide the vector string so that you can see exactly how we arrived at a given score.
Experience
We are trusted to conduct penetration testing against government systems and critical national infrastructure and we bring that experience to our Bug Bounty.
Our approach
We typically use Bug Bounties and Penetration Tests together to strengthen your cyber security maturity. Both approaches provide assurance in a complementary manner as follows:
Understanding your objectives
After taking the time to fully understand your security objectives, our expert team will design a threat-led Bug Bounty program that will meet those goals.
High-quality testing by security-cleared experts
Our security testing is undertaken by our team of background-checked professionals, while the program is managed by an experienced Bug Bounty program manager. The two work together to ensure that every finding is rigorously quality-controlled, objectively measured and promptly published. Each vulnerability is rated according to its CVSSv3 score and we provide an impact statement, a walkthrough of exploitation, screenshots, reproduction instructions and remediation guidance.
A dedicated platform
We interact with you via our Bug Bounty platform as much as you need, working with you until you are confident in your remediation approach. Once you have remediated a vulnerability, we retest it and confirm that your fix was successful. If we find a vulnerability in vendor-supplied software, we can use our mature coordinated disclosure team to ensure that the vendor issues a patch promptly – all free of charge.
Executive debriefing
We provide a personalised, executive reporting and debriefing service. This typically happens at the end of your Bug Bounty program or periodically; whichever makes the most sense for your organisation.
Why work with us?
Continuous assurance
Our cyber security experts detected over 15,500 vulnerabilities through penetration testing during 2023.
Industry leadership
We lead and shape industry on advisory boards and councils including the PCI SSC Global Executive Assessor Roundtable and CREST councils in the Americas, Asia, EMEA and the UK. We are certified by a range of governing bodies including the payment card industry and are approved as a Qualified Security Assessor.
Everywhere you are
Operating in over 55 countries, with more than 250 dedicated cyber security specialists and over 300 highly qualified information security auditors across the world, we can provide a local service with a globally consistent dedication to excellence.
Award winners
We have been recognised for the breadth and depth of our services – including the TEISS Award for Best Penetration Testing Service in 2024, Enterprise Threat Detection and Cloud Security awards at the Security Excellence Awards 2024 and the Stratus Award for Best Managed Cloud Security Service.
Our Bug Bounty is a unique and flexible platform that gives you:
- Access to a highly skilled team of security-cleared security professionals.
- Vulnerability findings that no other program will reveal.
- Integration with third-party tools such as Jira and ServiceNow.
- Real-time and interactive access to our team and vulnerability findings via our online Bug Bounty platform.
- Executive reporting via reports and periodic debriefs.
- Free assistance with vendor vulnerability disclosure using our experienced advisory team.
- Free retesting of findings – we will support you with our expert knowledge and keep retesting until the vulnerability has been remediated.
The world leader in CREST accreditations
We are proud to be the only organisation in the world with a full suite of accreditations from The Council of Registered Ethical Security Testers (CREST).
Our team of consultants have achieved the highest accreditations for Penetration Testing, Red Teaming, Incident Response services and Threat Intelligence. In addition, we were also the first organisation to be CREST accredited for our Security Operation Centre services.
FAQs
How will we distinguish testing activity from real attacks?
Attribution is important. All our Bug Bounty traffic originates from the same IP address range, which we share with you in advance. By doing this, you can be confident that our testing activity is us and not a real threat actor.
Should we allowlist your IP address range on our security controls?
We do not recommend allowlisting us in any way. A Bug Bounty is best designed to test your organisation’s security posture exactly as it is presented to the outside world. In a time-bound penetration test the objective is usually to find as many vulnerabilities as possible within the window, so allowlisting can be worthwhile there; for a bug bounty it does not make as much sense.
Where is Bug Bounty data stored?
All data is stored on our Bug Bounty platform, hosted in AWS. We handle that data in line with our strict data handling and retention policies that form part of our ISO 27001 certification.
How do we ensure you’re focussing on the areas that matter to us the most?
We allow you to create custom rules of engagement for each Bug Bounty program. For example, you can define the scope we test, the vulnerability types we submit, and where we spend most of our time. We provide default rules of engagement that work well for most clients, which you’re free to modify.
We have production systems in scope. How do you manage the risk of service impact?
We follow a non-disruptive and non-destructive bug-hunting methodology. All testing is carried out by team members who are experienced in safely testing high-importance and production systems. While no testing activity is entirely risk-free, we are very experienced at avoiding disruption, and our incident rate is extremely low.
How do you rate the severity of each vulnerability?
We use the Common Vulnerability Scoring System (CVSS) v3 for scoring vulnerabilities. CVSS v3 defines severity ranges: a score of 9.0 – 10 is Critical, 7.0 – 8.9 is High, and so on. We provide the CVSS vector string as well as the score so that it is clear how the score was determined.
What is the price of the service?
Each vulnerability is assigned a CVSS v3 score and severity. We price based on severity; a critical vulnerability is priced higher than a low-severity vulnerability. We will recommend a pricing model to you, based on the target systems and their perceived security posture. Each program has a maximum total payout to ensure confident budgeting. We charge a low management fee compared to other providers, so you are primarily paying for vulnerabilities.
How will I be notified of a new vulnerability?
Our Bug Bounty service runs on an online platform that provides you with several granular notification options. Currently, we offer in-platform notifications, emails, and SMS. So, for example, you may decide that a critical severity vulnerability notification should be sent via a text message and email, while a medium severity vulnerability notification should be sent via email only.
Do I have to use your platform to interact with the service?
Our platform presents an API that provides all the functionality that our core Bug Bounty web application provides. This means that you can integrate any software with our platform and have the web application take a back seat. We also provide several wizards for quick and easy integration with common ticketing software such as ServiceNow and Jira.
What happens if you find a new vulnerability in third-party software?
We regularly uncover previously unknown vulnerabilities affecting third-party software. Our coordinated disclosure team has a wealth of experience working with software suppliers to expedite the production of a patch.
What if I have follow-up questions about a finding?
Each vulnerability that we discover is written up clearly and concisely. We strive to demonstrate impact, ensure reproducibility, and provide detailed remediation guidance. If you need to talk to us about a finding, you can do that directly through our platform. We will not stop until you have all the information and understanding that you need.
During which time of the day do you test?
Our default rules of engagement permit 24/7 testing. We recommend keeping the window as open as possible. Our team often works on the Bug Bounty platform outside of core business hours, and some of their best findings come outside of normal working hours. Our default rules of engagement prohibit wide-scale vulnerability scanning and any other activity that has a higher likelihood of causing a negative impact. The findings of a Bug Bounty tend to come from manual work: slow and deliberate assessment over a long period. Of course, you are welcome to establish any rules of engagement you would like, and this includes permitted testing hours. Likewise, you can pause a bounty at any point, e.g. during a change freeze.
Providing Security Testing to a leading UK financial investment company
This client had previously experienced a high number of vulnerabilities, which LRQA was able to help address. The services implemented provided the client with a proactive and threat-led approach, informed by our offensive and threat intelligence teams, to protect against the latest industry threats.