Tester skill and experience is varied so it's important for the project manager to properly understand your requirements. The better they can build a team to suit your needs, the better your results will be. This will require a number of test cycles and fine tuning to get it right. It also fares better with consumer applications which are designed for the "common" user. For example, if you have a niche product designed for businesses, this type of testing may not be a good fit.
Bugcrowd is great for bug bounty programs and as a cheaper alternative to a full-blown penetration test. Small to medium-sized companies who are serious about security, but don't have the budget for a $40,000 penetration test, this is a great solution. Bugcrowd isn't going to be able to do much of the white-box penetration testing (code reviews), as they are more suited for grey-box and black-box. A program like this will need at least one dedicated person to work with the moderator, verify findings, and decide on the severity of the finding.
In using MBM (Mobile Beta Management), it would be better to have the surveys be based on completion of a specific task instead of time or number of app access. This might be a little more complex to set up, but would be well worth it.
A "stakeholder management" view would be nice to allow those not normally using the tool to get a quick status of testing.
A "stakeholder management" view for MBM would be nice to allow those not normally using the tool to get a quick status of progress and user feedback.
The success of your program highly depends on the moderator that is assigned to your project. A good moderator will continue to find researchers until the quota is full. Less than stellar moderators will send out one invite and sees what sticks.
Not all researchers are as professional as one might hope. This can ruin the experience.
The one missing point is for the price - it's quite expensive to maintain the service to the extent of how we use it (dozens of test cycles and hundreds of test case hours on monthly basis). However the benefits still weights the price, especially when thinking of the price of potential hot fixes. Still, the price can be a reason to take a look on how competition is doing.
The UI and the whole app is updated on regular basis, quite often actually. There are some cool features, like integration with several other bug tracking tools, which makes the bug management really easy. However there are some key usability issues within some of the less used workflows, which brings the score down a bit. They need to work on better switching between products and better bug search, especially across purchased products.
I know the score doesn't really correspond with my earlier answers, but I have really special relationship with the Applause people. I don't really go through official support. I rather use my internal connections to make my request handled as soon as possible - and it works really well! I don't need to go through the official channels. And it's known that the unofficial ones are much more effective. I can confirm!
I didn't need to be involved at all. It was seamless from our perspective. All products were inserted in by Vendor, only Test Cycles we needed to insert ourselves initially. Now even that is handled by Vendor. The only thing we need to pay attention now is - to request cycles at the right time and review the bugs found during the test cycles. Nothing else. Very good experience!
By the time we signed the contract, there was no competition to Applause (back in time the company was called uTest). Ever since, we didn't evaluate anyone else because we built a very close relationship, which works for both sides. I think Applause is the furthest in building the test community
Budget was ultimately the reason we went with Bugcrowd initially. Bugcrowd allowed for us to come up with our own bounty scale to fit out budget. Most other companies had a fixed scale, or the scale was not as flexible as we wanted it. Traditional penetration testing companies were very expensive.
- we were able to provide good QA on an increased number of deliverables in a shorter period of time.
- great interaction with the Applause team, test leads and others
- high quality candidates added to our team
Negative
- the contract model (based on number of projects for specified monthly periods) was a little tricky for our development life cycles and left us at times wanting to engage test cycles but unable to do so while simultaneously having a project sitting idle for weeks after test cycles completed. Our business model was not a great fit for the contract model.
We have received some great results for a great price. We've also received some poor results at the same price.
Bugcrowd is not always recognized as a "real" penetration test, but for the most part, we have not had any problems with customer accepting our reports.
Overall, Bugcrowd has been an overall good experience, but we have had a poor moderator from time-to-time that has resulted in less than ideal results.
