Bugcrowd connects companies' security and dev teams to vetted and talented security researchers worldwide to run crowd-powered private and public bug bounty programs.
N/A
Tripwire IP360
Score 5.4 out of 10
N/A
IP360 from Tripwire is a vulnerability management solution; the technology was acquired with nCircle in 2013 and based on the nCircle 360 Suite product. Tripewire is a HelpSystems product line since the February 2022 acquisition.
Bugcrowd is great for bug bounty programs and as a cheaper alternative to a full-blown penetration test. Small to medium-sized companies who are serious about security, but don't have the budget for a $40,000 penetration test, this is a great solution. Bugcrowd isn't going to be able to do much of the white-box penetration testing (code reviews), as they are more suited for grey-box and black-box. A program like this will need at least one dedicated person to work with the moderator, verify findings, and decide on the severity of the finding.
I find the Tripwire IP360 reporting features extraordinary. I can run various audit and inventory reports at any point since the inception of the tool. For example, I can execute a report on the history of an asset, which establishes a baseline and can be used to support many security objectives.
Scan scheduling. This feature allows the tool to run independently without human intervention. I don’t have time to manually run scans of different departments. Therefore, I schedule all my audits and check the report the next day. This has worked brilliantly for 3 years now.
Automated update of the vulnerability rules. Automatically updating these rules and binding them to the scans preserves the tool relevancy during audits
The success of your program highly depends on the moderator that is assigned to your project. A good moderator will continue to find researchers until the quota is full. Less than stellar moderators will send out one invite and sees what sticks.
Not all researchers are as professional as one might hope. This can ruin the experience.
Budget was ultimately the reason we went with Bugcrowd initially. Bugcrowd allowed for us to come up with our own bounty scale to fit out budget. Most other companies had a fixed scale, or the scale was not as flexible as we wanted it. Traditional penetration testing companies were very expensive.
We have received some great results for a great price. We've also received some poor results at the same price.
Bugcrowd is not always recognized as a "real" penetration test, but for the most part, we have not had any problems with customer accepting our reports.
Overall, Bugcrowd has been an overall good experience, but we have had a poor moderator from time-to-time that has resulted in less than ideal results.
The biggest impact Tripwire has had in the organization is risk reduction. Since the inception of the tool our vulnerabilities have been reduced by 40%.
