Bug Bounty Penetration Testing
OSI Security has offered a "Bug Bounty" style Penetration Testing service since 2011, more than 18 months before Bug Bounty platforms such as BugCrowd and HackerOne were founded. At the time we called it Result Based Penetration Testing, because the format involved paying for the security bugs found rather than for the time spent researching and identifying them (Results vs Time).
The benefit of using OSI Security rather than a Bug Bounty platform is that our paid staff have decades of experience across different systems, and our core business is to identify all vulnerabilities within your environment in order to provide security assurance.
With Bounty platforms there is no guarantee that hunters distributed across the world will spend time testing your network when another company has a higher reward on offer. Bug hunters also learn which bug classes pay well and which do not, so they will not bother looking for security issues that are present and should be fixed if it is not worth their time. Bounties also work on a first come, first paid basis, which creates an incentive to find and submit bugs quickly instead of taking the time to find complex problems.
Why & When?
Bug Bounty style penetration tests are not always the most suitable or the most beneficial option for an organisation. Typically they suit Clients who already have an in-house penetration testing team, or who are certain what issues exist "as-is" and are looking only for new issues that may have gone undetected. They can also be useful when trying to minimise costs. If you think the Bug Bounty is not for you, you may wish to consider our Monthly, Quarterly or Ad-hoc once-off tailored services instead.
How it works
We charge a fee per vulnerability discovered, scaled by its class of vulnerability and the context in which it is found. For example, a cross-site scripting vulnerability in the average website would usually be considered low risk. If the same vulnerability were found in a banking application it would be considered high or critical risk, because it could be used to hijack accounts and steal money. In other words, risk (and therefore the fee) is determined by the impact in your environment, not by the vulnerability class alone.
Fees
If there are no security vulnerabilities identified, we do not charge a fee. Simple.
- Low Risk Vulnerabilities: $200 per item.
- Medium Risk Vulnerabilities: $600 per item.
- High and Critical Risk Vulnerabilities: $2000 per item.
Terms and Conditions
- Limit of one (1) "Result" / "Bug Bounty" based Penetration Test per calendar year (12 months).
- If you require more frequent testing, you may wish to consider our competitively priced Monthly, Quarterly or Annual / Adhoc options.
- All item fees are billed excluding GST. Entities within Australia are required to pay 10% GST on the total price.
- Vulnerability risk, and therefore the "Fee", may change depending on the risk to the Client - see "How it works" above.
- Any dispute in relation to the vulnerability type or risk will be mediated by a reputable third party.
- OSI Security will notify the client as-and-when a vulnerability is found, as to the nature of the vulnerability and the fee for the class of bug discovered.
- When applying for a Result based Penetration Test, OSI Security will ask the client to establish a "Maximum" amount they wish to spend.
- If enough vulnerabilities are found to reach this limit, the Result based Penetration Test will end and we will contact the Client representative for further instruction.
- Upon completion of the Penetration Test / Vulnerability Audit, a Report document will be issued to the client in the form of an encrypted PDF document (or other file format as agreed).
- A bound, hard copy of the Report may be requested by the client. This service will attract an additional fee depending on the number of hardcopies requested, estimated to be between $100 and $300 ex GST.
- Any intellectual property developed by OSI Security during the Result based Penetration Test vests in OSI Security and the Client is granted a non-exclusive, perpetual license.
- OSI Security reserves the right to refuse to provide a Result based Penetration Test for any reason, including but not limited to: where the Client application appears to be fraudulent, or where technical resources are not available.
- Unauthorised Penetration Testing may constitute an offence under Australian law and in other local jurisdictions. A signed legal contract authorising the testing is required prior to commencement of the Results based Penetration Test.