The Bug Bounty Business: How Solution Providers Are Cashing In

Bug bounties weren’t on the radar of San Antonio-based Denim Group or its customers as recently as 18 months ago. Today, bug bounty-related services account for roughly 5 percent of Denim Group’s security revenue.

“It’s not yet a significant portion of our business, but it’s growing quickly,” said Dan Cornell, principal and CTO of the software security advisory company. “It’s something that is very interesting to us.”

Denim Group’s differentiator is fully understanding where a bug bounty program fits into the customer’s overall security strategy, Cornell said. As a result, he said, Denim Group can effectively determine on a customer-specific basis which security issues should be addressed through threat modeling or internal penetration testing and which should be sent out to the broader researcher community via bug bounty.

Cornell also has tasked some of his team with evaluating and providing context around the vulnerabilities being reported through HackerOne and Bugcrowd. Denim Group doesn’t have a dedicated bug bounty practice today, but Cornell said that could certainly change in the next year or two.

“Even with the stuff the bug bounty providers are doing, we’ve found that a number of organizations still need additional support on top of that in order to provide appropriate context and vetting of the reports that are coming in,” Cornell said.

About Denim Group

Denim Group is the leading secure software development firm, serving as a trusted advisor to customers on matters of software risk and security. The company builds software for the most security conscious while helping organizations assess and mitigate risk within their existing software. Denim Group's flagship ThreadFix product accelerates the process of software vulnerability remediation, reflecting the company's rich understanding of what it takes to fix application vulnerabilities faster. Denim Group has emerged as a strong contributor to the larger application security community and has actively participated in the Open Web Application Security Project (OWASP) since shortly after its inception.

Among many other awards, Denim Group has landed on the "Inc. 5000" list - which recognizes the country's 5000 fastest-growing private companies - for five years in a row. In addition, the San Antonio Business Journal named Denim Group as one of the "Best Places to Work" in the city.
