Penetration Testing of Web Applications in a Bug Bounty Program

Abstract: Web applications provide the basis for the use of the "World-Wide-Web", as people know itnowadays. These software solutions get programmed by a numerous amount of developersall over the world. For all this software, it is not possible to guarantee a 100 percent security.Therefore, it is desirable that every application should get evaluated using penetration tests.Anewformof security testing platforms is getting provided by bug bounty programs, whichencourage the community to help searching for security breaches. This work introduces thecurrently leading portal for bug bounties, called Bugcrowd Inc. In addition, web applications,which were part of the program, got tested in order to evaluate their security level.A comparison is made with given statistics by leading penetration testing companies, showingthe average web application security level. The submission process, to send informationabout vulnerabilities, is getting evaluated. The average time it takes, to receive an answer regardinga submission is getting reviewed. In the end, the findings get retested, to evaluate, ifthe bug bounty program is a useful opportunity to increase security and if website operatorstake submissions serious by patching the software flaws.