Page 35 - Hands-On Bug Hunting for Penetration Testers
Choosing Your Hunting Ground Chapter 2
Fewer than 10% of applicants to their Red Team are accepted. And unlike the other
programs, Synack doesn't publish a leaderboard or any sort of researcher ranking publicly
(though they do keep internal rankings as the basis for rewards and invitations to select
campaigns).
Intermediaries such as Synack are great if you're looking for more of the private-program
type of engagement you're already being invited to on Bugcrowd or HackerOne, where
researchers receive exclusive, limited access to the target application. It's also great if you
need a quick payout time, or want access to the professional development materials the
company only makes available to member researchers.
The fact that Synack keeps its researchers' identities secret is also a benefit: though
adhering to the Rules of Engagement (RoE) is always important, it offers the researcher
some protection from legal action by companies trying to discourage aggressive auditing,
or who interpret their own RoE differently than you do.
In general, Synack is a good option if you've already cut your teeth on bug bounty
marketplaces where the cost to join isn't as high, and are looking to make a bigger
commitment to security research. If you're willing and able to get past their screening
process, working as part of their red team will secure you less-trafficked targets, exclusive
engagements, and quicker payouts.
Company-Sponsored Initiatives
Company-sponsored programs are just what they sound like. It's not just large mega-corps
that have bounty programs; a surprising number of businesses have a process for
rewarding security contributions. The size of each company can drastically affect the
requirements and conditions for a reward: large companies pay top dollar for
vulnerabilities, but the low-hanging fruit among those flaws will already have been picked;
start-ups will have less mature applications, but probably a smaller application attack
surface, assembled from a newer stack with fewer known vulnerabilities, and might want
to pay for contributions in swag. Companies that are mature enough to suffer from
technical debt, but also have a budget to pay rewards, are a nice fit. Sometimes, though,
you'll just have to poke around in different areas, taking your chances, to find your next
vulnerability.
Here are some examples of the programs offered by larger companies.