We're excited to announce the public release of Federacy, a security testing and bug bounty platform.
1.0 focused on building out core functionality for bug bounty programs, including:
This 1.0 release is a really important milestone for us because it marks a point where we are confident enough in the usefulness of what we’ve built to share it with the world and invite you to use the platform with us.
Our platform only works if researchers can be compensated for their work, so enabling programs to award researchers was the integral feature to mark our public release. We charge awards through Stripe and pay researchers via PayPal.
Making triaging intuitive and efficient is a core goal for Federacy. We want to empower small businesses and startups to utilize external security researchers even if they can't afford a managed bug bounty program (which can exceed $10K/month).
We improved the design of the dashboard and added better filter and search controls.
Many of our users have been testing the bug bounty waters by using a private program. We use private programs at Federacy to test new releases, especially ones with significant security implications like this 1.0 release.
A primary feature necessary for private programs is the ability to invite qualified researchers. To support this, we built out a first iteration of Researcher Profiles, which encompasses background, skills, languages, programming languages, frameworks, targets, vulnerability types, and social media contact sources.
The first iteration of program stats focuses on informing researchers about the likelihood of being rewarded for their work, and we're proud to say that all of our public programs have payout ratios many times the industry average. This is a testament to how much our programs care about security and how much they value each researcher's effort. It also reflects the incredibly high signal-to-noise ratio on Federacy because of the quality of researchers and reports.
We're eager to add more metrics both for programs and researchers. And yes, we'll definitely build a leaderboard soon!
Known Issues allows companies to communicate issues that have already been reported and are in progress, determined to not be a risk, or worth fixing at the present time.
To a researcher, this indicates surface area that is out of scope, which means they won't be awarded for their research. However, without a Known Issues list, duplicate reports are rife, which hurts both sides: researchers who submit duplicate reports don't get compensated for their time, eroding trust and discouraging them from digging in further, resulting in reduced assurances for the company that their software is secure.
Consequently, we separated Known Issues from the Vulnerability Disclosure Policy and put them front and center on program pages. Our goal is to make it as simple as possible to keep this list up-to-date. Likewise, award amounts make it clear what a researcher can expect for their hard work.
- Persistent Sessions - One of the primary requests from users has been to enable sessions to persist beyond a single browser tab. Early versions of the Federacy API were built around a JWT and HTTP headers for authorization. We migrated to traditional server-side sessions using an httpOnly cookie and added now requisite CSRF protection.
- Onboarding - We've built an improved onboarding experience which guides both researchers and new programs through the process of getting set up on Federacy. For programs, this means providing integral information about scopes, award amounts, and members—with additional functionality available post-onboarding. For researchers, this means creating a profile, indicating payment address, and beginning the vetting process.
- Help Center and Documentation - We started answering frequently asked questions at https://help.federacy.com and began API and product documentation at https://github.com/federacy/documentation.
Please review our changelog for a detailed list of changes.