Try out our new FREE Youtube Summarizer!

Webinar Overview

Bugcrowd Demo Webinar

Estimated read time: 1:20

    AI is evolving every day. Don't fall behind.

    Join 50,000+ readers learning how to use AI in just 5 minutes daily.

    Completely free, unsubscribe at any time.

    Summary

    Join Jeff Booth, a Trust and Security Engineer at Bugcrowd, as he walks through the intricacies of Bugcrowd's award-winning, fully managed crowdsourced security platform. In this detailed webinar, Jeff provides insights into both the researcher and backend customer perspectives, offering a comprehensive view of the Bugcrowd control platform. Learn about public and private programs, the vetting process for researchers, and the bounty briefs crafted with clients. Discover how Bugcrowd streamlines vulnerability reporting, triage, validation, and resolution, with additional coverage on integration capabilities and what considerations go into crafting effective vulnerability disclosure and management strategies.

      Highlights

      • Explore Bugcrowd's unique approach to crowdsourcing cybersecurity, employing top hackers to boost security efforts. 🛡️
      • Learn about the dual aspects of the Bugcrowd platform from a researcher's and a customer's point of view. 👥
      • Understand the difference between public and private programs and the rigorous vetting needed for researcher access. 🔑
      • Discover the importance of bounty briefs in setting clear scope and rules for security engagements. 📋
      • See how vulnerability submissions are processed, moving from initial report to validated issue with Bugcrowd's support. 🚦
      • Find out how Bugcrowd integrates with existing workflows and tools to streamline vulnerability management. 🔄

      Key Takeaways

      • Unleash the Power of Crowdsourcing: Bugcrowd connects businesses with elite white hat hackers for efficient vulnerability detection. 🐱‍💻
      • Comprehensive Researcher Vetting: Access to private programs is earned through participation and kudos points. 🔍
      • Detailed Bounty Briefs: Customized program briefs facilitate researcher engagement and set clear scope boundaries. 📜
      • Intensive Triaging Process: Bugcrowd validates and classifies submissions, helping streamline the resolution process. 🔧
      • Rich Integration Opportunities: Seamlessly connect Bugcrowd with other tools like JIRA and Slack for enhanced workflow automation. 🔗

      Overview

      The Bugcrowd demo webinar, hosted by Jeff Booth, unveils the comprehensive and effective strategies employed by Bugcrowd to leverage the collective expertise of elite white hat hackers. By utilizing crowdsourcing, Bugcrowd significantly accelerates the detection of vulnerabilities with reduced management overhead, allowing organizations to fortify their security posture more efficiently.

        Jeff navigates through the dual-sided platform showcasing both researcher-focused and customer-focused experiences. Researchers gain recognition and access to private programs through a vetting process, participating in both public and private engagements. Simultaneously, customers interact with a backend that helps manage vulnerabilities, generate reports, and engage with the Bugcrowd team for seamless security operations.

          With an emphasis on collaboration and customization, the discussion highlights how Bugcrowd facilitates clear communication through detailed bounty briefs, supports complex integration needs, and ensures a stringent yet supportive validation and disclosure process. The platform is designed to provide actionable insights and comprehensive management solutions for organizations looking to enhance their security frameworks.

            Bugcrowd Demo Webinar Transcription

            • 00:00 - 00:30 hi I'm Jeff booth the trust and security engineer here at bugcrowd and bugcrowd is an award-winning fully managed crowdsource security platform that connects the full owner building management lifecycle we leverage the creativity and expertise of the world's most elite white hat hackers to find more high-value vulnerabilities in less time with less overhead by providing actual contextualized intelligence and
            • 00:30 - 01:00 security workflow automation we help you not only find and fix faster but build better and so what I'll be doing today is going through the the bug crowd crowd control platform so it'll be two sides of really the same coin here one is going to be the researcher side and so their workflow in terms of what they see in terms of the Batmen brief and their submission process as well as the the backend which our customers use in their day-to-day and interacting with bugcrowd feeling the vulnerabilities generate reports and stuff like that so let's go
            • 01:00 - 01:30 ahead and jump right into it so first off I'm going to bring up here bug routes of public programs lists so these are companies that are running public programs here with background and if for those that are not aware bug Club does actually run a couple different flavors of programs so mainly that it's going to be public programs as well as private programs so public programs pretty self-explanatory these are the companies again running public programs with us anybody in the world can sign up as a researcher and begin testing and
            • 01:30 - 02:00 finding vulnerabilities on these public programs now opposite of that is private programs so private programs no one really knows that they're there except for obviously bugcrowd the company that's running it and the researchers that bugcrowd is specifically in fighting or picking to be invited in participating in those private programs and so the way that researchers are actually able to become invited into into these private programs and the eligible for them is through our vetting process so researchers as we're looking at right now they do need to
            • 02:00 - 02:30 participate in the public programs and find vulnerabilities within these public programs they can be duplicates but come on the point is researchers will earn what we call kudos points on the platform in order to essentially upload all their own accounts that their researcher accounts here with us to get to reach a certain threshold in order to be able to become eligible for the private crowd to be able to get those private invites so what I'm gonna do here is click on one of the public
            • 02:30 - 03:00 programs have this be envisions program and what we are looking at here is something that we call the bounty brief or the program details and so this does list out a number of things on the program so this is essentially the messaging that goes out to all the researchers what they're going to be looking at the rules and engagement and this is actually something that Bob kata is going to draft up with this company so we did this for envision but we draft this up for them right so what happens is we get on what we call an onboarding call prior to the program launching and
            • 03:00 - 03:30 we go through a number of questions that we have for each customer to make sure that we understand what each and every customer is looking for so if like saying envision is has these specific targets we want to understand a little bit more about those targets what exactly do they care about are they looking for specific vulnerabilities do they not care about certain other ones what is a value to them so what are they gonna be paying so we want to understand all that to build a craft and draft off this program brief for them so they can essentially approve it and not really have to rely on their own efforts to be
            • 03:30 - 04:00 able to bring this up from scratch so excuse me so what's on via the program brief here are obviously going to be the list of targets what can the researchers actually be testing what's within scope what's out of scope doesn't necessarily have to be a specific like what target can be really anything that you want the researchers to be testing as opposed to like say something that you don't want to be doing which would be out of scope right so things that can be listed here obviously websites API is another common
            • 04:00 - 04:30 one mobile applications hardware devices IOT obviously networking devices or IP ranges so pretty much anything that that you want the research is a test now that's a piece of hardware I would do probably want to ship those out to the researchers so it might be a limitation on how many of those pieces of hardware can actually get out to those researchers or maybe set up and some sort of environment where the researchers could connect to you modeling so other things they're going to be in here are if you are setting up some sort of environment how the researchers connect to that how do they
            • 04:30 - 05:00 access it credentials how do they how do they prepare those unquote those credentials I do they self sign up we're gonna be providing that to them how do they get those focus areas again is there any part of the application or targets that each customer that you really care about you want them to focus on a specific area because maybe it wasn't tested before or maybe there's just a really big update to the application that your developers put out new features and you want the researchers to focus on those areas again anything that's out of scope really anything that you don't want them
            • 05:00 - 05:30 to be doing and we do have a couple of one ability categories that are in our that are in our disclosure agreement other the researchers sign when they become researcher and when they participate some of those things are like like network denial of service form abilities right so that's one of them but again this can really be anything that you want or you get as more specific that you do not want them to be doing so it doesn't necessarily have to be a whole Nura building could be like maybe a tool or just a certain part of the application they look like a touch
            • 05:30 - 06:00 couple other things like certain vulnerabilities that you might care specifically about something that's not listed in this particular program is the reward range should we just go over to more ranges are something that the researchers would look to to be able to understand how much they could be getting paid approximately for what they will look they will be finding so the warm ranges are based off of the
            • 06:00 - 06:30 technical severity so we actually rank vulnerabilities from p1 all the way down to p5 vast majority of our customers only pay out on the p4 isn't up and this is based off of our vulnerability rating taxonomy and so this is really a very large list of vulnerability categories subcategories specific variants and assigns a technical severity to them so everything in here is actually customizable so if for instance envision or mailgun doesn't care about or cares a little bit less like say about excellent
            • 06:30 - 07:00 external in any injection they don't think that's a p1 or they don't want to pay out on the p1 they can or I should say bugcrowd and that company will be able to put that into the bounty brief so the researcher when they're looking at they'll see that all right external injection is going to be ap2 not a p1 so they'll know a parsec at which they'll compete for that one everything's great customizable it does go through this very large list of vulnerabilities really if there's anything that you disagree with again we can put that into the penny brief so that I get expectations can be set I didn't want to mention one thing here on
            • 07:00 - 07:30 the list is we do list everything from P 1 through P 5 now if you remember back on the bounty brief here it does only list P fours it has a small note right here P five submissions do not receive any rewards for this program so once more customers are not paying out on the P 5 and that's purely that's primarily because most of these are things that maybe a lot of a lot of folks don't really care too much about or considered to be security vulnerabilities a lot of these things are found with like your automated scanners tools and stuff of that nature so it's like it very easily
            • 07:30 - 08:00 found stuff low hanging fruit so why pay off or something that the company already knows about or just very easily found so just a simple and the one other thing they want to mention that is on every single bounty brief is all the way at the bottom here we do see the VRT down there but the other one is this program follows bugcrowd standard disclosure term so our standards closure terms are actually non-disclosure so the researchers when they are study upon our platform getting an invite to these private programs or participating the
            • 08:00 - 08:30 public programs as well and every time they are viewing this and they submit a vulnerability they have to agree to our standard disclosure terms which is actually non-disclosure so research they are not allowed to talk about anything that's here list only brief the company that's running at the targets and of course certainly not via the vulnerabilities that they're finding submitting as well the exclusion to that or a cyclin I should say is if if the company gives them expulsion explicit written permission to go ahead and disclose that so typically that will come after the company is fixed but
            • 08:30 - 09:00 again we do encourage disclosure if both parties agree and force them to mutually agreeable manner so typically what happens is the research will ask to kind of like read a blog post or an article about it and pass it to that company just to build a review at protecting the information if necessary and then once both parties agree so that's that's pretty much for the bounty brief side so if I as a researcher in taking a look at this program if it was a private program last or from just taking a look at this public program I start to test and I
            • 09:00 - 09:30 find a vulnerability or rather I think I found a vulnerability I'll come and submit the report and so I'll be greeted with this page here this is our submission form so what this is is it's a lot of structure for the researchers also helps us here but cut out as well as our customers to be able to understand exactly what is the researchers found so you have a couple different fields here so target obviously where do they find it technical severity they're not picking the the severity itself because obviously that does directly relate to
            • 09:30 - 10:00 how much they can be getting paid but they do select the the category what's relevant to what they found so in this case I'll select Moken execution I correlates to have q1 for ability a vulnerability tails a specific file path our location of the vulnerability and probably the most important part here is description so what exactly did they find like what is this vulnerability I want to see impact if this were to be fully exploited and how do you reproduce this for mobility what are those replication steps I would want to be able to see that so that our team here
            • 10:00 - 10:30 at Bunco we can do the trio validation on this submission as well as our customers for all of you to be able to understand what it is that they found how to reproduce it and how to go back and like explain to the developers if or if they're looking at what it is that this is as a security flaw rebuilding what is they need to fix a couple of optional fields here if it's I say like a web vulnerability we want to seem like what that post body is if it's a post request another optional field attachments some researchers love to you
            • 10:30 - 11:00 attach screenshots or video files some of them walking through the other vulnerability if there's a like quartz rip or something they have the ability to touch it up there - and then once again all the way the bottom here is this checkbox saying the researcher is again agreeing to everything that's in the program brief which includes the disclosure terms as well as both standard counts of conditions as well so once they fill on everything and then click on the report vulnerabilities on it'll pop over into the at the back end so kind of good switch pages here so
            • 11:00 - 11:30 what we're looking at here it's kind of like that overview of what we call crawl control or the backend platform and program owners for each customer will have an overview page so if you are running multiple different programs maybe you have your private ongoing bounty program and maybe have a separate formula disclosure program you have a way to essentially manage this as an organization owner or a program owner kind of you so you'd be able to manage all of them without having to lock into
            • 11:30 - 12:00 separate accounts for each one so it's all components Ordinaries from one view so let's go ahead and take a look at the umbrella corporation on the back end here this is just a demo program but what we're looking at here is yeah the summary page this kind of gives a brief history of recent activity of anything's going on the program itself so I mean those commissions but we were going to be more concerned with here are going to be the different submission queues or buckets so when a brand-new submission gets first submitted by a researcher it does drop into what we call the
            • 12:00 - 12:30 processing queue and this is the queue that our engineers work off our application security engineers get notified of anything here in the processing queue and so what we are actually doing here is when we get notified of a vulnerability we do need to come in and triage and validate and so we'll come in and take a look and see what the researcher actually submitted so it's a blur the brief description on this one let's take a look at another one here so if this one is a cross-site scripting vulnerability there's some information in here and looks like
            • 12:30 - 13:00 although the researcher had posted was a URL right and sometimes that's enough information and sometimes it's not so what we'll take this we'll do is we'll take a look at this will actually go to that URL and try to see if we can find out like where this Marquis is actually showing up in the page that this link to so we can find it and it looks like it's injected it looks like a valid cross-site scripting vulnerability then we can triage it as a load vulnerability and passed on to our customers or our customer I should say but if we go to this page and looks like nothing happens right and we try to figure out traing
            • 13:00 - 13:30 click around doesn't it looks like it should probably just fire automatically but it doesn't so what we need to do there at that point is we jumped on the researcher for more information so we're going to take care of that we're going to have those conversations with the researchers so let's go down a little bit past D on the bulk of the vulnerability R we do have the ability in the platform to be able to converse with the researcher and so do our customers so you have the ability to talk to them well completely optional we do encourage and again it's completely optional you can completely leave a to bugcrowd to be able to talk to the researcher so we'll just ask them a please provide
            • 13:30 - 14:00 more information and so when we do that there's an the researcher will get a notification to be able to log back in the platform and provide some more information to this particular submission otherwise vodka will not build it properly tree logic so before we mark something as say not reproducible or false positive we want to get that information from the researcher force or at least make a couple of tends to get that information from so we'll post that in post that message and then what we have in here in
            • 14:00 - 14:30 the platform it's called blockers as well so if you ever is looking at the processing queue and seeing like maybe there's something that's been sitting there a while probably a valid reason for that so we're actually on this one we are waiting for the researcher provide one information so you'll see a little red exclamation mark here and a little blocker saying that the X what explaining the reason as to why this is just sitting it's a little bit so we are waiting for the research provide more information but let's go to a different vulnerability and supposing this one ability is a real valid vulnerability and we'll take a look this obviously try
            • 14:30 - 15:00 and reproduce it and once we can we can consider to be valid so we'll actually come up here and move things along so it's in the new state of initially and then once we fully triage they'll go into the triage state and that's when our customers will get notified of any vulnerabilities that the bug car team has fully charged now there are a couple other states as well so there's anything out of scope so if we remember back on the bounty brief there are things are listed as in scope versus out of scope so we can mark things out of scope not
            • 15:00 - 15:30 reproducible again like we mentioned before we want to go back to the researcher I talked to them before we can before we actually mark something is not reproducible and then we have a couple other categories here so won't fix maybe it's something that you as a customer just they don't you don't really care about maybe it's just something that I development team or you are willing to take on that security risk if it's a security vulnerability so we have a category for that not applicable is kind of our catch-all for everything else duplicates we do more things as the people get so the way that the bounty model works is you only the only now
            • 15:30 - 16:00 from the first person who finds it and that's actually regardless of whether was found by another researcher as part of the bug bounty program or if it was found via some other means of testing maybe you've got you own like scanners or internal tools that you're using or internal employees are using so we do have an own issues importer I can show you that in settings with just a moment here but we can import those issues they're not visible to researchers normally only if you want them to be but those are strictly for the use of our application
            • 16:00 - 16:30 security engineers to be able to use a checklist for duplicates so that way you don't have to pay out for something that you already know about but supposing this is a valid vulnerability we'll go ahead and mark it as triaged and so that's when it notifies our customers are you our customer to to come and take a look at this so it drops into the to review bucket and so we see this that's when you gotta get the notification and so really the only action that any of our customers really need to take within the platform itself is accepting this is a valid one early so this gets passed to
            • 16:30 - 17:00 you and you take a look at it and something that needs to be fixed I'm so kind of briefly looking over it alright trusting bugcrowd as a malleable ability or maybe you reproduce it yourself as well so you would move it from the triage state to the can resolve saving and your accepting this as something that's valid that you're going to pay out on you can see here and this screen is that research is going to get five to forty points based on the priority this corner building based on offensive duplicate or not but your market as unresolved so once you hit unresolved it
            • 17:00 - 17:30 brings up this screen right here so that ad reward screen so this is actually the final control over how much do we should get to paid out so our customers your customers do have the ability to confirm the severity level so that's the approximate reward range of course the final reward amount goes out to W searchers as well and so we'll enter in the recommend amount which is in the parentheses right there and if we remember again back to the battle brief there are we're interested that we do set up prime for program launching again that's something that we will discuss with you prior to the program with our
            • 17:30 - 18:00 Solutions Architect giraffe's up to the debrief so that again everybody can agree on approximately how much the researchers are going to get paid for those vulnerabilities so we'll enter in the the recommended amount and you can have the option to to give a little note to the researcher I think or something but if we enter in a lower amount I just see that there is enough that comes up saying hey it's a little lower than normal I can just please explain to the researcher why I pay on that alone maybe it's something there's the mitigating control but you still want to
            • 18:00 - 18:30 reward them for it or some other reason right so all we ask is that just let our simple reason or note and then you can leave it to the buck hard TTL explain it further to the researcher so let's go ahead and Ward this one at the $300 level don't pay it out until you see again it does get marked as I into the unresolved state and again you have final control of that priority as well as the total dollar and so that drops over into the to fix bucket we do have a couple other buckets as well so we do have to get the fix to resolve
            • 18:30 - 19:00 vulnerabilities you can also view the duplicates see anything that we've marked as like not applicable or not reproducible we are fully transparent so our customers default bucket is going to be to reduce things so anything that we have triaged but if you again if you want to take a look at it and see what's what's going on the process to you what we're working on I won't we're triaging are you more than welcome to again we're fully transparent with that a couple other things to note here in the platform are going to be or I should say right on the submission itself so everything that the researcher did enter
            • 19:00 - 19:30 in on the submission form is going to be in here and then a little bit further down below that is a couple of things that our options or toggles at hand platform so rumination in by some reference links so we do provide some remediation advice for our customers and this is a little more geared towards those those developers that might not have security in the minor as their focus when they're actually developing features so it can actually help out those developers and being able but understand a little bit more about this particular security vulnerability and it does change based on the category so
            • 19:30 - 20:00 again we do provide that remediation advice right here directly the platform and we also have some great reference links as well these go on to things like the OAuth top 10 and if there's a like say a CV or CW ESO so with the particular vulnerability link you to that as well and of course something we already covered is if there's any conversations happening with the researcher all you be able to scroll down and see that as well on to the the other pages of the platforms really quick here researchers idea be able to see who's actually participating in a program able
            • 20:00 - 20:30 to see those usernames if there is a blue link that means the researcher does have their profile enabled as public so you can click on that and scalable future are a little bit more on their statistics the percentage right here is the percentage of their accuracy rate across all the programs that that particular researcher is participating in and you do have the ability and we have the ability I should say is that to be able to can restrict the the researchers based on a couple of factors
            • 20:30 - 21:00 so maybe you only want researchers that are only good at like maybe sequel injection or if you only want researchers from a specific territory the United States or just a specific country in general we do have the ability to to kind of restrict who we invite into each particular program and I kind of building on top of that that's something I didn't really get into is part of the private crown we do have a couple other tiers so to speak of the researchers so once they are eligible for the private program then they're able to in the profile a request to be ID verified then we will I will verify
            • 21:00 - 21:30 with the sort of called Jimmy oh they're a government-issued ID to make sure that they actually a real person someone out there in the real world and then even further beyond that we have background check researchers as well then we can always discuss a little bit further on exactly how we do great or I should say vet the researchers to get into the private crowd as well as who we invite to be background as well rewards and insight stamps these are give you great metrics and analytics into the platform
            • 21:30 - 22:00 and this is actually something that one of our account managers who you will be assigned to or I should say who will be assigned to you for your particular programs or your account that will be monitoring the bug panic program and how the health of your program was actually going so we're taking a look at all these statistics and then again they're right here in the platform as well for you guys to build a view but what some of the things that are in here that we're looking at is the the number of the submissions are coming in right so so kind of the way that we take the management approach for running bug
            • 22:00 - 22:30 bounty programs is I would call to crawl walk run approach so it's always easier to expand and grow the program rather than shrink it so what kind of start you off a little slow invite a lower number of researchers and say anybody it's dissipating the public program or even a private program that's been running for a couple of years its ability to kind of make sure that you kind of are used to the processes of the habits of running up actual bug bounty programs so making sure the development your development teams are able to handle the incoming load of any of these missions they're
            • 22:30 - 23:00 coming in the hello mobility are coming in and be able to fix them in a timely manner as well as being able to interact code and potentially our researchers as well and so we do get you used to that first before expanding the program to be able to say like maybe we add more scope layer on Cyclops when researchers add more researchers in maybe we'll even increase the rewards based on like the total number of submissions that are coming it just again this is something that bug cut is going to be monitoring making these recommendations and suggestions to you as per customer so
            • 23:00 - 23:30 what I can look at all these statistics to build and make sure that we understand it and again these are there for for your team as well to be able understand how things are going ignore it so break things down by based on my target so what application it was the severity of the vulnerability or the vulnerability ring tech sounding category so how many vulnerabilities are falling into each one maybe it gives you a little bit more insight into what maybe your development teams need a little bit more training so if we see a lot of injection vulnerabilities maybe maybe it's time to slip some of security
            • 23:30 - 24:00 trainings for them on how to code all will be better to be able to prevent those types of vulnerabilities from in the first place performance over time these are the great metrics that you can use to take a look and see how long it's taking you guys to accept the vulnerabilities at the fix the vulnerabilities if you are marking this resolved in the platform as well as how long it's taking us to build a triage for mobility as well now this is a demo program so we do have a lot of these submissions kind of just sitting in the like the triage block up a little bit but typically these will be a lot lot lower but we do have we do have a
            • 24:00 - 24:30 standing here and how long it takes us to triage the vulnerability mean how long it takes us to go from the brand-new submission state and fully validating the vulnerability moving to another state this does include the time that we are waiting for the researchers so sometimes this will inflated but again typically they'll be under one day for the days in triage spend obviously how much are you guys paying out for each of these each of these vulnerabilities and toll amounts for the the targets as well so it breaks it down wards tab breaks it down a
            • 24:30 - 25:00 little bit further in terms of how much are getting paid out to and then one other thing they want to mention here is before I continue into the settings go back to the inside real quick they want to mention everything on this page is exportable to a PF report or C suite CSV file and once I have our full program report as well so you have a couple options and you can generate the report directly here in the platform if there are a couple options right here when generating the report target is in scope
            • 25:00 - 25:30 submissions index I'll show you what that looks like I'll bring up a sample report for you guys so submissions next full bar Miller details on the program or details so we'll bring the report here and this is what that looks like looks a little similar to kind of a penetration test report we also have our next generation penetration test report as well which goes a little bit further deeper in and we can get into that a little bit further but what's including this report is just kind of like the basics of typical penetration test
            • 25:30 - 26:00 report executive summary a little bit of a brief description on what a bug bounty program is how long the the program's been running for if it's a time box window I just see the dates restricted there above it's ongoing it will be a little bit of a reporting methodology obviously what was within scope so those targets those applications a couple graphs that we saw from the insights tab our vulnerability remain tech sign is in here as well so how we actually rank and rate these vulnerabilities I then here are some of
            • 26:00 - 26:30 the options as well so the findings table it just gives a high-level overview of the four new bills that were found has the title category a couple other columns here does not include the full vulnerability kills that's a little further down right here so this goes into the full description of the reproduction steps that we submitted so all this can be combined into this report are those viewable and generate a bold directly write here the platform cool and then just to kind of go over the settings just a little briefly here
            • 26:30 - 27:00 since you are or customer and this is your bug bounty program we're not going to hide anything from you so you should still have the ability to come in here and edit you don't program briefs of the message that goes up some researchers I you have fully have the ability to you're coming in edit this program scope is a list of targets as well so you can come in at that to import known issues so we did talk about this a little bit earlier but would you have the ability import issues into the platform I think and this is very helpful for our team to be able to mark things as duplicates for
            • 27:00 - 27:30 things that you already know about will also let the researcher know if they did submit something that something it does link it to it another instance right here in the platform that shows them all right this was a duplicate the only thing that they'll see is that there is a duplicate they're not gonna be able see the full content so that that original submission or the original imported an Oni issue integrations we do have a number of integrations with our with our system a couple of the ones that that most of our customers are
            • 27:30 - 28:00 using today are going to be JIRA connects with the software develop tool to build up upload those issues from our platform directly into a JIRA issue do support mobile projects you have the option to make it bi-directional so if you did want to mark thing mark something as resolved or fixed within jira it can also mark that as resolved in our platform as well but is a pretty robust integration everything can be automatically just a simple toggle once it is set up but it'll push everything from the submission directly into JIRA
            • 28:00 - 28:30 each thing or I should say each each field here in the submission itself does have its own it does get pushed into its own films here as well so we do have a film mapping to be able to make sure that that we are mapping things correctly into your custom instance of JIRA a couple the other integrations a slack we did just come out with a couple more but we do have github ServiceNow integrations Qualis is specifically the web application scanner and of course we do have our API as well so full
            • 28:30 - 29:00 documentation our API is available on Doc's book or com a couple other things credentials we do have a way to manage credentials so if you do so if the researchers do require some sort of like username password to be able to access certain areas of your application you have to ability to upload them into the crowd control platform so that we can make sure to provision them to the researchers properly managed team is for managing who on your sign is going to be invited into the platform itself and we do have
            • 29:00 - 29:30 a couple further privileged roles as well so we could talk a little bit about the organization owner force so the organization owner has complete control admin control of every program for your organization admin is for this particular program as well as the analyst which has in between the admin and viewer roles viewers the read-only role and so you do have the ability to invite however many people you want we do not have a limit on the number of seats but again this is to you guys last
            • 29:30 - 30:00 but not least here is the additional fields so if you didn't want to enter in custom fields and then also we do support CSS scoring it's not popping on by default but a simple toggle right here in the system what happens is if this is toggled on it just gives our team the notification that we do need to calculate based on D at the CBO scoring calculator to make sure that that we are talking about how correctly for you guys a remediation advice is all toggle as well so if you didn't want to see the room eh device help the developers out a little bit that's just a simple toggle here in the platform as well as
            • 30:00 - 30:30 retesting is the only add-on that we do charge for as well that pretty much sums it up for the platform I think you guys have any questions please reach out to us and we could hop on a call to be able to discuss further thank you guys appreciate the time [Music]