José Ramón Palanco, CEO of Epic Bounties, has a clear objective with the platform: to make Epic Bounties the world’s leading Spanish-speaking platform in the hotly contested market of cybersecurity bug bounty programmes.

Renowned figures in the world of cybersecurity have joined this project, such as Jaime Restrepo, founder of the DragonJAR community. Epic Bounties is committed to having the best Spanish and Latin American researchers at all times, providing services through the main partners and complying with European regulatory standards.

One of the reasons why Epic Bounties has prioritised the Spanish-speaking world is clear: there is no company like this in the Hispanic market. Even so, there is a strong demand that ends up with providers in other countries. Some companies that need this type of service may find the language barrier to be a barrier to managing hunters, speaking with the platform in the same language at all times without problems. Companies can also find as an advantage the proximity and the confidence that Epic Bounties will comply with European regulations: money laundering prevention directive, GDPR… At Epic Bounties we offer organisations the best local hunters, as well as a much closer treatment.

Here are some comments on cybersecurity and bug bounty from our CEO, José Ramón Palanco.

Main threats that can be avoided with Epic Bounties.

The most common ones detected are server misconfigurations, data exposure, access to unmaintained servers… The interesting thing about a programme like Epic Bounties is that it can find totally unexpected vulnerabilities.

Differences compared to other Bug Bounty programmes

Within the Epic Bounties business model, partners have been included as a key part of the bug bounty programme, adding value with that bet. Epic Bounties helps companies to put in place the necessary procedures so that hunters can submit vulnerabilities with the necessary legal guarantees.

What they bring to CISOSs

An advantage for CISOSs with the use of this type of software is to be able to detect vulnerabilities that have not appeared with either automatic solutions or manual audits. This is because hunters usually make customised tools for each case. Automated tools are very generic and do not fit all scenarios. Hunters can find vulnerabilities 365 days a year and the community is very large. We have also found a positive response from CISOs who have found that these programmes allow them to optimise their cybersecurity budget.

The return you get with Bug Bounty

The more “traditional” options only pay for the security bugs found. However, from a bug bounty platform, a reasonable reward is offered by defining how serious it would be to find a vulnerability in an asset. The impact of a vulnerability can cost several million but the reward is thousands of euros. In this way, the ROSI (Return on Security Investment) will be much higher than that of an audit, which in itself does not guarantee that a vulnerability will be found. Epic Bounties would like to clarify that a bug bounty programme.

Differences in the bug bounty market: Spain vs USA

There is a certain lack of knowledge about bug bounty programmes in Spanish-speaking countries, but as it becomes known, organisations have shown interest in using this tool as an added value to their cybersecurity department. All security managers are analysing existing solutions, including bug bounty. In Spain, we are at a very early stage, but we will see initiatives such as the one recently implemented by the Catalan government. The administrations are aware of the advantages offered by this new model and are working on it.