Catawiki, a leading European marketplace known for its commitment to crowdsourced and offensive security, has transitioned to Bugcrowd to utilise its unified bug bounty and penetration testing platform. By selecting Bugcrowd, Catawiki eliminated the need to manage multiple engagements with various penetration testing and bug bounty providers. The results from Bugcrowd’s penetration tests have played a crucial role in shaping Catawiki’s security roadmap.
The situation
Catawiki runs Europe’s leading marketplace for special objects. It has 10 million unique visitors every month and needs strong security measures in place to ensure that auctions and online sales work seamlessly and without interference to protect its users’ trust. To secure its products and reputation, Catawiki focuses on its web platform, where the auctions are run, and its internal API.
The company and its leadership have long been believers in crowdsourced and offensive security, where the good actors probe for vulnerabilities before they become a problem. Catawiki set up pen tests and bug bounties with the goal of rooting out vulnerabilities. However, its previous bug bounties and pen tests were not delivering the results it needed, with no pen test vulnerabilities found in 2022.
The challenge
Catawiki needed a better solution. Although it had other controls in place to catch vulnerabilities earlier, it wasn’t confident that its previous providers had enough skilled ethical hackers to find the hidden vulnerabilities. Even when vulnerabilities were found, Catawiki felt they were basic and not directly impacting ones that an automated scanner could have picked up. During the tests themselves, prior pentesters weren’t very communicative, and Catawiki didn’t feel like it could focus the tests on the right areas of its product. Because of this lack of results, Catawiki found itself choosing different providers every year, burdening its security team with regular migration and onboarding work. Finally, after its last bug bounty provider found only two minor bugs and ended the bug bounty before Catawiki’s funds were even used up, the company decided to switch to Bugcrowd.
The Bugcrowd Solution
In considering its provider options, Catawiki found that Bugcrowd stood out as a leader in the crowdsourced and offensive security market. It ultimately chose Bugcrowd because it offers a well-unified bug bounty and pen testing platform – one place to do it all. Catawiki was excited by the prospect of using pen testing results to directly enhance the bug bounty program.
In the words of Aristide Bouix, the Head of Product Security at Catawiki: “The bug bounty program provides added value beyond a pen test, but if it’s run through the same platform, its value is doubled.”
By choosing Bugcrowd, Catawiki stopped having to juggle multiple engagements with different pen test and bug bounty providers, and it no longer needed to port results from one provider to another. Furthermore, it could avoid the myriad onboarding and monitoring meetings that were part of its prior security efforts. Given these considerations and obstacles, Bugcrowd made the most sense.
Catawiki started with a Bugcrowd pen test. From the start, the process was transparent and controllable, which Catawiki felt had been missing with previous providers. Pentesters communicated frequently in Slack, detailing the surfaces they were going to test along with their methodology. There were also many pentesters available, allowing Catawiki to choose the right testers for its specific surfaces.
Success snapshot
Bugcrowd’s pentesters ultimately found four P2 vulnerabilities for Catawiki, including some that affected its API, which was a high-priority surface. The pen test results directly helped Catawiki shape its security roadmap. Aristide shared: “We were able to reuse the content of this pen test report to shape our internal product security program roadmap and prioritise initiatives that go beyond the simple findings, as part of our engineering effort.”
The outcomes
After the pen test, Catawiki transitioned to running a managed bug bounty with Bugcrowd. Running both programs through one platform with Bugcrowd let Catawiki use the pen test results to catch the low-hanging fruit so that the bug bounty can yield more elusive vulnerabilities. With the bug bounty, hackers caught three times more vulnerabilities in the first two months of the engagement than the industry standard. Discovering more API bugs through the bounty also helped Catawiki develop its security roadmap even more effectively. In contrast to previous bug bounties, Bugcrowd’s bug bounty uncovered novel vulnerabilities.
“These vulnerabilities had not been identified in previous pen tests or responsible disclosures until they were discovered through Bugcrowd,” Aristide said.
With new critical vulnerabilities found, Catawiki was able to make a security roadmap to fix its most critical issues and secure its platform and API. Reflecting on the process, Catawiki mentioned that major benefits included the breadth of expertise available on Bugcrowd, the strong communication, and the ability to run pen tests and bug bounties through the same platform. With its yearly pen test concluded, Catawiki will continue to run its bug bounty to keep ensuring its auctions and online sales are secure.
We asked Aristide Bouix, Head of Product Security, Catawiki, Netherlands, further questions to find out more.
What prompted Catawiki to shift from its previous bug bounty providers to Bugcrowd, and what specific challenges were you hoping to address with this switch?
At Catawiki, maintaining the security of our marketplace is paramount. Our previous providers faced challenges in maintaining an active community of security researchers, often needing to source participants externally. With Bugcrowd, we didn’t encounter this issue, as their established community of researchers was readily available. In fact, we worked closely with Bugcrowd to invite only vetted and trusted researchers to ensure a controlled environment, minimising any unnecessary risks or disruptions. This transition has allowed us to focus more on securing our platform and less on the logistics of the bug bounty program.
How has integrating both the pen testing and bug bounty programs on Bugcrowd’s platform helped streamline Catawiki’s security operations?
Integrating Bugcrowd’s platform for both penetration testing and bug bounty programs has streamlined security operations at Catawiki. We started with a focused pentest to identify potentially highest vulnerabilities before launching the bug bounty program. This approach had two key benefits: it allowed us to address the most significant findings upfront, reducing potential impact on bounty rewards, and it gave us a clearer understanding of our security posture, helping us refine the scope of the bug bounty program and ensure that our security initiatives aligned with the needs of Catawiki.
Can you elaborate on the critical vulnerabilities found through Bugcrowd’s platform and how they impacted Catawiki’s API security?
While I can’t go into specific details about the vulnerabilities, I can say that the findings from Bugcrowd provided valuable insights into improving the resilience of Catawiki’s APIs. These insights allowed us to strengthen our design and build a more standardised approach to API security which is crucial for maintaining the integrity and trust in our marketplace.
What role did communication play in the success of Bugcrowd’s pen tests, and how did it differ from the communication with your previous providers?
Communication has been a key factor in the success of Bugcrowd’s penetration tests for Catawiki. We used a dedicated Slack workspace to communicate directly with the pentester and program manager, enabling real-time adjustments to the scope of the test. The responsiveness of the selected researcher was excellent, and once the pentest was completed, the researcher was invited to participate in our bug bounty program to provide continuity in assessing our marketplace’s security.
How did Catawiki’s product security roadmap evolve after the Bugcrowd pen test, and what specific initiatives have been prioritised as a result?
Following Bugcrowd’s penetration test, we made key adjustments to Catawiki’s product security roadmap, particularly around fortifying our backend infrastructure. While I can’t share specific details, these insights have been crucial in shaping our long-term strategy.
Additionally, the insights and remediation strategies were integrated into our Security Champions program, allowing us to disseminate best practices across the wider technology department. This approach has helped us scale security initiatives and embed a security-first mindset more deeply into Catawiki’s product development culture.
What lessons have you learned from managing a bug bounty program, and how do you plan to leverage these insights to enhance Catawiki’s long-term security strategy?
One of the key lessons from managing Catawiki’s bug bounty program is the importance of clearly defining the scope of it – what parts of the application should or should not be tested, including specific testing methodologies like Denial of Service or components involving third-party providers. Transparency is also key in keeping researchers engaged. At Catawiki, we prioritise clear communication about the validity of reports, regardless of the reward, to maintain trust and long-term collaboration with BugCrowd’s community of researchers.
Click below to share this article
