Earning Or Certifying : Bug Bounties And The CISSP

Many organisations consider the Certified Information Systems Security Professional (CISSP) qualification essential for prospective security personnel. To maintain that certification, members need to keep up their professional development activities, and now they can do so by bug hunting.


Any legitimate bug that is found via Bugcrowd bounty hunters is eligible unless, alas, it is one that attracts a payment. But, hey, I guess you can’t have it both ways can you?

Here is the press release –

Crowdsourced security startup Bugcrowd today announced testers participating in its bug bounty programs will for the first time be able to earn professional development credits recognised by the International Information Systems Certification Consortium (ISC)2® for its CISSP® accreditation.

“To our knowledge, this is the first time security professionals have been able to build their professional qualifications while helping to identify and report security issues in a crowdsourced security community,” said Casey Ellis, Bugcrowd’s co-founder and CEO.

“Bug bounties are used by brands such as Google, Facebook and PayPal to uncover security flaws in their systems, but bug bounties are impossible for companies without the audience reach of these large brands, because they can’t recruit the testers they need.”

In a bug bounty program, testers compete with each other to be the first to identify security flaws in a web application, the kind of issues that result in the loss of sensitive customer and business information, such as credit card details and logins.

“This announcement is another validation that our fast-growing security testing community is being recognised for rapid, high-quality, professional security work,” Ellis said.

“Bugcrowd has a novel approach to the problem of recruiting security testers,” said Wim Remes, (ISC)2® board member.

“I’m excited to see security professionals getting engaged in Bugcrowd campaigns for a wide range of customers. I’m convinced that the combination of educational opportunities for skilled professionals and Bugcrowd’s commitment to providing a high-quality and secure testing environment for their clients will yield benefits for all involved,” Remes said.

Jeremiah Grossman, founder and CTO of industry-leading web security firm WhiteHat Security, said he was confident Bugcrowd could leverage CISSP® accreditation to continue growing and exciting security testers in the community.

“Just about any organisation with web-facing applications may benefit from offering a bug bounty program. Bugcrowd makes deploying such programs easy and accessible to businesses of any shape and size. The CISSP® accreditation enables Bugcrowd to reward the security testers above and beyond just money,” Grossman said.

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.


  1. Hey, thanks for the writeup!

    Re the “eligible unless attracts a payment” thing: The ISC2 have a blanket rule on CPEs – they can’t be earned doing anything that can be considered employment… hence the qualifier.

    That said, win a decent bounty and you can buy a conference ticket, which can qualify as a CPE too… It all works out in the end!

    Casey – CEO of Bugcrowd
