Cobalt Crowdsourced Application PentestCobalt Crowdsourced Application PentestCobalt Crowdsourced Application Pentest


Georg Untersalmberger


Auctionata is the inventor of the livestream auction. Founded in 2012, the Berlin-based start-up offers all the services of a traditional auction house on a single website. With a patented state-of-the-art technology, Auctionata broadcasts its livestream auctions in real-time and HD quality to desktop and mobile devices and provides an online auction room that is accessible to bidders worldwide.

With thousands of global users and daily transactions, building a trusted and secure application is a top priority for Auctionata. Their engineering team aims to implement a strong security practice that is easy to sustain, but also fits within their budgets.

Keeping Up with the Bad Guys

As a fast-growing online businesses, Auctionata is constantly deploying new code. But, as with all deploys, these releases also introduce the possibility of new vulnerabilities and the bad guys never rest.

Georg Untersalmberger, CTO of Auctionata, and his team were scouting options for testing security on a continuous basis to patch any potential bugs.

"We were looking for a scalable and cost-effective way to gain access to skilled security researchers who could be creative and think like the bad guys."

Auctionata discovered Cobalt and decided to explore the power of crowdsourced application security and bug bounty programs.

Trial with Instant Results

To test the bug bounty program concept, Georg and his team selected a trial with this setup:

  • Private security testing with 3 vetted researchers handpicked from a crowdsourced pool of thousands
  • Pay-per-bug: Auctionata would reward valid reports $50-$1000+
  • Scope: Public accessible parts of
  • Deadline of one week
  • A fixed budget

The trial brought impressive results and Auctionata rewarded 10 findings reported in the trial.

"Our internal team had done extensive security testing on the application. But the creativity of the three security researchers was fantastic, and they were able to give us highly valuable feedback."

- Georg Untersalmberger

Continuing with Fresh Eyes Each Month

After the successful trial, Georg and Auctionata decided to continue with a private bug bounty model that includes 3-5 new handpicked researchers invited to test every month.

"We wanted to get fresh and incentivized eyes on our applications every month. Cobalt is perfect for this, as it enables us to easily access a huge pool of talent and work with them in a structured way through the Cobalt interface."

Cobalt supports Auctionata in all the aspects of the invite-only bug bounty program. From selecting the researchers to providing the tools needed for managing reports, Cobalt ensures that the program is effective without cluttering Georg’s team.


With Cobalt’s security program, Auctionata has received:

  • experienced testers on the platform monthly, without needing to hire internal resources or expensive consultants.
  • an affordable pay-per-bug security testing model.
  • contact with highly-skilled researchers from around the world.

"Cobalt has made it easy for us to work with talented security researchers and stay up-to-date on the latest vulnerability developments."