What Every Security Leader Needs to Know about Bug Bounties: When and How
By Miju Han, Director of Product Management at HackerOne
Bug bounties take advantage of the large hacker community to find vulnerabilities you don’t have the resources to find yourself. Hackers submit bugs they find and are rewarded by you based on the severity and impact of the bug.
Bug bounties bring many benefits. First, you have access to more security researchers than you could ever afford to hire. Most security teams are a fraction of the size of development teams. Bug bounties allow you to scale your security efforts much more easily than hiring.
While not a silver bullet, bug bounties are a strong addition to the security program at your company. When your goal is continuous security, bug bounties help you reach that goal by providing continuous security testing by thousands of hackers all around the world.
How to Build Toward a Bug Bounty Program
Like any large initiative, it’s best to start small with bug bounties and scale them up as you learn how to manage them and mature. There are concrete steps that’ll take you from bug bounty newbie to master in no time.
A vulnerability disclosure policy (VDP) is the first step organizations need to take before creating a bug bounty program. VDPs formalize the method of submitting vulnerabilities to a company. They typically give guidelines to hackers on what applications they can test, how to submit vulnerabilities, and how the company will handle submissions. VDPs typically include language promising not to prosecute hackers as long as they stick to the guidelines.
VDPs are essential to establish guidelines and make hackers feel comfortable submitting findings. Once a VDP is in place, you’ll need a mechanism to accept vulnerabilities. To keep things simple, use an email address for vulnerability submissions. These typically take the form of “security@<
You can experience the bug bounty world without starting a permanent program. Hacker-powered penetration tests offer the best of both worlds — the limited scope of penetration tests with the hackers and bounties you see in a traditional bug bounty program.
These 4-week engagements demonstrate the power of bug bounties while giving you complete control over what is tested. Some companies elect to hold one-day challenges to see who can find the most bugs. These options give you the chance to meet exceptional hackers who you could later invite to a private bug bounty.
A hacker-powered penetration test is also a great way to remain compliant with standards and regulations while receiving high-quality vulnerabilities at the same time.
The next step would be to develop a private bug bounty program. Private bug bounties invite a few hackers to participate in the program. These hackers submit vulnerabilities and help iron out any inefficiencies in the process while still improving the security of your systems. Start with a private bug bounty program to help your triage team get used to communicating with hackers.
Once you have submission, triage and resolution processes moving like a well-oiled machine, you can open the bug bounty up to the public. Public bug bounties have many more bug reports to work through, but can help find creative vulnerabilities other testing methods will miss. Public bug bounties maximize your exposure to skills and testing methods and provide your company with some good PR.
Bug bounties have helped many companies supplement and scale their security teams in ways they never thought possible. Take the time to evaluate your current processes and see where a bug bounty program may fit.
Share Your Knowledge
The Internet doesn’t have to be the wild west with an “everyone for themselves” attitude. It becomes safer as a whole when leaders work together to share information. If your security program develops into a world-class operation, share with others how that happened. If everyone has a world-class security team, everyone is that much safer.
Keep track of what you’ve learned and look for opportunities to share with others. Professional organizations such as ISC2 and SANS exist to help share security knowledge. Become an instructor or contribute research reports and case studies. Conferences also present a great opportunity to share knowledge. Apply to speak at a security conference so you can share what you’ve learned in a relaxed setting with hundreds of people. If they apply what you’ve taught them, you’ve made an impact on the security industry as a whole.
Security leaders lead not only their organization but possibly others as well. Collaboration and sharing are the way to a more secure future. Take advantage of opportunities to teach and learn from others. Together, we’ll make the Internet a safer place for everyone. (HackerOne)