Sunday, May 3, 2020

Bug Bounty Program and Process

Bug Bounty

What Motivates Researchers?

  • Curiosity: the hacker mindset. People want to understand how a system works, and then to manipulate it until they can make it do things it was never designed to do.
  • Cash: bug bounties attach a cash reward to each accepted finding.
  • Social recognition: halls of fame, leaderboards and similar public credits testify to an individual's skill.

Bug Bounty Programs

  • The best-known of the crowdsourced security models. It builds on a vulnerability disclosure program by adding a competition-based testing model, and leverages a community of white hat hackers at scale to deliver rapid vulnerability discovery across multiple attack surfaces.
  • A bug bounty is a reward offered, either money or kudos, for vulnerabilities discovered within a set scope.
  • Bug bounty programs use a pay-for-results model: you only pay for valid, reproducible findings. Through these programs, companies authorize researchers not only to identify vulnerabilities but also to provide a proof of concept.
  • Testing is authorized under the terms and conditions that the researchers and the company (and, if a third-party platform is used, that platform) have agreed to; anything outside those terms is not covered by the program.

How it works

  • Engage global researchers: Incentivize a global community of security researchers from around the world to find vulnerabilities.
  • Submission Triage and Validation: Triage and validate all incoming submissions to ensure an organization’s security team is focused on critical issues that present a real risk to the business.
  • Submission Acceptance and Payout: Organizations review and confirm triaged submissions. Pay researchers at this point, on acceptance of the finding, rather than waiting for the fix to ship.
  • Fix Vulnerability and Verify: Integrate directly into software development to speed up the remediation process. Don’t forget to retest!
There are two types of bug bounty programs, private and public.
Private Programs
  • Controlled testing environment with a small set of highly vetted and experienced researchers. 
  • Elasticity to adjust researcher engagement and testing scope as needed.
  • Ideal for targets that are not publicly accessible, such as staging environments, applications that require credentialed access, or physical devices.
Public Programs
  • Scale testing efforts to gain access to a broad skill set, diversity of approach and wide coverage.
  • Heighten security awareness and reassure stakeholders that security is a priority for your organization.
  • Ideal for publicly accessible targets such as web and mobile applications or more complex targets like client-side apps and IoT devices.
Crawl, Walk, Run Approach
  • Crawl: Launch private bug bounty with limited scope
  • Walk: Transition to public program
  • Run: Increase rewards, add targets, boost researcher engagement
Bug bounty programs can be run in both on-demand or continuous engagements.
  • On-demand: A single point in time or periodic testing engagement that is best fit for an initial proof-of-concept, or as a replacement for periodic penetration tests.
  • Ongoing: An ongoing testing engagement that is best fit for high-value targets or agile DevOps cultures where the application is changing continuously.
Advantages of Bug Bounty Programs
  • Rapid Risk Reduction: Incentive-based testing motivates researchers to think creatively and find high-impact vulnerabilities that present the most risk to the business.
  • Cost-Effective: A results-driven model ensures payment for the vulnerabilities that present a risk to the business, and not for the time or effort it took to find them.
  • Lower Operational Overhead: A managed, platform-hosted program integrates with your existing SDLC, so setup and day-to-day maintenance fall largely on the platform rather than on your team.
Disadvantage
  • Once the submissions start to come in, it is easy to get overwhelmed. Organizations rarely have the time or resources to triage and validate incoming vulnerability findings from outside researchers.
Staffing is a major consideration. A team with the following skill set is required:
  • Technical security assessment skills: must be able to reproduce complex vulnerabilities on different systems and platforms.
  • Communication skills: This person is the broker between the security research community and internal engineering and development.
  • Patience: The job is repetitive in nature and requires constant attention to both the researcher community and the submission process.
How to Launch a Successful Managed Bug Bounty Program
  • Scoping: Know and understand your attack surface, and discuss the program goals unique to your business. Once you establish those goals, you are ready to write your bounty brief by setting your in-scope targets, focus areas, exclusions and incentive program.
  • Implementing: Once your program brief has been clearly and thoughtfully articulated, spend time discussing bug bounty processes with the development team. These intake, remediation and communication processes may involve creating templates and workflows, or integrating with internal development tools. When everyone is on the same page, you’re ready to launch and promote your program.
  • Receiving Bugs: As submissions start coming in, triaging is necessary to determine if a vulnerability is valid, invalid or duplicate.
  • Remediating: Valid bugs must then be fed back into your development lifecycle and prioritized by criticality and in relation to existing development workload.
  • Learning + Iterating: Because testing is continuous, it is important to reassess results and goals continually, adjusting your program to meet these targets by redistributing resources, improving rewards, or running additional programs. This continuous testing is also an excellent opportunity to learn to write better, more secure code.
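The two steps that most often overwhelm a team are scoping and triage: deciding whether an incoming report hits an in-scope target, whether it falls under an exclusion in the brief, and whether it duplicates a report already accepted. The script below is an added example, not code from the original post or from any bounty platform; the data model (`BountyBrief`, `Submission`) and the helper names are hypothetical, and the brief and the six reports at the bottom are constructed sample data. It checks each report against the brief's in-scope host patterns and exclusions, fingerprints the report by host, path, vulnerability class and parameter, and marks later reports with the same fingerprint as duplicates.

```python
"""Scope check and duplicate triage for incoming bug bounty submissions.

Added example: BountyBrief, Submission and triage() are hypothetical names
chosen for illustration, not a real platform's API.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from urllib.parse import urlparse


@dataclass
class BountyBrief:
    """The part of a bounty brief that the triage step needs."""
    in_scope_hosts: list[str]    # hostname patterns, e.g. "*.example.com"
    excluded_hosts: list[str]    # hosts carved out of a wildcard
    excluded_classes: set[str]   # vulnerability classes the brief does not pay for
    rewards: dict[str, int]      # severity -> payout


@dataclass
class Submission:
    id: str
    target_url: str
    vuln_class: str       # e.g. "xss", "idor", "sqli"
    severity: str         # "critical" / "high" / "medium" / "low"
    parameter: str = ""   # affected parameter or object id, if any


def _host(url: str) -> str:
    # urlparse().hostname is already lowercased; "" if the URL has no host
    return urlparse(url).hostname or ""


def scope_status(brief: BountyBrief, sub: Submission) -> str:
    """Return 'in_scope', 'excluded' or 'out_of_scope' for one submission.

    Exclusions are checked first so that an excluded host stays excluded
    even when it also matches an in-scope wildcard."""
    host = _host(sub.target_url)
    if any(fnmatch(host, pat) for pat in brief.excluded_hosts):
        return "excluded"
    if sub.vuln_class in brief.excluded_classes:
        return "excluded"
    if any(fnmatch(host, pat) for pat in brief.in_scope_hosts):
        return "in_scope"
    return "out_of_scope"


def fingerprint(sub: Submission) -> tuple[str, str, str, str]:
    """Normalise host, path, vuln class and parameter so that two reports of
    the same bug collide. Query string and fragment are deliberately ignored:
    they usually carry the researcher's payload, not the bug's identity."""
    path = urlparse(sub.target_url).path.rstrip("/") or "/"
    return (_host(sub.target_url), path.lower(), sub.vuln_class, sub.parameter.lower())


def triage(brief: BountyBrief, submissions: list[Submission]) -> dict[str, tuple[str, int]]:
    """Map submission id -> (verdict, payout).

    Submissions are processed in arrival order: the first in-scope report of a
    fingerprint is 'valid' and earns the reward for its severity; later reports
    with the same fingerprint are 'duplicate' and earn nothing."""
    seen: dict[tuple[str, str, str, str], str] = {}   # fingerprint -> winning id
    results: dict[str, tuple[str, int]] = {}
    for sub in submissions:
        status = scope_status(brief, sub)
        if status != "in_scope":
            results[sub.id] = (status, 0)
            continue
        fp = fingerprint(sub)
        if fp in seen:
            results[sub.id] = ("duplicate", 0)   # credit already went to seen[fp]
            continue
        seen[fp] = sub.id
        results[sub.id] = ("valid", brief.rewards.get(sub.severity, 0))
    return results


# Constructed sample brief and reports (not real targets or findings).
BRIEF = BountyBrief(
    in_scope_hosts=["*.example.com"],
    excluded_hosts=["blog.example.com"],
    excluded_classes={"clickjacking", "missing-security-headers"},
    rewards={"critical": 5000, "high": 1500, "medium": 500, "low": 100},
)

SUBMISSIONS = [  # in arrival order
    Submission("r1", "https://app.example.com/login?next=/home", "xss", "high", "next"),
    Submission("r2", "https://App.Example.com/login/", "xss", "high", "NEXT"),
    Submission("r3", "https://blog.example.com/wp-login.php", "xss", "high", "redirect_to"),
    Submission("r4", "https://example.org/search", "sqli", "critical", "q"),
    Submission("r5", "https://api.example.com/v1/users", "clickjacking", "low"),
    Submission("r6", "https://api.example.com/v1/users/42", "idor", "critical", "id"),
]

if __name__ == "__main__":
    for sid, (verdict, payout) in triage(BRIEF, SUBMISSIONS).items():
        print(f"{sid}: {verdict:<12} ${payout}")
```

The fingerprint is intentionally coarse: it catches the common case of two researchers reporting the same reflected parameter on the same endpoint with different payloads, but it will also collapse two genuinely different bugs that share a class and parameter, so a "duplicate" verdict from this kind of check should still be confirmed by the triager before the researcher is told.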
