7 steps to start a bug bounty program

This can help companies get ahead of adversaries.

A new approach

Vulnerability assessment and identification strategies have evolved to include the concept of crowdsourced security testing through bug bounty programs. While bug bounty programs have been used for over 20 years, widespread adoption by enterprise organizations has only begun to take off within the last few years. The bug bounty path, paved by tech giants, is widening, enabling security teams of all sizes to create and manage robust security assessment programs, get ahead of adversaries, and level the cybersecurity playing field. As we are clearly still in the early- to mid-adopter phase of this new market, Paul Ross, senior vice president of marketing at Bugcrowd, breaks down how to get started with a bug bounty program, and how to prepare your organization for this new approach to vulnerability testing.

Establish what your program should achieve

The first step in evaluating the potential launch of a bounty program is to be clear about what you want to achieve. Is this an extension of your existing security posture to ensure you are getting the maximum inspection of your application or is it a way for you to establish and maintain your security credentials with customers, suppliers, and the security community? Do you have continuous code being released that would require an ongoing program, or a specific release or goal in mind that would dictate a short-focused engagement? This type of thinking will help you define the type of program you run.

This will also help you get alignment internally and ensure the resources are available to fund and act on the results of the program. For a crowdsourced, incentivized approach to become a part of the mix, it requires commitment, resources and investment from the business as a whole.

Leave nothing open to interpretation

The most important step to ensure a successful program scope is to clearly define it, leaving as little as possible to interpretation. A bounty’s scope informs the researchers what they can and cannot test, and points them to key targets. Getting this right ensures you not only get what you want from the program but also makes it easier to maintain a good relationship with the researchers who are putting time and effort into helping you. The best way to do this is to take a step back and objectively evaluate the scope being articulated. Document the specific targets, technologies and focus areas for testing. Also be very clear about what is not in scope - this is potentially even more important if you want to have a great experience with the research crowd.

Ensure visibility throughout the organization

It’s critical that the entire organization is aware of the bounty program, especially if you are doing a public program, and that relevant groups know how to respond or react to information around it. Company-wide processes will ensure the timely review and remediation of found issues, as well as prioritization guidelines over existing work. These processes may involve creating templates and workflows, or integrating with internal development tools.

While it’s most important that the IT folks are well informed and directed, it’s also integral that the security lead or team understands the extent to which this will impact other departments. For example, marketing or sales staff should be aware of testing on public website forms, and customer service staff should be prepared to field related questions, etc. Undoubtedly, there will be a learning process when getting started, but being aware and addressing questions prior to launch will spare more than a few headaches and some last minute scrambling.

Set up to review and remediate incoming bug submissions

As submissions begin coming in, triaging and reviewing incoming vulnerability reports is necessary to determine if a vulnerability is valid or invalid, and what action needs to happen. Whether it is the head of security or a lead developer, the proper person/team should look at the submission and help progress toward a validation and fix.

Validating, fixing and communicating the resolution of those incidents internally and externally can be done by a designated in-house resource, or by a third-party resource. Submissions marked valid should be prioritized by how critical they are, and the proper person or team should outline the implications of vulnerabilities at hand and steps to implement fixes. Additionally, researchers should be rewarded or credited accordingly.
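The scope rules above (explicit targets, explicit exclusions) and the triage step just described can be encoded so that incoming reports are checked mechanically before a human reviews them. The following is an added example, not code from the article or from Bugcrowd; the hostnames, report ids and severity labels are constructed sample data, and exclusions are deliberately checked before inclusions so that an out-of-scope entry always wins over a wildcard.

```python
from dataclasses import dataclass

# Constructed scope document: name what may be tested and, just as explicitly,
# what may not. A "*." entry covers the base host and all of its subdomains.
IN_SCOPE = {"app.example.com", "*.api.example.com"}
OUT_OF_SCOPE = {"blog.example.com", "legacy.api.example.com"}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass
class Submission:
    report_id: str
    target: str
    severity: str

def _matches(host: str, entry: str) -> bool:
    if entry.startswith("*."):
        base = entry[2:]
        return host == base or host.endswith("." + base)
    return host == entry

def scope_status(target: str) -> str:
    """Classify a target as in_scope, out_of_scope, or unlisted (a scope gap)."""
    host = target.lower().strip()
    if any(_matches(host, e) for e in OUT_OF_SCOPE):   # exclusions take precedence
        return "out_of_scope"
    if any(_matches(host, e) for e in IN_SCOPE):
        return "in_scope"
    return "unlisted"

def triage(submissions):
    """Return (work queue ordered by severity, rejected reports with a reason)."""
    queue, rejected = [], []
    for s in submissions:
        status = scope_status(s.target)
        if status != "in_scope":
            rejected.append((s.report_id, status))
        elif s.severity not in SEVERITY_RANK:
            rejected.append((s.report_id, "unknown_severity"))
        else:
            queue.append(s)
    queue.sort(key=lambda s: SEVERITY_RANK[s.severity])   # most critical first
    return queue, rejected

# Constructed sample reports for a dry run of the triage step.
SAMPLE = [
    Submission("R-1", "app.example.com", "medium"),
    Submission("R-2", "blog.example.com", "critical"),
    Submission("R-3", "v2.api.example.com", "high"),
    Submission("R-4", "legacy.api.example.com", "high"),
    Submission("R-5", "shop.example.com", "high"),
]
```

Reports that come back as "unlisted" are worth a look even though they are rejected: each one marks a host the scope document forgot to name either way.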

Be ready to pay researchers

If you are running a bug bounty program, you need to be ready to actually pay out the bounty. That means having the people and processes in place to respond to submissions, validate them, get them queued up to be fixed - and of course reward the submissions that meet your requirements. Doing this in a timely fashion will ensure you continue to have motivated researchers engage with your program and improve your reputation in the community.

Learn and iterate

Because code and threats change continuously, it is important to reassess program goals and scope, adjusting programs to meet targets by redistributing resources, improving rewards, or running additional programs. This continuous testing is also an excellent opportunity to learn to write better, more secure code.

Go private if it makes sense

Organizations looking to reap the benefits of traditional bug bounty programs, but with a specific goal or restriction in mind, may consider utilizing private bounty programs. These also can be ongoing or on-demand programs to meet specific needs. Private programs are more exclusive and typically highly incentivized, often run via a crowdsourcing platform vendor that provides researcher vetting and program management.

These types of programs often have a more specific scope or focus to encourage testing on a specific target with very specific goals.
