Every day, automated scripts and hackers probe your internet-facing applications for security holes. In recent years, many commercial companies and not-for-profit organizations have sought ways to engage with the community to let them find bugs and other security vulnerabilities. In return for financial rewards or other benefits, individuals participate in so-called Bug Bounty programs. A Bug Bounty program is set up to bring the security of your applications to the next level. That is easier said than done: you need to carefully consider the pros and cons for your organization before you start. This article offers guidelines for a successful Bug Bounty program.
Comparison with Pen testers
Don’t confuse a Bug Bounty program with your (internal) Red team, which conducts pen tests. It’s also not an extension of that team. Simply said, it can never replace Pen testing efforts. Since Pen testing teams have access to your environment (in some way or another), they always have a report with some outcome to show. This does not apply to individuals participating in your Bug Bounty program.
More value for money
Perhaps the most interesting benefit of running a bug bounty program in addition to hiring Pen testers is that the Pen testing company in charge might feel the competition from the participants in the Bug Bounty program. Perhaps you even get better value for your money from the party that conducts the Pen tests. Feeling pressed by a virtually unlimited number of participants, they might search harder for difficult-to-find security bugs. And they might skip reporting on low-hanging fruit that is easily discovered by the Bug Bounty participants. This is especially true if the findings of the Bug Bounty program are shown online. Pen testers certainly won’t come back to you with no results at all, since there would be a big chance that you won’t hire them again.
Instead, Pen testing companies might add more senior security experts or add other services to the table to make sure they still add value to you over the results of the Bug Bounty program.
Challenges and potential drawbacks
One of the most important aspects of running a Bug Bounty program is that you need to be “always on”. Expect a large number of submissions in the first weeks after the program has started. Also, be prepared to receive a lot of duplicate submissions. Many of them might be false positives or just low-hanging fruit that you already discovered yourself. Whatever you receive from your participants, you need to respond to all of them, but only after careful investigation, follow-up, and communication.
To outsource or not?
All of this can be handled by a partner to which you outsource the Bug Bounty program. However, this changes how people perceive your company’s attitude towards security. Essentially, they might think that you don’t take security seriously, since your name is no longer attached to the Bug Bounty program itself. Perhaps people are then less likely to trust your organization, so it can hurt your corporate image.
Furthermore, it can also lead to bad PR. Not every participant will appreciate how they are treated when participating. It’s easy to dissatisfy participants when they feel treated badly. This can be due to several aspects, such as late pay-out, the classification of their submissions, or how (fast) you respond to them. On top of that, expect everything you do to become public sooner or later. This leaves you vulnerable to mistakes that might result in disgruntled people.
Financial Considerations
Before you launch the campaign to promote your Bug Bounty program, it’s good to consider the financial aspects. Without having these in place, there is no reason to start at all.
Rewards
Contributors demand some kind of reward for their efforts. It is their investment in terms of time and energy which should be rewarded. Serious organizations offer hard cash instead of t-shirts, stickers, or other merchandise-like products. Being open and clear helps to set the right expectations. You should understand that some people hunt bugs for a living. Others are encouraged to earn a place on the “wall of fame”.
Successful Bug Bounty programs aim to attract contributors who have already submitted security bugs in the past, in order to build a trusted relationship with them. By doing so, they also increase the amount of cash to be paid. Besides, the harder a bug is to find, the bigger the reward.
Pay on time
Needless to say, you should pay your submitters on time so they continue to take your program seriously. Nothing is more frustrating than having to disappoint your valued contributors. People want to know what to expect: when will they get paid, in which currency, and under which conditions? Also, think about local taxes and other hidden costs that might be deducted afterward. It should not be a surprise to your submitters that they will earn less than expected. Be transparent about these topics.
Therefore, you need to think about various payment options and variants in advance. Not everyone lives in a country where PayPal payments or credit cards are accepted. Some of these obstacles can be tackled by utilizing specialized third-party services that take care of them.
Increased costs
As more and more companies tend to organize Bug Bounty programs, there is more competition. You need to make sure that your program remains attractive to a wide audience. This might mean you are required to increase the (financial) rewards to stay relevant.
It’s also very likely that only the first period will yield the best submissions and that the success of your program will fade out later on. This can be because the lower-hanging fruit is found first and “hard to find” bugs take more time and effort. Keep in mind that judging complex bugs and/or security issues will take more time to process, thus also resulting in higher costs.
Setting things up
When you’ve decided to run your program, at least the following aspects are needed to set things up:
- Define the applications which are in scope and out of scope.
- Select the types of vulnerabilities which can result in a reward and which cannot.
- Clearly describe what is not allowed (for example, executing malicious code on production-grade systems or executing DDoS attacks).
- Describe how people should send their contributions and which structure to use when they send them to you.
- List any legal or compliance-related rules that apply within your country of origin and affect contributors worldwide.
Besides these items, it’s also crucial to build a team of professionals who participate in the program. This should be a mixed team consisting of security experts, application (domain) experts as well as people that handle incoming submissions, payments, etc. All in all, a varied group is needed to be successful here.
Structure
Contributors will definitely be helped by a clear structure in which they can submit their findings. Don’t just offer a free format, as this will result in a wide variety of submissions. It will be more difficult and time-consuming to process them, and you will likely miss information. Unstructured findings are more difficult to collect, compare, and store. All of this leads to extra time and costs on your side, and extended communication with your submitters.
Sometimes people have a hard time dealing with English as the most prominent language. This makes things even more difficult. It’s easy to be misunderstood and you might miss a great finding or lose the interest of the contributor. Even worse, your submitter can be disgruntled and complain about you in public. Protect your good reputation.
Expect the unexpected
Is your application ready to accept an unknown traffic surge when you fire up your bug bounty program? Don’t be surprised to face huge traffic loads that you need to deal with. It is extremely important to build a strong relationship with your submitters. In addition to that, first impressions count to keep people interested and to communicate that you’re taking things seriously. No one wants to spend time and effort on a program that fails right after the start.
Different levels
In terms of what to expect from your submitters: expect the unexpected. Some submissions are brilliant, some are plain simple and others you should just ignore. There are always folks who do not want to spend time and energy on your program: they just want your reward.
Once a new vulnerability is found, expect a large community to probe all websites that are likely to be vulnerable. Therefore, you might encounter lots of duplicate submissions. It is best to know upfront how to deal with those. First come, first served? And should you prove this when you hand out the reward? These are questions that demand clarity up-front.
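The intake rules described above (scope and rewarded vulnerability types from “Setting things up”, a fixed submission structure from “Structure”, and first-come-first-served duplicate handling from this section) as an added Python example; this is not code from the article, and the program policy, field names and sample reports are constructed assumptions:

```python
from urllib.parse import urlparse

# Constructed program policy (an assumption, not from the article): in-scope assets,
# vulnerability classes that are not rewarded, and the fields every report must contain.
IN_SCOPE = {"app.example.com", "api.example.com"}
EXCLUDED_TYPES = {"clickjacking", "missing-security-header", "rate-limiting"}
REQUIRED_FIELDS = ("id", "reporter", "submitted_at", "asset", "vuln_type", "endpoint", "steps", "impact")

def validate(report):
    """Return the policy violations; an empty list means the report goes on to triage."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not report.get(f)]
    if report.get("asset") and report["asset"] not in IN_SCOPE:
        problems.append(f"asset out of scope: {report['asset']}")
    if report.get("vuln_type") in EXCLUDED_TYPES:
        problems.append(f"vulnerability type not rewarded: {report['vuln_type']}")
    return problems

def fingerprint(report):
    """Normalise what makes two reports the same finding: asset, vulnerability class
    and endpoint path (host, query string, trailing slash and letter case ignored)."""
    path = urlparse(report["endpoint"]).path.strip("/").lower()
    return (report["asset"].lower(), report["vuln_type"].lower(), path)

def triage(reports):
    """Decide each report: rejected (policy), accepted (earliest valid report of a finding)
    or duplicate. Sorting by submission time makes the rule first come, first served."""
    first_seen, decisions = {}, {}  # fingerprint -> first report id; report id -> (status, reason)
    for report in sorted(reports, key=lambda r: r.get("submitted_at", "")):
        rid = report.get("id", "<no id>")
        problems = validate(report)
        if problems:
            decisions[rid] = ("rejected", "; ".join(problems))
        elif fingerprint(report) in first_seen:
            decisions[rid] = ("duplicate", f"same finding as {first_seen[fingerprint(report)]}")
        else:
            first_seen[fingerprint(report)] = rid
            decisions[rid] = ("accepted", "first valid report of this finding")
    return decisions

# Constructed samples: R-1/R-2 are the same finding (R-2 was earlier); R-3 out of scope; R-4 not rewarded.
SAMPLE_REPORTS = [
    {"id": "R-1", "reporter": "alice", "submitted_at": "2024-03-01T10:00:00", "asset": "api.example.com",
     "vuln_type": "idor", "endpoint": "https://api.example.com/v1/users/?id=42", "steps": "...", "impact": "..."},
    {"id": "R-2", "reporter": "bob", "submitted_at": "2024-03-01T09:30:00", "asset": "api.example.com",
     "vuln_type": "IDOR", "endpoint": "/v1/users", "steps": "...", "impact": "..."},
    {"id": "R-3", "reporter": "carol", "submitted_at": "2024-03-02T12:00:00", "asset": "blog.example.com",
     "vuln_type": "xss", "endpoint": "/search", "steps": "...", "impact": "..."},
    {"id": "R-4", "reporter": "dave", "submitted_at": "2024-03-02T13:00:00", "asset": "app.example.com",
     "vuln_type": "clickjacking", "endpoint": "/login", "steps": "...", "impact": "..."},
]
```

The recorded reason for a duplicate names the earlier report, which is the evidence you would show a submitter when explaining why the reward went to someone else.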
Inspiration
For those professionals that seek more inspiration, the following websites can help here:
- A great list of Bug Bounty programs and websites was published at the end of December 2023.
- Bug bounty programs from Microsoft as well as Google. Both offer a specific way to get you off the ground very quickly.
- Trustradius also offers a very complete list of the best bug bounty platforms, which includes HackerOne, Bugcrowd, and Bugbounter.
- If you seek practical examples, be sure to check out the website of HackerOne, which elaborates on this topic.
The above-mentioned items should give you enough information to make a decision: start or not.
Conclusion
Bug Bounty programs offer a great way to let the community find vulnerabilities in your precious applications. You need to think about the different aspects well in advance to make it a success. This includes the structure of submissions, the rewards, the generic rules and guidelines, as well as having a team ready to deal with the responses. Most Bug Bounty programs yield high traffic loads at the beginning of the program. Expect the unexpected, but also be ready to handle it swiftly.
Bug bounty programs are no replacement for Pen testing activities, but they can help you get more out of them. Last but not least, this article provided some resources to get valuable inspiration from respected companies.