Is your company prepared to launch a program?

When considering launching a bug bounty program, there are a number of prerequisites that should be taken into account. First and foremost, start with the basics: something simple, such as advertising an email address on a disclosure page to ingest reports. On the inside, knowing where to route reports is key to resolving them. If your security team hasn't built those crucial relationships with internal owners, you will have a tough time closing reports. Communication with researchers is also essential. They are humans, after all, and as such they will appreciate a thank you and an acknowledgement. Additionally, in the modern days of software engineering and continuous deployment, your organization may not have a mature SDLC. However, once you are receiving reports, you can use that data to help mold one, provide training for weak or high-volume areas, and spend more bandwidth on security design for components where reports are repeated. Most importantly, make sure you have the bandwidth or external resources available to validate, communicate, and triage reports. More detail on guidelines can be found online via ISO 29147 and ISO 30111.
Costs: Don't shoot for the stars right away

Offering company swag might encourage some researchers. Even $20 USD goes a lot further than you might think. Start small to test the waters and increase payouts slowly. Even as you raise payouts, you can't guarantee you'll have thousands of eyes looking at your project. Remember, bug bounty programs are meant to complement your overall security program, not replace it. Consider using your bug bounty payouts to help narrow the focus area of an internal pen test.
Backfiring!

Ensure your security team and PR team are prepared to respond should a researcher go rogue and disclose their findings publicly. As part of your program initialization, regular communication with PR on higher-profile reports is good practice. From experience, there are instances where having a response prepared ahead of time would be highly valuable.
Scoping

Start small, and be product specific. Throwing everything into scope, including your Bluetooth toaster, is a bad idea because it dilutes researchers' attention and makes triage more difficult to handle internally if bandwidth is limited. Other complications include being flooded with duplicate reports in each area of the project's scope. As submissions quiet down and payouts become more predictable, broadening the program becomes less of a headache and far more manageable.
Choosing the right bug bounty platform

In more mature environments, running your own program and platform is feasible. There are also a number of SaaS platforms on the market, in addition to open source platforms like Bugzilla. Both options require in-house resources to maintain the operational aspects. Specifically, there are three major SaaS platforms I can speak to with regard to their merits and their main differentiating points. All three offer a web portal where you can ingest reports, respond to researchers, and pay them out. With the exception of one, they also offer SAML integration, the modern (and preferred) way to authenticate and authorize users on the platform.
Bugcrowd

Bugcrowd offers a few features that set it apart from the others. These include the following:
- Sandboxed testing: Using proprietary VPN technology, Bugcrowd's programs allow researchers to reach specific program content only through the Bugcrowd portal. This, in turn, gives you more precise control over what a researcher can and can't access in the program.
- Flex programs: These bounties are typically of shorter duration with a capped expenditure, which means you can limit the costs associated with the scoped content and thereby rival traditional outsourced pen tests.
- Managed platform: In resource-constrained environments, you may wish to outsource parts of your program. With this product, your program reports are directly triaged by Bugcrowd analysts.
HackerOne

Here are the features offered by HackerOne:
- Hackbot machine learning: This HackerOne-only feature offers automated de-duplication of reports and can even associate bugs with existing publicly known reports to facilitate closure. Think Clippy, but far more resourceful and infinitely less annoying.
- Hands-on program development: In addition to hosting a platform to manage your program, HackerOne also offers staff training and will help you develop your program from scratch. This is a huge benefit to those wanting white-glove treatment. (Additionally, if you're resource strapped, HackerOne can set you up with a third-party consultant such as NCC Group or Bishop Fox to assist in program management.)
Synack

Finally, Synack has the following features to offer:
- More traditional pen testing with a private crowd: Synack puts a lot of emphasis on background checks and the quality of its researchers, vetting them before allowing them into the Synack Red Team. This is a great option for those with requirements on researchers' identities and more stringent confidentiality agreements with a group of researchers within a legal framework.
- Enterprise focus: Synack caters more to the enterprise on the strength of these frameworks. Like HackerOne, Synack also offers high-touch features, including the ability to have an expert provide debriefs on severely exploitable vulnerabilities.
- Subscription model: Similar to Bugcrowd's Flex program, Synack can run a program for items in scope at a flat rate. This makes it easy to integrate the cost into running an overall program.
Conclusion

With all of this in mind, it is important to remember how crucial it is to be prepared to take in and respond to reporters. Without this simple process, all you've created is a no-reply email address for researchers. If you perform due diligence prior to launch, you'll find the program not only efficient in resourcing but also an effective tool in your overall security program.