The new year is a great time to reflect on the past year and set new goals for the year ahead. To help the Bugcrowd community achieve success in 2017, we've outlined a few New Year's resolutions for bug hunters and bug bounty program managers. Have other resolutions? We want to hear what they are! Tweet us.
For bug hunters...
1) Increase your odds
Bug hunting is all about being the first to find a bug. Sometimes skills alone aren’t enough. Preparation, consistency, perseverance and due diligence are also crucial. Here are a few tips on successful bug hunting…
- Understand the prioritization of bugs. Our Vulnerability Rating Taxonomy is a great baseline, but always read the bounty brief to get specifics and exclusions.
- Thoroughly read bounty briefs. The bounty brief is not only the rulebook but also a wealth of insight, guiding you to what you should focus on and what you should avoid within any given program.
- Many of our programs are not public but are invitation-only. Gaining access to these private programs is a great way to increase your odds of finding more valid and unique bugs. Learn more about getting invitations to private programs.
- Furthermore, some programs require ID verification. You can increase your private program invitations by getting ID verified.
2) Maximize bounty payouts
In addition to being prepared to find more vulnerabilities, there are simple ways to improve and maximize your bounty payouts...
- Write better POCs. It is incredibly important to articulate your work clearly. Use simple language and attach screenshots or video to your submission. By ensuring that your work is understood, you optimize your chances of getting paid for it. This post by PlanetZuda is a great resource.
- On that note, continue to learn from others. We recommend that all of our researchers, from beginners to experts, study the methodologies of other successful bug bounty hunters. Check out this post that includes tips from top hackers.
- Here's a great post on how to fit bounties into your schedule and maximize payouts.
3) Stay up-to-date with the bug hunting community
The bug bounty space is changing rapidly, with new program launches and updates weekly. We make it easy to stay up to date, but you should do your part as well.
- If you want to stay updated on specific programs, be sure to subscribe to get alerted when rewards or targets are updated. Learn more about program updates.
- Getting involved in our quarterly researcher promotions is also a great way to learn a new skill and be eligible to win some extra cash. Check out our last one, focused on thick-client applications.
- Follow @Bugcrowd on Twitter and join our community IRC channel #Bugcrowd on Freenode.
For bounty program owners...
1) Get to know your researchers
As you’re running and managing your bug bounty program, keep in mind the motivations of researchers. Based on your program goals, tweak your program to incentivize different types of researchers with different skill sets…
- Learn more about the Bugcrowd community in our recent guide, Inside the Mind of a Hacker.
2) Understand your KPIs
It’s important to monitor the results of your program so you can improve your secure coding practices, give your executive board benchmarks, and strengthen your security.
- Use our newly improved ‘Insights Dashboard’ to your advantage to understand what kinds of bugs are being reported, manage your spend, and adjust your program accordingly.
- One of the most important key performance indicators driving consistent success in bounty programs is response time. The faster a bug hunter hears from you and receives payment, the more time they will spend on your programs, and word travels fast...
3) Level up your program
Bounty programs should never be stagnant. To achieve consistent success, meet organizational goals, and gain attention from top talent, you should constantly keep an eye on your program. This may mean increasing your reward range over time, adding new targets to your scope, or running a special campaign to elicit attention on certain applications...
- Many of our customers have done this. Check out Indeed’s story, why Jet.com increased rewards, and how Aruba has evolved its program over time.
This resolution applies not only to bug hunters and bounty program owners but all members of the InfoSec community...
We're building this community together and we all can make a positive impact.
Every day we can work together to build a more respectful, empathetic and empowering security community. Each of us has experience and expertise that we can share to better the collective whole. We all want to be respected, appreciated, and successful, and keeping this in mind is a good first step. By helping and respecting one another, we can achieve even greater success in the new year.
We wish you all a prosperous and exciting 2017!