Bugcrowd Blog

Starting a Bug Bounty Program, Step Zero

Posted by Grant McCracken on Apr 12, 2016 3:55:31 PM

So you want to run a bug bounty program…

First off, congratulations! You’re on the cutting edge of security and are in good company, surrounded by giants such as Google and Facebook who've run their own programs for years, as well as other innovators like Tesla, Pinterest, and Dropbox. Chances are, if you're considering starting your own program, you've started to think about what you want to test, and even what you might offer for rewards. Stop! Before you even start taking those steps, consider step zero.

We recently put out a guide that helps organizations set up clear and thorough bounty briefs for more successful programs. We also recently spoke at BSides Austin about how to set up and run a bounty program for maximum success. One thing that has come to our attention since is the importance of 'step zero.' Before even considering the scope or the desired goals of running a bounty program, you should ask yourself a basic question...

'Does my organization have the necessary resources and visibility to run a bounty program?'

 

1. You need warm bodies (or at least one)

Running a bounty program requires consistent, if not constant, attention, and to be successful it cannot be left on the back burner and then forgotten. 

Our bug bounty management platform, Crowdcontrol, makes it easier, but to give your program the attention it needs to succeed, you should have, at the bare minimum, one security expert who can dedicate a substantial portion of their time to owning it. Adding 'run the bug bounty program' to the workload of an already overworked, overloaded security professional will almost guarantee dissatisfaction among the bug hunters working on your program (slow response times, poor communication, etc.). If you don’t have someone who can dedicate sufficient time, you’ll either need to hire them or, if you're with Bugcrowd, enlist our professional services to enable your team's success.

Remember: running a bug bounty program is not the same as turning on a generic scanner whose results can be ignored until there’s time to address them, or commissioning a penetration test which delivers results on a predetermined date. Neglecting researcher submissions will do you no favors, and will undermine the potential success of your program.

2. Make sure you have visibility throughout your organization

Furthermore, know that running a bounty program doesn’t stop at that one person. It’s also critical that the entire organization is aware of the bounty program, and that policies are in place across departments.

First and foremost, you should have processes in place to ensure the timely processing and remediation of found issues, as well as guidelines for prioritizing them over existing work (for instance, what happens when the first P1 comes in). This will likely require working directly with multiple project owners, developers, and so on. And while it's most important that the technical folks are well informed and directed (don't forget to make sure your incident response team is aware, so they don't get 3am alerts and think they're actually getting hacked), it’s also important that you understand the extent to which this will affect other departments. For example, marketing or sales folks should be aware of testing on public website forms, customer service folks should be prepared to field related questions, etc.

Undoubtedly, there will be a learning process to all of this, but by at least being aware, and addressing as much as you can prior to launch, you can spare yourself more than a few headaches and some last-minute scrambling.

3. Know your attack surface

Lastly, before beginning a bug bounty program, and as you’re working towards taking it live, it is crucial to know your attack surface. It may sound unnecessary to call out, and should go without saying, but we cannot stress this enough. If you haven't done so already, doing an extensive audit of your apps and libraries will help you understand where and how you're vulnerable, and what is important to your business. That understanding will then help you plan for what you'll include and exclude from testing - ensuring more submissions are valuable to your organization.

Knowing and articulating your targets by clearly defining what is 'in scope' and 'out of scope' is the key to a successful program, as it will help focus researchers' testing efforts, and prevent incoming submissions on targets you forgot existed or don't want tested.

Once you have taken all these considerations into account, we recommend learning more about what it takes to write a successful bounty brief, including guidelines around scope, exclusions, rewards and more. Read our Anatomy of a Bounty Brief for additional information.

 



Written by Grant McCracken

Solutions Architect at Bugcrowd