In the last installment of The Personalities that Put the “Crowd” in Bugcrowd (Part 2 of 3), I discussed the “Full-Timer” and “Virtuoso” personality types as part of the five distinct personalities that make up our crowd of nearly 70,000 security researchers. As stated previously, it's important to understand researcher motivations if you intend to run a successful bug bounty program. And to that end, I will be covering the final personality type in this post: the “Protector”. If you want to learn more about all five personalities - along with other interesting data and metrics about our crowd - check out our Inside the Mind of a Hacker 2.0 report. With that - let’s dive in!
If your mind immediately goes to The Avengers when you hear the term “Protectors” - well, you’re not very far off the mark. This group of remarkable people fights in the (Infinity) War on bugs so as to find the vulnerabilities that your scanners never could. Put simply, they come from the internet - and they are here to help. Unlike the other personality types, who might hunt bugs for fame, fortune, knowledge, or the thrill of the challenge, Protectors seek to find and disclose bugs because they want to make the internet a safer place for everyone.
So what drives these altruistic avengers to fight against the forces of bad coding? For one thing, many of these individuals came of age at around the same time as the internet; because of their experience growing up “online”, the internet gives off that nostalgic sense of “home” - and nobody takes kindly to villains attacking their home turf. There’s also a certain sense of satisfaction that comes from doing good on behalf of others, and that feeling drives the Protector to help companies identify and remediate vulnerabilities. In fact, many of these researchers donate their earnings from bug bounties to charity, taking an already good deed and maximizing the positive outcomes. These motivations are known to draw Protectors’ attention to programs, both public and private, that have been running for some time, and will keep them hunting on such programs longer than most other personality types.
So how do you draw a Protector’s attention to your applications? If your program has a high potential for finding valid bugs, and a broad enough scope, then Protectors will feel right at home when testing your applications. Furthermore, if your program has challenging targets that other researcher personalities found difficult, Protectors will often manage to drag out serious vulnerabilities that move to the very top of your remediation list. With a Protector hunting on your program, bugs in your code will have far fewer places to hide.
Looking in the Mirror
In reflecting upon the various personalities I have described over this 3-part series, I would say that no individual presents with just one given personality, and I myself am no exception. At a young age I began my path into information security as an enterprising juvenile delinquent with too much free time and a 28.8 Kbps modem. At that stage of my life, I would attribute much of my antics to reckless adventures and knowledge-seeking behavior on the Internet, something I did largely as a hobby to fill the time. What’s more, I could get away with it because logging anything beyond authentication and/or financial transactions was expensive.
Now, if you’ve been reading along with this series, you’ll probably recall the comment I made in the first article about why Knowledge-Seekers paint within the lines when testing, or the one in the second article where I stated that the plummeting cost of disk space has changed the history of security testing for the better. I made these comments because I can state with full confidence that, if I were to partake today in the kind of reckless adventures I had in my youth, I would very likely end up in serious trouble. Simply put, when you combine the plummeting cost of disk space with the ability to log and search all activity, there is a high probability that any misadventures will be caught. Bearing this in mind, and with modern laws being what they are, bug bounty programs have become an alluring venture for security researchers of all ages, experience levels, and motivations.
When you build your program with Bugcrowd, being cognizant of the different personality types will help you draw in the right mix of crowd personas, keeping your program going strong for the long haul. Be thoughtful when scoping your program: scoping it too tightly could kill researcher interest before it gets off the ground, while scoping too broadly at the outset could kill relationships with your company’s development team. Also, don’t be afraid to communicate with your researchers who have produced triaged vulnerabilities! If anything, being transparent and communicative will keep them testing for other bugs on your program while you prioritize current findings.
In closing, if I could give advice directly to any company looking at starting a bug bounty program, it would simply be this: be transparent, be communicative, and strive to be understanding of the researchers you are working with. These researchers are stepping forward with the right set of ethics to provide you with vulnerability findings that improve the security of your organization. Reward them, thank them, encourage them, and invite them to keep coming back for new challenges - if you do, everybody can win in the War on Bugs.
Thank you for following along with this series on the personalities that put the “crowd” in Bugcrowd. If you’ve enjoyed this series, let us know on Twitter @Bugcrowd - and tell them you want @andMYhacks to write more blog posts ;-)
Until next time - I’ve been Keith “andMYhacks” Hoodlet; Cheers!