I’ve worked in the security industry now for about seven years, and in the responsible disclosure space for the last two and a half years. In that time I’ve heard and answered just about every question regarding legal, compliance and regulatory controls around vulnerability disclosure and bug bounties.
Bugcrowd’s goal from the beginning has been to utilize an incredibly efficient platform to facilitate the responsible disclosure of security vulnerabilities between organizations and the researcher community. That having been said, we understand that working with an incredibly savvy workforce of independent talent may raise some concerns, and it may surprise you to learn that the same goes for the researcher community. So whether you yourself have concerns, or your internal legal department does, we want to arm you with both logical justification and legal safety nets to put your mind at ease.
At the beginning of this year we released our ‘Defensive Vulnerability Pricing Model’, which answers the question “what’s a bug worth?”. This guide outlines how much organizations should budget for crowdsourced security programs, and what reward ranges attract the right talent. In short, this guide, informed by tens of thousands of vulnerability submissions and years of running public and private crowdsourced security programs, sets the first market rates for security vulns by criticality, and organizations are now beginning to adopt this guidance.
During FS-ISAC last week, we had our ears to the ground, chatting with security folks about their concerns, challenges and hopes for application security testing and have set out to distill some of our observations and data to discuss the state of application security in the financial sector.
We recently published a comprehensive but abbreviated guide, 'Anatomy of a Bounty Brief', which explores each part of a bounty program brief and how organizations can write them more clearly and thoughtfully. We also recently wrote about how important it is to consider 'step zero' prior to launching your program - to ensure that your organization has the necessary resources and is fully prepared to run a successful program.
Once you've identified that you and your organization are ready to commit the necessary time and resources to running a bug bounty program, it's time to start building out your program brief - the first step of which is setting the program scope.
Posted originally by Stuart Hirst on Skyscanner's Code Voyager Blog
Skyscanner has a culture of innovation and continuous improvement. For our IT security function, the ‘Security Squad’, it is no different. External security testing had previously taken the form of standard penetration testing, which brought considerable value and helped improve security posture. However, our Squad wanted to look at new ways of testing the products that we help secure on a daily basis. In early 2015, we began to investigate the possibility of a crowd-sourced testing mechanism.
So you want to run a bug bounty program…
First off, congratulations! You’re on the cutting edge of security and are in good company, surrounded by giants such as Google and Facebook, who've run their own programs for years, as well as other innovators like Tesla, Pinterest, and Dropbox. Chances are, if you're considering starting your own program, you've started to think about what you want to test, and even what you might offer as rewards. Stop! Before you even start taking those steps, consider step zero.
To disclose, or not to disclose...
When it comes to disclosure, Bugcrowd encourages organizations and researchers to work together to share information in a coordinated and mutually agreed-upon manner. Our Standard Disclosure Terms and Researcher Code of Conduct outline our public disclosure policy, but each organization defines its own public disclosure policy for vulnerabilities reported through its bounty program. This document is intended to explain the disclosure options at Bugcrowd to both customers and crowd members.
We’ve proved here at Bugcrowd that traditional security assessments pale in comparison to leveraging a community of researchers. Today we want to talk about the options and benefits of our programs for both researchers and clients.