We recently released State of Bug Bounty 2016 Report which aggregated data and trends from companies running bug bounty programs, and researchers participating in them. A major takeaway from the accompanying survey of security professionals was the response to 'What are your organization's apprehensions about running a bug bounty program?' The number one most popular answer was 'Not sure where to begin.'
To an extent this is to be expected, as bug bounties have only recently become popular. As more companies adopt this model and realize the value it brings, the market will continue to educate itself, with our help. One of our goals has been to catalyze this process by setting market standards for things like what a bug is worth, the priority rating of vulnerability types, and more. In that same vein, we're educating the market on how to get started with a bug bounty program and what the lifecycle of a bug bounty entails.
Bug Bounty Lifecycle:
The lifecycle of a bug bounty is broken down into five parts: program scoping, implementation, receiving bugs, remediating bugs, and iterating.
The first thing you and your company should do when evaluating the launch of a bounty program is to make sure you have sufficient resources to allocate to it and to get buy-in from internal stakeholders. Next, discuss the program goals unique to your business. Once you have established those goals, you're ready to begin writing your bounty brief by setting your in-scope targets, focus areas, exclusions, and incentive program. Download our resource on the Anatomy of a Bounty Brief.
Once your program brief has been clearly and thoughtfully articulated, spend time discussing processes with your development team. These processes may involve creating templates and workflows, or integrating with internal development tools. When everyone is on the same page, you're ready to launch and promote your program.
As submissions start coming in, triage is necessary to determine whether a vulnerability is valid, invalid, or a duplicate. Triage can be done by a designated in-house resource or by a third-party resource such as Bugcrowd. Submissions marked valid are then prioritized by how critical they are, and researchers are rewarded or credited accordingly. Read more about 'What's A Bug Worth.'
Valid bugs must then be fed back into your development lifecycle and prioritized by criticality and in relation to existing workload. It is crucial that you work with your development team to understand the implications of the vulnerabilities at hand and the steps needed to implement fixes, either ad hoc or in the next code push.
Learning + Iterating:
Because testing is continuous, it is important to reassess results and goals continually, adjusting your program to meet those targets by redistributing resources, improving rewards, or running additional programs, such as a time-boxed, capped-cost Flex test. This continuous testing is also an excellent opportunity to learn to write better, more secure code.
To better understand the many variables affecting bug bounties and the bug bounty ecosystem, download our recent report on the State of Bug Bounty.