The bug bounty lifecycle is a very fluid process, from strategic planning to program launch to learning from and iterating your program. Get the illustrated guide below:
Last week we talked about the first part of launching a bug bounty program–strategy and planning. Once your organization has aligned resources, set program goals, articulated testing scope, and determined rewards range, it's time to launch!
Bugcrowd supports all customers during the launch process and provides hands-on support throughout all programs. This post will dive into what to expect once you launch a bug bounty program.
#1: Receiving bugs
Once your program is live–public or private–you'll receive submissions almost immediately. Volume is often highest for the first several weeks, and you can expect higher volume and quality of findings than that of 'traditional' security assessments. While your team has visibility over all activity, Bugcrowd's technology and team of experts manage the entire vulnerability reporting process.
#2: De-duplication and initial triage
With the help of Bugcrowd's enterprise-grade platform Crowdcontrol, all bugs are filtered to identify only unique findings that are within the program testing scope. This process utilizes proprietary technology to eliminate false positives and deliver actionable results.
#3: Expert validation
With each of Bugcrowd's bug bounty solutions, you also gain access to hands-on management from in-house experts. All unique and in scope submissions are validated by one of Bugcrowd's in-house application security engineers. Once validated, we also provide a prioritization and reward recommendation based on our Vulnerability Rating Taxonomy (VRT) and your organization specific guidelines.
#4: Making payments
At this point, your team has received valid, ready-to-fix vulnerabilities with reward and prioritization recommendations. From there, your team can accept the recommendations, request more information, or alter the recommendation based on your individual context. Once verified, Bugcrowd's platform facilitates all payments via Paypal or Payoneer, saving your team the hassle of transferring currency globally and ensuring researchers are paid quickly and seamlessly.
#5: Prioritize fixes
Bugcrowd makes the bug bounty management process insightful and hassle-free so you're ready to remediate vulnerabilities with all the necessary information. Furthermore, Crowdcontrol integrates with tools such as JIRA, to bridge the gap between your program and your development team and remediate vulnerabilities faster.
#6: Remediate vulnerabilities
It goes without saying that the last step in this process is to fix vulnerabilities. Bug bounty programs provide incredible vulnerability feedback channels but require consistent upkeep. With a fully managed solution, you have all the information you need to accurately prioritize remediation within the appropriate teams.
Next week, we'll talk about learning from your bug bounty program and iterating it over time. To learn more about how bug bounty programs can support your SDL/SDLC, download our recent guide '4 Reasons to Build a Bug Bounty into your AppSec Strategy.'