5 Keys to Successfully Running a Bug Bounty Program

Date posted: 07-Aug-2015

Transcript of 5 Keys to Successfully Running a Bug Bounty Program

  1. 5 TIPS FOR A SUCCESSFUL BUG BOUNTY. The premier platform for crowdsourced cybersecurity. casey@bugcrowd.com, jcran@bugcrowd.com
  2. All content (c) Bugcrowd Inc, 2014 - All rights reserved.
     The problem: without crowdsourcing, security is not a fair fight. (Slide graphic: "HACKED", repeated.)
  3. About your presenters
     - @caseyjohnellis: Founder and CEO, Bugcrowd. Recovering pentester turned solution architect turned sales guy turned entrepreneur.
     - @jcran: VP Delivery, Bugcrowd. Bugcrowd bounty hunter turned Bugcrowd employee. Former positions with @Rapid7, @Metasploit, @PwnieExpress.
  4. CONFIDENTIAL. DO NOT DISTRIBUTE.
     Why aren't you running one already?
     - "I don't have resources now, let alone to do this." Crowdcontrol was built to maximize the efficiency of a bug bounty, and we have a triage team of 8 people.
     - "I can't cap my spend." Bugcrowd Flex lets you run a point-in-time or ongoing bug bounty with a capped cost.
     - "I won't be able to pause or stop the program if I ever need to." We can route researcher traffic through the Crowdcontrol Sandbox for total control.
     - "Payments to all those countries would be a nightmare." It totally is. That's why we got good at it, so you don't have to.
     - "I won't be able to tell whether it's bounty traffic or an actual attack." The Crowdcontrol Sandbox gives a single source IP, so you can.
     - "I won't know who these people are." Bugcrowd's Elite tier have a proven track record on public bounties, and we vet them into that tier.
  5. Bug bounties are awesome, but hard.
  6. Bugcrowd at work: crowdsourced security to fit your needs.
     - Responsible Disclosure: free.
     - Flex Bounty: capped cost; ad-hoc or continuous; Elite tier researchers.
     - Bug Bounty: continuous testing; monthly fee + transaction fee.
  7. DOES IT WORK?

                            Traditional penetration test    Bugcrowd Flex
     Cost                   $20,000                         $20,000
     # of researchers       1                               349
     Manhours               80                              80 (in the first 8 elapsed hours)
     Vulnerabilities        5                               38
     P1 issues              0                               7

  8. The one mistake everyone makes: people assume that 80% of the work will go into dealing with the new vulnerabilities they've found out about. In fact, 80% of the work goes into dealing with the people. If you don't factor this into your planning, your program will fail.
  9. 5 Keys to a successful program
     - Prepare ahead of time
     - Align expectations
     - Communicate early and often
     - If you make a change, reward the submitter
     - Respect the researcher
  10. Preparation
     - A bug bounty will affect your entire organization.
     - Start with low rewards.
     - Accidental bug bounties are the worst.
     - Running out of budget on the program is no fun.
  11. Align expectations
     - A clear program brief is your first line of communication.
     - Proactively communicate what you'd like to see.
     - When processing submissions, you should be able to point to prior communication when rejecting or rewarding a submission.
     - The only time you'll have issues is if an expectation goes unmet.
  13. Communicate early and often
     - This is the mistake everyone makes: bug bounties are all about managing the researcher relationship.
     - Let the researcher know what to expect. Stick to your word.
     - In the absence of communication, suspicion is king.
     - It's not hard, but it requires diligence.
  14. Make a change, reward the submitter
     - Touch the code, pay the bug.
     - This has become a community norm.
     - It's a binary yes / no.
     - Even if it's out of scope.
  15. Respect the researcher
     - The researcher is taking a significant risk.
     - Many are inexperienced, some are not.
     - Treat everyone the same, even the researchers that don't provide valuable submissions.
     - Close the loop on all incoming submissions.
  16. Questions?
  17. Want a demo? Ping us!
  18. @caseyjohnellis and @jcran. https://bugcrowd.com. casey@bugcrowd.com, jcran@bugcrowd.com