5 Reasons NOT To Start a Bug Bounty Program: Real Talk with HackerOne

hackerone.com @hacker0x01

Transcript of 5 Reasons NOT To Start a Bug Bounty Program: Real Talk with HackerOne


Who is this guy?


● Adam Bacchus

● Work

○ Pentester (~4 yrs)

○ Google (~4 years)

○ Snapchat (~1 year)

○ HackerOne

● Play

○ Gaming

○ Playing with fire


What is a bug bounty program?



5 reasons NOT to start a bug bounty program


1. Who are these hackers? Can I trust them?

2. It’ll be a PR disaster!

3. It’s a budgeting black hole!

4. We don’t have bandwidth to start and run a bounty program!

5. (??? to be revealed later ???)

#1 - Who are these hackers? Can I trust them?

● Anyone from across the world!

● Student hackers

● Professional hackers

● Casual hackers

● Young, old, all genders, all races - everyone


● Why do they hack?

○ Intellectual curiosity

○ Recognition

○ It’s the “right thing” to do

○ Financial rewards

○ Helping protect brands they like

○ Satisfaction from improving security


Reality check:

1. Vulnerabilities are inevitable.

2. Hackers are gonna hack.

3. Give them the opportunity to do the right thing!


● What if they go outside of scope?

● What if they leak vulnerability details?

● What if they use what they found as a weapon against me?


What if they go out of scope?

● First step - create a “rules page,” AKA your “security page”

● What’s in scope? What’s out of scope?

● How do they contact you?

● Are you offering rewards?

● Rules page is an iterative process
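The in-scope / out-of-scope section of the rules page is the first thing a triager checks on every incoming report, so it pays to write it in a form that can be checked mechanically. The following Python helper is an added example, not code from the HackerOne deck or from HackerOne's own tooling: it models a rules page as hostname patterns (exact hosts and `*.` wildcards), lets out-of-scope entries override in-scope ones so a program can open a whole wildcard and still carve out individual hosts, normalises whatever a reporter pastes (URL, port, mixed case, trailing dot) before matching, and refuses to be fooled by lookalike domains. The policy, hostnames and sample report are constructed for illustration.

```python
"""Scope check for incoming bug bounty reports.

Added example, not from the HackerOne deck or HackerOne's own tooling: it turns the
"what's in scope / what's out of scope" section of a rules page into a policy the
triager can check mechanically. The patterns, hostnames and sample report below
are constructed for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class ScopePolicy:
    """Hostname patterns copied from the rules page. A pattern is either an exact
    hostname ('api.example.com') or a wildcard covering every subdomain
    ('*.example.com'). Out-of-scope entries always win over in-scope ones, so a
    program can open a whole wildcard and still exclude individual hosts."""
    in_scope: list[str]
    out_of_scope: list[str] = field(default_factory=list)


def _hostname(asset: str) -> str:
    """Normalise a URL or bare host to a lowercase hostname: strips scheme, port,
    path, userinfo and a trailing dot, so 'HTTPS://API.Example.com:8443/v1' and
    'api.example.com' compare equal."""
    if "://" not in asset:
        asset = "https://" + asset          # urlsplit needs a scheme to find the netloc
    host = urlsplit(asset).hostname or ""
    return host.lower().rstrip(".")


def _matches(host: str, pattern: str) -> bool:
    """Match one hostname against one rules-page pattern.
    '*.example.com' covers 'a.example.com' and 'a.b.example.com' but not the apex
    'example.com' itself (list the apex separately) and not lookalikes such as
    'notexample.com' or 'example.com.attacker.net'."""
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                # '*.example.com' -> '.example.com'
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def classify(policy: ScopePolicy, asset: str) -> str:
    """Return 'in_scope', 'out_of_scope', 'unlisted' or 'invalid' for one asset."""
    host = _hostname(asset)
    if not host:
        return "invalid"
    if any(_matches(host, p) for p in policy.out_of_scope):
        return "out_of_scope"               # exclusions take precedence
    if any(_matches(host, p) for p in policy.in_scope):
        return "in_scope"
    return "unlisted"                       # neither listed: the rules page should state the default


def triage_report(policy: ScopePolicy, assets: list[str]) -> dict:
    """Classify every asset a report names and summarise the result for the on-duty triager."""
    per_asset = {a: classify(policy, a) for a in assets}
    verdicts = set(per_asset.values())
    if verdicts == {"in_scope"}:
        summary = "in_scope"
    elif "out_of_scope" in verdicts:
        summary = "out_of_scope"            # testing touched an excluded asset
    else:
        summary = "needs_review"            # unlisted or invalid asset, or an empty report
    return {"summary": summary, "assets": per_asset}


# Constructed sample policy (hypothetical hostnames).
POLICY = ScopePolicy(
    in_scope=["*.example.com", "example.com", "api.example-app.net"],
    out_of_scope=["legacy.example.com", "*.staging.example.com"],
)

if __name__ == "__main__":
    # Constructed sample report naming several assets.
    report_assets = [
        "https://api.example.com/v1/users",   # in scope via wildcard
        "EXAMPLE.COM.",                       # apex, normalised
        "legacy.example.com",                 # explicit exclusion
        "db.staging.example.com",             # wildcard exclusion beats wildcard inclusion
        "https://example.com.attacker.net/",  # lookalike, unlisted
    ]
    result = triage_report(POLICY, report_assets)
    for asset, verdict in result["assets"].items():
        print(f"{verdict:13} {asset}")
    print("summary:", result["summary"])
```

The "unlisted" verdict is deliberately separate from "out_of_scope": a host that is not on the rules page at all is the case that causes the most misunderstandings, and the page should say explicitly how such reports are handled rather than leaving the triager to decide case by case.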


Transparency is key! Transparency reduces misunderstandings.


What if they leak vulnerability details?

● Set the “rules of the road” in your security page

● No disclosure until the bug is fixed! Otherwise, you’re outta here

● When are bounties paid?

● Incentives + negative impact

○ Loss of reputation for the hacker

○ Other companies won’t want to work with them


What if they use what they found as a weapon against me?

● Hackers are gonna hack; it’s a race between good and evil

○ Truly evil hackers aren’t going to bother with your bug bounty

○ Encourage friendly hackers to find and report bugs first

● Clearly state to use test accounts only in your security@ page

○ Hacking other users is not allowed!

● Outline the limits of testing in your security@ page

○ How far should/shouldn’t a hacker go with a PoC?


Did I mention transparency yet? :)

#2 - It’s a budgeting black hole!

● I don’t know how much budget I need for bounties!

● This sounds like it costs a ton of money! What’s my ROI?

I don’t know how much budget I need for bounties!

● Start small! Ensure your scope is well-defined

● Figure out your bounty pricing structure

● Think of vulnerability types and scopes that matter most to you

○ These areas should have higher rewards

○ Healthcare? Bugs that expose patient data

○ Financial? Bugs that alter financial data

○ Advertising? Bugs that impact daily revenue

○ etc.


● Consider starting with a “private” / invite-only program first

● Test the waters

● Avg. bounty based on HackerOne data = $500 per bug

● Check out similar bug bounty programs to see how they structure pricing


This sounds like it costs a ton of money! What’s my ROI?

● What’s more expensive - getting breached, or getting a heads-up from a friendly hacker?

● Data from bug bounty programs helps you identify gaps in your SDLC

● Positive security PR by virtue of even having a bounty program

● HackerOne has ROI tools to walk you through this; contact [email protected] for more info

The Dept. of Defense paid $5 million+ over three years to a single vendor which found < 10 vulns. Hack the Pentagon bug bounty program cost $150k and resulted in 138 valid vulnerabilities. That’s 14x output for 1/33 the cost!

#3 - We don’t have bandwidth!

● Our security team is already swamped, how can we find time to run a bounty program?

● We have a hard enough time getting developers to fix security bugs in a timely manner today, and you want me to pile more security bugs on top of that?


Our security team is already swamped, how can we find time to run a bounty program?

● It definitely takes time

● Initial launch will have the biggest flood of reports

● Consider a “private” / invite only program to start out


● Set up a weekly on-duty/interrupts rotation

● Primary on-duty is responsible for responding to all reports

● Share the operational load, prevent burnout

● Depending on volume, assume 20 hrs / week initially

● Otherwise, you can pay to play

○ HackerOne offers various levels of managed service for triaging reports, managing bounties, etc.


We have a hard enough time getting developers to fix security bugs in a timely manner today, and you want me to pile more security bugs on top of that?

● Engage early with your dev team; “bugs are coming”

● Bugs are live in prod and were found by a friendly hacker

● This means an evil hacker could find it too

● Provides real world motivation for more timely remediation

● Improve security culture and priority throughout the org


● This is a new stream/source of bugs

● Tie-in to your existing vulnerability management processes

● Ensure the impact of the issue is clearly communicated

○ Classify severity of the issue (ease of exploit, impact, what’s affected, etc.)


● If devs have questions, be the glue between them and the hacker

● Create incentive programs for devs, celebrate:

○ Fastest fixers

○ Cleanest code

○ Most improved

○ etc.

#4 - It’ll be a PR disaster!

● Isn’t having a bug bounty program the same as admitting we can’t handle security ourselves? It makes us look weak!

● What if we disagree with a hacker and they go to the media?

● My PR team would never allow us to do something like this!


I mean, nobody does this stuff!


...and even if they do, no one talks about it


Who would publicly state they wanted help from hackers?


Isn’t having a bug bounty program the same as admitting we can’t handle security ourselves? It makes us look weak!

● It’s impossible to catch everything yourself

● Bug bounty programs let friendly hackers work with you to help identify issues before the bad guys do

● Big names have public programs - they are a best practice

○ Not having a program puts you behind the race

● Even the US DoD invited hackers to Hack the Pentagon!


What if we disagree with a hacker and they go to the media?

● Transparency and high quality comms to keep things smooth

● Invariably you’ll have an outlier wanting to go public on a non-issue

● If it’s truly a non-issue, the hacker will end up looking silly


My PR team would never allow us to do something like this!

● Having a publicly facing bug bounty program is actually a source of great security PR

● Your public bug bounty program is a public track record of your commitment to security

● Security is a competitive differentiator

● Need to ensure PR understands how bug bounties work

● Show them examples of positive security PR from bug bounty programs (e.g. Hack The Pentagon)

#5 - ???

● Alright, the fifth reason NOT to start a bug bounty program… (drumroll please)

#5 - I don’t know where to start!

● Maybe you’re convinced - you’re ready to start a program… but how?

● There are a ton of resources out there to get started

● Lots of great existing examples...


Example: Uber’s rules page - hackerone.com/uber


Example: Twitter’s rules page - hackerone.com/twitter


● HackerOne’s “Hacktivity” feed: https://hackerone.com/hacktivity/popular

● Collin Greene’s blog on bug bounty programs: https://hackerone.com/blog/bug-bounty-5-years-in-uber-facebook

● Creating a private team on HackerOne: https://hackerone.com/teams/new

● Crafting your security page: https://hackerone.com/blog/Bug-Bounty-or-Bust-Crafting-Your-Security-Page



So… why shouldn’t you start a bug bounty program?


1. Who are these hackers? Can I trust them? Friendly hackers are your friends!

2. It’ll be a PR disaster! Bug bounty programs increase your security PR stature

3. It’s a budgeting black hole! Estimate your budget and start small

4. We don’t have bandwidth to start and run a bounty program! Sell the ROI to get buy-in on necessary resources, build a great structure around operational coverage

5. (??? to be revealed later ???) Get started!


Conclusion


Thanks for watching!

1. HackerOne’s “Hacktivity” feed: https://hackerone.com/hacktivity/popular

2. Collin Greene’s blog on bug bounty programs: https://hackerone.com/blog/bug-bounty-5-years-in-uber-facebook

3. Creating a private team on HackerOne: https://hackerone.com/teams/new

4. Crafting your security page: https://hackerone.com/blog/Bug-Bounty-or-Bust-Crafting-Your-Security-Page

Twitter: @sushihack