5 Keys to Successfully Running a Bug Bounty Program

Transcript
Page 1: 5 Keys to Successfully Running a Bug Bounty Program

5 Tips for a Successful Bug Bounty

The premier platform for crowdsourced cybersecurity.


Page 2: 5 Keys to Successfully Running a Bug Bounty Program

All content (c) Bugcrowd Inc, 2014 - All rights reserved.

The problem

Without crowdsourcing, security is not a fair fight.

[Slide graphic: a wall of repeated "HACKED" headlines]

Page 3: 5 Keys to Successfully Running a Bug Bounty Program


About your presenters

@caseyjohnellis
Founder and CEO, Bugcrowd
Recovering pentester turned solution architect turned sales guy turned entrepreneur

@jcran
VP Delivery, Bugcrowd
Bugcrowd bounty hunter turned Bugcrowd employee.
Former positions with @Rapid7, @Metasploit, @PwnieExpress

Page 4: 5 Keys to Successfully Running a Bug Bounty Program


Why aren’t you running one already?

“I don’t have resources now, let alone to do this.”

Crowdcontrol was built to maximize the efficiency of a bug bounty, and we have a triage team of 8 people.

“I can’t cap my spend.”

Bugcrowd Flex lets you run a point-in-time or ongoing bug bounty with a capped cost.

“I won’t be able to pause or stop the program if I ever need to.”

We can route researcher traffic through the Crowdcontrol Sandbox for total control.

“Payments to all those countries would be a nightmare.”

It totally is. That’s why we got good at it, so you don’t have to.

“I won’t be able to tell whether it’s bounty traffic or an actual attack.”

The Crowdcontrol Sandbox gives a single source IP, so you can.

“I won’t know who these people are.”

Bugcrowd’s Elite tier have a proven track record on public bounties, and we vet them into that tier.
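The "single source IP" answer above is what makes bounty traffic separable in your own logs. The script below is an added example, not Bugcrowd code or a Crowdcontrol feature: it assumes the program's researcher egress range is known in advance (here the constructed placeholder 203.0.113.0/24 from the TEST-NET-3 documentation block), that the web server logs in Apache/nginx "combined" format, and that the logged client address is the real TCP peer (if a reverse proxy or CDN sits in front, take the client address from a forwarded-for header only when it was set by a proxy you trust). It generalizes the slide's single IP to a list of networks, and it tags rather than suppresses, so an attack that happens to coincide with the test is still counted.

```python
"""Tag web-server requests as bounty traffic or external, by source address.

Added example, not Bugcrowd code. The egress range, the sample log lines
and the helper names are all constructed for illustration.
"""
import ipaddress
import re
from typing import Iterable, Optional

# Constructed placeholder for the researcher egress range agreed with the
# bounty platform; replace with the range you were actually given.
BOUNTY_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Apache/nginx "combined" format up to the status code; referer and
# user-agent are not needed for attribution, so they are left unparsed.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: two identical-looking injection probes, one from
# the egress range and one from elsewhere, a forbidden POST, and junk.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2014:13:55:36 +0000] "GET /login?user=%27%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "curl/7.35"',
    '198.51.100.23 - - [10/Mar/2014:13:55:40 +0000] "GET /login?user=%27%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "python-requests/2.2"',
    '203.0.113.9 - - [10/Mar/2014:13:56:01 +0000] "POST /api/v1/reset HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    "garbage line that does not match",
]


def classify_request(line: str, networks=BOUNTY_NETWORKS) -> Optional[dict]:
    """Parse one access-log line and tag it 'bounty' or 'external'.

    Returns None for lines that do not parse or carry an unparsable address,
    so the caller can count them instead of silently dropping them.
    """
    m = _LOG_RE.match(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    source = "bounty" if any(addr in net for net in networks) else "external"
    return {
        "ip": str(addr),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "source": source,
    }


def summarize(lines: Iterable[str], networks=BOUNTY_NETWORKS) -> dict:
    """Count requests per source label.

    Both labels are still emitted downstream; only the tag differs, so a real
    attack running during the bounty is not hidden by the allowlist.
    """
    counts = {"bounty": 0, "external": 0, "unparsed": 0}
    for line in lines:
        rec = classify_request(line, networks)
        if rec is None:
            counts["unparsed"] += 1
        else:
            counts[rec["source"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_request(line))
    print(summarize(SAMPLE_LOG))
```

In a SIEM the same idea is an enrichment rule: add a `source=bounty` field when the client address is in the agreed range, then route those events to the bounty triage queue and everything else to the normal alert path. The label should never be the only control that decides an event is benign.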

Page 5: 5 Keys to Successfully Running a Bug Bounty Program


bug bounties are awesome, but hard.

Page 6: 5 Keys to Successfully Running a Bug Bounty Program


Bugcrowd at work: crowdsourced security to fit your needs

Responsible Disclosure
  Free

Flex Bounty
  Capped cost
  Ad-hoc or continuous
  Elite tier researchers

Bug Bounty
  Continuous testing
  Monthly fee + transaction fee

Page 7: 5 Keys to Successfully Running a Bug Bounty Program


Does it work?

                      Traditional penetration test    Bugcrowd Flex
Cost                  $20,000                         $20,000
# of researchers      1                               349
Man-hours             80                              80, in the first 8 elapsed hours
Vulnerabilities       5                               38
P1 issues             0                               7

Page 8: 5 Keys to Successfully Running a Bug Bounty Program


the one mistake everyone makes

• People assume that 80% of the work will go into dealing with the new vulnerabilities they’ve found out about.

• 80% of the work goes into dealing with the people.

• If you don’t factor this into your planning, your program will fail.

Page 9: 5 Keys to Successfully Running a Bug Bounty Program


5 Keys to a successful program

• Prepare ahead of time

• Align expectations

• Communicate early and often

• If you make a change, reward the submitter

• Respect the researcher

Page 10: 5 Keys to Successfully Running a Bug Bounty Program


Preparation

• A bug bounty will affect your entire organization

• Start with low rewards

• Accidental bug bounties are the worst

• Running out of budget on the program is no fun

Page 11: 5 Keys to Successfully Running a Bug Bounty Program


Align expectations

• A clear program brief is your first line of communication

• Proactively communicate what you’d like to see

• When processing submissions, you should be able to point to prior communication when rejecting or rewarding a submission

• The only time you’ll have issues is if an expectation goes unmet

Page 12: 5 Keys to Successfully Running a Bug Bounty Program


Page 13: 5 Keys to Successfully Running a Bug Bounty Program


Communicate early and often

• This is the mistake everyone makes:

• Bug bounties are all about managing the researcher relationship

• Let the researcher know what to expect. Stick to your word

• In the absence of communication, suspicion is king

• It’s not hard, but requires diligence

Page 14: 5 Keys to Successfully Running a Bug Bounty Program


Make a change, reward the submitter

• “Touch the code, pay the bug”

• This has become a community norm

• It’s a binary yes / no

• Even if it’s out of scope

Page 15: 5 Keys to Successfully Running a Bug Bounty Program


Respect the researcher

• The researcher is taking a significant risk

• Many are inexperienced, some are not

• Treat everyone the same. Even the researchers that don’t provide valuable submissions

• Close the loop on all incoming submissions

Page 16: 5 Keys to Successfully Running a Bug Bounty Program

Questions?

Page 17: 5 Keys to Successfully Running a Bug Bounty Program

Want a demo? Ping us!!!