Talented hackers are the key ingredient for any successful bug bounty program. They find the most interesting and severe bugs, have high technical abilities, intense curiosity, and an eye for anomalies.
Bug bounty programs are competitive, with new challenging programs launching daily. Whether you are new to managing a bug bounty program or have years of experience, your bug bounty program needs to stand out to attract the top hackers.
Here are 5 tips for attracting the best hackers:
1. Go Beyond The Bounty
Award your best performing hackers. This sounds simple and logical in concept, but is harder to achieve in reality. Your top hackers are dedicating countless hours examining your software for vulnerabilities. Let them know they are appreciated. Here are a few examples of creative ways the most competitive teams reward their best hackers beyond paying bounties:
- Send limited edition swag to top hackers
- Co-author a blog post with a hacker who submitted a severe vulnerability
- Create a Twitter handle for your security team to praise hackers and highlight well written reports
- Fly in your top hacker to come and speak to your development teams
2. Pay Bounties At The Time Of Triage
Top hackers submit more reports to responsive programs. I’ve never spoken to a hacker who didn’t greatly appreciate fast turnaround and bounty payment. Paying bounties at time of triage is one way to increase hacker loyalty and repeat participation in your program. When you award a bounty at the time of triage, it signals to the hacker that you are prioritizing their reports. There are plenty of programs that wait until fix time to award bounties; if you want to get ahead of this curve, pay at time of triage.
3. Increase Your Rewards Over Time
The most competitive teams reevaluate their bounty prices regularly. We recommend you review your bounty prices every 6 months. Over time your bounty minimum may increase or decrease, but ‘medium’ and ‘severe’ bounty payments should be consistently increasing to reflect your improved security. As your program matures, it will take more effort and time for hackers to find severe vulnerabilities, plus there are always shiny new programs launching which attract the attention of hackers with something fresh and interesting. The most competitive programs consistently increase bounties over time.
4. Set Clear Expectations Up Front
This may seem like a no-brainer, but I see many companies that don’t take the extra step to clearly articulate expectations in their policy. The most competitive programs use the scope to guide hackers to where they need their help the most. Being honest and transparent, and sharing as much as possible up front with hackers, sets the tone for your program. We also recommend sharing very clear expectations for average first response time, average resolution time, average time to bounty, and expected bounties by vulnerability type or severity. This information is already accessible in your HackerOne Dashboard. If your team isn’t comfortable sharing exact numbers for response times and bounties, use a range.
5. Ask Your Hackers For Feedback
This may sound like a cumbersome task, but it is easier than you think. There are many ways to survey your hackers, whether informally at the closure of a report or by working with HackerOne to send out a survey to your participating hackers. This is a great way to capture invaluable feedback to improve your program. By proactively taking steps to show hackers you care about and value their feedback, you’re doing more than some of your peers.
For public programs, a sure way to stand out is to be forthright with public disclosures. Not only are you contributing to the security community, you will also pleasantly surprise many hackers by initiating the public disclosure. HackerOne offers both limited and full public disclosures, along with Summaries, so your team has control over what content will be shared publicly, including the ability to redact any sensitive information.
Please contact firstname.lastname@example.org if you want guidance in implementing ideas to make your program more competitive. We are here to serve as a resource and advisor to help you build a successful and robust bug bounty program.
Mary Xu, Customer Success
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.