In our recent webinar, “Bug Bounty Programs: Lessons Learned From Implementation In The Financial Service Industry”, we heard some great tips from an appsec leader at one of the world’s largest financial services companies. Jason Pubal, director of application security at this large firm, talked about his work over the past 2 years in preparing for and launching a bug bounty program on HackerOne. You can watch the replay here.
The firm started preparing for a bug bounty program in 2017, when they started working to improve and develop their current vulnerability management processes. As Jason explained, getting those processes in place and working well helped to ease their implementation of a bug bounty program. Once their processes were in place, they then launched their bug bounty program in early 2018. The current scope includes all public and consumer-facing applications, and is run as a private bounty program.
As Jason recounted their story, here are 4 tips he highlighted to help those thinking about launching their own bug bounty programs.
First, build a good vulnerability management process. “Implementing a bug bounty program is pretty easy if you have a solid vulnerability management process already in place,” said Jason. Since they took the time to build a solid process, Jason remarked that the rollout of their bug bounty program was “actually easier than expected.”
Second, be prepared to change your thinking on appsec for agile development techniques. Jason’s firm runs 2-3 week sprints, which eliminated the week or so they used to set aside for penetration tests. Their testing process had to change, but it couldn’t be dropped. They shifted from a “gatekeeper” approach to continuous security. Now they combine pen tests with their bounty program, letting the pen tests focus on specific areas while the bounty program provides a more comprehensive blanket of scrutiny.
Third, automate your appsec program. Jason’s team leveraged HackerOne’s APIs to pull bug reports into what they call their findings database. Then, they merge that information with asset data so bugs can be scored based on risk. For example, if an asset is connected to PII, the bug gets a higher score. The bug report, scoring, and asset data are all then sent to their bug tracking system, and emails are sent to application owners. And it’s all automated!
“My entire team could literally take a month off, researchers would continue finding and reporting things, the HackerOne triage team would continue triaging the bugs,” Jason explained. “Without any action at all from my team, bugs get found, reported to the application teams, and things get fixed.”
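The pipeline Jason describes (pull reports, join them with an asset inventory, score by risk, hand off to a tracker and notify owners) can be sketched in a few dozen lines. The Python below is an added illustration, not code from the webinar or from HackerOne, and it deliberately does not use the HackerOne API: the report records, the asset inventory, the scoring weights, and the owner addresses are all constructed sample values, and the field names are assumptions rather than the platform's real schema.

```python
"""Illustrative findings-enrichment pipeline (added example, not the firm's code).

Pull step is simulated with an in-memory list; a real pipeline would fetch
reports from the bounty platform and push tickets to a tracker.
"""
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample reports. Field names are hypothetical, NOT the real
# HackerOne API schema.
SAMPLE_REPORTS: List[Dict] = [
    {"id": "rpt-1001", "title": "Stored XSS in profile page", "severity": "high",
     "asset": "customer-portal.example.com"},
    {"id": "rpt-1002", "title": "Verbose error page", "severity": "low",
     "asset": "marketing-site.example.com"},
    {"id": "rpt-1003", "title": "IDOR on statement download", "severity": "medium",
     "asset": "customer-portal.example.com"},
    {"id": "rpt-1004", "title": "Clickjacking on login form", "severity": "low",
     "asset": "unknown-host.example.com"},
]

# Constructed asset inventory: hostname -> attributes (hypothetical values).
ASSET_INVENTORY: Dict[str, Dict] = {
    "customer-portal.example.com": {"owner": "portal-team@example.com",
                                    "handles_pii": True, "internet_facing": True},
    "marketing-site.example.com": {"owner": "web-team@example.com",
                                   "handles_pii": False, "internet_facing": True},
}

# Assumed base scores per reported severity (constructed weights).
SEVERITY_BASE = {"critical": 9.0, "high": 7.0, "medium": 5.0, "low": 2.0, "none": 0.0}

# If the asset is not in the inventory we cannot justify lowering the score,
# so score it as if it were a PII-handling, internet-facing system.
UNKNOWN_ASSET = {"owner": None, "handles_pii": True, "internet_facing": True}


def risk_score(report: Dict, asset: Dict) -> float:
    """Combine reported severity with asset context; PII raises the score."""
    base = SEVERITY_BASE.get(report["severity"].lower(), 0.0)
    multiplier = 1.0
    if asset["handles_pii"]:
        multiplier += 0.5
    if asset["internet_facing"]:
        multiplier += 0.2
    return round(min(base * multiplier, 10.0), 1)


def priority_for(score: float) -> str:
    """Map a 0-10 risk score to a ticket priority bucket."""
    if score >= 9.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    if score >= 4.0:
        return "P3"
    return "P4"


def build_ticket(report: Dict, inventory: Dict[str, Dict]) -> Dict:
    """Enrich one report with asset data and produce a tracker-ready record."""
    asset = inventory.get(report["asset"])
    needs_inventory = asset is None
    asset = asset if asset is not None else UNKNOWN_ASSET
    score = risk_score(report, asset)
    return {
        "report_id": report["id"],
        "summary": f"[{report['asset']}] {report['title']}",
        "risk_score": score,
        "priority": priority_for(score),
        "owner": asset["owner"],
        "handles_pii": asset["handles_pii"],
        # Flag so someone fixes the asset inventory, not just the bug.
        "needs_inventory": needs_inventory,
    }


def process_reports(reports: List[Dict], inventory: Dict[str, Dict]) -> List[Dict]:
    """Enrich every report and return tickets ordered by descending risk."""
    tickets = [build_ticket(r, inventory) for r in reports]
    return sorted(tickets, key=lambda t: t["risk_score"], reverse=True)


def notifications(tickets: List[Dict]) -> Dict[str, List[str]]:
    """Group ticket ids by owner e-mail; ownerless tickets are left out here
    and surface via the needs_inventory flag instead."""
    by_owner: Dict[str, List[str]] = defaultdict(list)
    for t in tickets:
        owner: Optional[str] = t["owner"]
        if owner:
            by_owner[owner].append(t["report_id"])
    return dict(by_owner)


if __name__ == "__main__":
    for t in process_reports(SAMPLE_REPORTS, ASSET_INVENTORY):
        print(f"{t['priority']} {t['risk_score']:>4} {t['summary']} -> {t['owner']}")
    print(notifications(process_reports(SAMPLE_REPORTS, ASSET_INVENTORY)))
```

The unknown-asset path is the part worth copying: a report against a host that is missing from the inventory is scored conservatively and flagged, so gaps in asset data raise work rather than silently lowering priority.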
Finally, use the operational levers available through HackerOne. Jason deployed HackerOne’s VPN service to capture meaningful data, which gave him the insights and capabilities he was looking for.
Jason also started with a private program, inviting hackers with the right skills and a record of consistently high-quality reports to participate. Their private program began with just 5 hackers, but quickly grew to more than 30 participating today.
For 2019, Jason and his team are preparing to move to a public bug bounty program, as well as expand the scope to every internet-facing app in their portfolio. This will include mobile and B2B apps, as well as their APIs.
To learn more about Jason’s experience launching a bug bounty program with HackerOne, watch the webinar here.