Anatomy Of A Bug Bounty Budget
- April 13th , 2016
Organizations are leveraging bug bounty programs like never before, yet few know how to budget for it. At HackerOne, we run a competitive bug bounty program of our own and also help our customers plan and budget for their bug bounty programs accordingly. Here are key things to consider when budgeting for your bug bounty program.
Make The Case To Your CFO
CFOs are responsible for making sure the company is allocating resources appropriately to address all business needs. Security is now a requirement for doing business. Any security incident has the potential to negatively impact customers, revenue, the brand and even result in leadership losing jobs.
Given security vulnerabilities pose a high business risk, a CFO must allocate resources to address it. It is like buying business insurance, but better, because this allows you to proactively fix security vulnerabilities in many cases BEFORE they can be exploited by a criminal. For us at HackerOne, running a bug bounty program is similar to insurance because every time we reward a bounty, we know it impacts HackerOne's security. No CFO will run a business without basic business liability insurances. When you present the need for a bug bounty budget this way, most CFOs will understand it.
Remember many of your systems are exposed to the whole world everyday. To think a few people tasked with security can find every vulnerability in your system is not realistic. For these reasons, we increasingly see a company's board or CEO mandating a public vulnerability coordination and/or a bug bounty program as part of a comprehensive security strategy.
What Makes Up a Bug Bounty Budget
A typical bug bounty budget contains three key components: bug bounties, bug triage, and bug bounty program management
This is the money you reward hackers for the reported and resolved bugs. Bounties are used to reward, attract, and retain top hackers. How much you pay for each report depends on the value of that report to you and the severity of the issue. We see bounty rewards that range from $100 a report to $30,000 a report, with new bounty ceilings broken continuously. How much you pay for each bug depends on the potential impact and severity of the bug and the security maturity of your system.
Another element to consider when looking at bounties is the actual process of payments. One of the benefits of a crowdsourced approach is that you get to work with talented hackers from around the world. But for many security teams it would be a challenge to process bounty payments for hackers from all corners of the world. For many teams trying to run these programs themselves, this also poses a challenge when it comes time to process these bounty payments to hackers globally. For most companies, when you consider processing time and fees, this is just not practical. To make this easy for our customers HackerOne charges a 20% fee, which covers free access to many of the platform features, payment remittance to hackers, and all other associated services for payment processing such as tax form collection, year end 1099 issuance, etc.
This is the manual operation of validating the reported vulnerabilities, ranking them with severity, and then reporting these bugs back to the development teams so that they can reproduce the issues before fixing them. This triage can be done with internal resources, or as contract work with others or HackerOne. Bug triage requires special technical skills, its cost scales with the volume of reports, and complexity of bugs reported. Many HackerOne customers manage triage themselves but we also offer HackerOne managed for customers that are looking for help in this area.
Bug Bounty Management:
This is the day-to-day operations of managing your competitive bug bounty program. It includes rewarding reported vulnerabilities, communicating with hackers regarding reports, managing bounty budget, and figuring out how to retain and attract top hackers to look at your system. A bug bounty program is a powerful way to discover your security vulnerabilities and it takes skill and experience to run it well. You can manage it yourself if you have skilled staff, or you can hire the pros to manage it for you. Similar to triage, many HackerOne customers manage their programs themselves but we frequently receive request for support in this area. Feel free to contact us if you want to learn more about our offerings.
Bug Bounty Budgeting Basics
Here is a basic guide for a bug bounty program budget that includes a ballpark range of the various cost components. These numbers are estimates based on the average expected number of bugs reported, percent of valid bugs, and the industry average bug bounty rate.
If you have staff to triage bugs internally, you don't have to budget for the triage cost. If you have staff to manage the bug bounty program, you don't need to pay for the management cost. Ultimately, the budget is driven by how many bugs are reported, and of those how many are high, medium, low severity.
We categorize the budget into three groups roughly based on a system's attack surface, its complexity and importance to your business. For example, one may say that a simple mobile app has a 'small' attack surface. But if this app is functionally your entire business, has millions of users, and contains users' personally identifiable information, a security bug in this app could be extremely damaging. While the technology itself may be 'small' we recommend you consider the attack surface of this app as 'medium' or 'large' given the potential impact to your business. On the other hand, a system that is mostly an informational website, with little personal data, primarily static pages and some dynamic pages without user login capabilities would likely have a 'small' attack surface.
|Bug Bounty + Processing Fees||$14,000||$100,000||$450,000|
|Bug Bounty Management||$24,000||$60,000||$100,000|
|Total Annual Bug Bounty Program Cost||$46,000||$180,000||$600,000|
Here is how we arrived at these numbers:
Small Attack Surface:
If you have a system with a small attack surface, you should plan for roughly a $14,000 annual bug bounty budget. This translates to about $1,000 a month for bounty awards and $200 for processing fees. Top hackers are highly skilled technical people, many of them work full time as developers or security professionals and hack in their freetime. Let's say their time is worth at least $150 an hour in the marketplace, then $1,000 pays for 7 hours a month. For a small system, this is probably the minimum level to start with. If the system is critical to your business, $1,000 a month is a worthwhile spend to attract skilled hackers to report vulnerabilities in your system. The budget will increase to about $50,000 a year if you need to outsource bug triage and program management.
Medium Attack Surface
We expect many more bugs reported for a medium-attack-surface system, thus you should plan roughly a minimum of $100,000 a year for a bug bounty program. The minimum increases to roughly $200,000 a year if you need to outsource bug triage and bug bounty program management.
At $200,000 a year, the program's cost is comparable to one fully loaded experienced engineer hire. The benefits you get from a bug bounty program at this level is more broad than having just one skilled full time security engineer in many cases. With a bug bounty program at $200,000 a year, you get the peace of mind knowing your system is looked at by good, ethical hackers who are incentivized to look for, and report security bugs in a timely fashion to you. Note, the management of a bug bounty program at this level is more complex because you would work with more hackers and there are more reports to handle.
Large Attack Surface
If you have a large attack surface, you should budget around $500,000 a year for a bug bounty program, or roughly $1,000,000 a year for a fully managed service. Any system that has a large attack surface is dealing with complex systems that are critical to your business, a severe vulnerability could result in tens of millions of dollars in damage. Spend $500,000 to $1,000,000 a year to help ensure you are finding potentially severe vulnerabilities is a reasonable cost to supplement internal resources to protect your business and your brand.
We realize bug bounty programs are new for many teams and we hope you find this useful. As always we want to hear from you. Please send any of your budgeting tips or feedback to email@example.com
Note that the above numbers are generalizations prepared for a US-based company. Geographic location influences the cost profile, and each company is unique in its own way. HackerOne's most successful customers spend over $1 million a year on bug bounty programs, and some of the newcomers get going on minimal budgets
Ning Wang, CFO, HackerOne