
Security Leads Share Bug Bounty Program Tips

  • July 31st, 2015

Yesterday, I ran an invitational security panel featuring security leads from large and small companies with vulnerability disclosure programs at varying levels of maturity. We curated both the audience and the panelists for strong participants, which made the lessons shared genuinely valuable: everyone in the room was already thinking hard about the problem. These were the takeaways that had consensus among the panelists:

  • Good hackers can turn into contractors who focus on specific parts of your application. Several panelists had recruited such hackers into full-time hires on more than one occasion.
  • Being explicit about your reward structure is important not only for managing hackers' expectations but also for managing noise: it strongly deters hackers from submitting low-quality reports. It can also serve as an internal metric for quantifying your security debt. Hackers talk to hackers, and vague rewards cause problems.
  • Bounty programs were valued for mitigating negative headlines and punchlines. A PR situation around a vulnerability reads much better with "and it was responsibly disclosed and patched quickly" than with the alternative.
  • It is recommended to launch bounty programs with a tight scope (maybe some swag too) and then ramp up slowly as you get comfortable with your engineering workflow. Panelists regretted not doing this with their earlier programs, when tools to manage scope weren't available.
  • Bounty programs and penetration tests are complementary. Using pen testers to target specific parts of your application, or to simulate different types of attackers against your defensive infrastructure, is far more effective than relying on either one alone.

I hope the takeaways will be useful for your security team. If you're curious to learn more about bounty programs or security disclosures, read my post on Bounty Launch Lessons and Disclosure 101.

  • Magoo
