Yesterday, I ran an invitational security panel featuring security leads from large and small companies with varying levels of vulnerability disclosure programs. We curated the audience members and panelists for strong participants, which meant the lessons shared as a result were really valuable as everyone in the room was thinking about the problem. These were some of the takeaways that had consensus among the panelists:
- Good hackers can turn into contractors that can focus on specific parts of your application. For some of our panelists, they recruited some into full time hires on several occasions.
- Being explicit with your reward structure is not only important for managing hackers' expectations but also for managing noise. It is a strong deterrent to hackers from submitting bad reports. It can also be used as an internal metric for quantifying your security debt. Hackers talk to hackers and having vague rewards can cause issues.
- Bounty programs were valued for negative headline and punchline mitigation. You can improve PR situations regarding a vulnerability with "and it was responsibly disclosed and patched quickly", instead of the alternative.
- It is recommended to launch bounty programs with a tight scope (maybe some swag too) and then slowly ramp up when you get comfortable with your engineering workflow. Panelists regretted not doing this with their previous programs when tools weren't available to do so.
- Bounty programs and penetration tests are complementary. Using pen testers to target specific parts of your application, or to simulate different type of attackers to test your defense infrastructure is a much more effective approach than one or the other.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.