We have more than 1,300 customers on the HackerOne platform, so we know what it takes to build a successful bug bounty program. We also know that companies of any size and in any industry can successfully design, launch, and run a bounty program. All you need is some experience, some best practices, and some guidance.
Our “Crawl, Walk, or Run” webinar will help you understand how companies of all sizes and security acumen can launch a bug bounty program at any pace. The webinar features Tara Hooey, a HackerOne program manager responsible for helping onboard and train new customers on everything from bounty structures to understanding program data and interpreting results. If the webinar title didn’t give it away, there’s an approach to starting your own bounty program no matter how big your team, how advanced your security apparatus, or how many resources you have to devote.
Bandwidth Doesn’t Dictate Bug Bounty Success
Tara talked about getting bug bounty programs started at companies of all sizes, from startups to mid-market companies to huge global enterprises. Budgets and headcounts are neither a predictor of nor a prerequisite for success, she explained. What’s more important is the organization’s readiness and commitment to a bug bounty program. With more hackers bringing more diverse skills and approaches, and a continuous focus, more bugs will be found and teams must be ready.
“Too much information is a good thing,” said Tara, as she explained how many organizations are worried about getting too many bug reports from a bounty program. “Being more informed helps you make better decisions.”
But incoming bug reports shouldn’t imply that smaller or strapped teams will be overwhelmed. The available bandwidth of a security team or engineering team can be used to define how a bounty program is structured. There are many controls available to throttle aspects of the program, and even incoming report volumes can be limited.
You’re Always In Control
Creating a private program and inviting just a few hackers to look at a limited attack surface, Tara explained, are simple ways to adjust a program. From there, it’s easy to push and pull the various program levers to limit or increase the volume of incoming vulnerability reports to ramp up your program as your needs and process evolve.
Process, Tara added, is a critical key to any bug bounty program’s success. Regardless of company size, it’s important to know and define the internal processes that take over once a new bug report arrives. Where that report is routed, who sees and reviews it, and how it gets to the correct resources all impact the success of the program. Getting those steps defined at the beginning is both a good exercise for the company and a good predictor of bounty program success.
Commitment is Key
Commitment to the program is also critical to success. “Even if you have unlimited resources and bandwidth, without commitment there is no chance of success,” Tara said. Getting support from security, engineering, management, and other involved teams before launch gives ownership and encourages active participation. Furthermore, appointing a champion who is focused on the program’s success also helps ensure the program gets the proper internal visibility and support.
The webinar covered many other topics for those considering a new bug bounty program, such as vulnerability management workflows, program best practices, success metrics, and more. Click here to watch the complete 25-minute webinar on-demand, including an audience Q&A at the end.
To learn how other organizations have scaled their security programs across assets and to gain a wider impact, check out our customer case studies.