Security@: The Top 3 Bug Bounty Lessons From Security Leaders

HackerOne’s Security@ conferences are exclusive events that bring together customers, hackers, and industry experts to share opinions and advice about building resilient security programs.

Security leaders from Booking.com, Polygon Labs, Delivery Hero, and Headspace took to the stage to discuss their experience of working with ethical hackers, from securing executive buy-in from their programs to feeding data from vulnerability reports back into their SDLC to build stronger products and services. 

Here are the top lessons we learned from our customers.

1. Getting the Right People on Board Guarantees Bug Bounty Success

The Security@ panelists discussed the importance of fostering internal champions, having a clear owner and escalation process, motivating vulnerability remediation, and starting your bug bounty program early on in development.

“Internal champions are invaluable to your security efforts if you’re trying to shift to a culture that prioritizes security. At Headspace, we established advocates in our C-suite and created security champions across our departments; they are now an extension of the security team and can support their colleagues to also embrace security.”
— Shobhit M., Security & Compliance Director, Headspace

“In order to take our bug bounty program public, we needed to ensure we had enough tooling and automation — and find the right owner. We have over 3,000 developers, so it’s hard to determine who fixes each vulnerability, and it’s important to have a process to escalate the issue. We don’t want hackers to get frustrated with the remediation time; if a hacker reports something, we need to fix it as soon as possible, not only for the security of the company but also for the benefit of the hackers.”
— Eric Kieling, Head of Application Security, Booking.com

“We have connected the vulnerability management program with a gamification approach of the security framework. It gamifies and pushes entities in different regions to improve certain security requirements. When there is a critical vulnerability, teams are given SLAs. It’s a nontraditional way of thinking about security, but it means everyone is trying to fix their vulnerabilities before everyone else.”
— Nouman Jamil Hashmi, Senior Manager, Security Engineering, Delivery Hero

“Over time, I’ve become a proponent for opening your bug bounty program at the beginning. Hackers love to participate, especially if the code has not been tested. Once the code is complete and the engineers have done some testing, just put it out there and start with lower bounties. With the compounding attack, you’ll find something in the DNS or code, and that’s something no scanner can find.”
— Christopher Von Hessert, VP, Security, Polygon Labs

2. Customers Measure ROI Based on the Potential Cost of a Breach

The panelists were also in agreement that, while demonstrating the ROI of security can be challenging, bug bounty programs make the quantification and stakeholder buy-in easier.

“Money is always a hurdle for security. How do you explain that you’re doing a good job when nothing is happening? How do you quantify reputational damage or risk to customers? In Blockchain, our smart contracts hold money, so it’s easier for me to explain that if one of those is breached, this is exactly how much money is at risk.”
— Christopher Von Hessert, VP, Security, Polygon Labs

“A bug bounty program is the highest ROI program you can have. You're getting hammered by the best researchers. I'm really impressed by the skillsets of researchers across the board.”
— Shobhit M., Security & Compliance Director, Headspace

“The bug bounty program is the highest ROI across all of our spend. It’s really hard to show ROI, but with bug bounty, I have a baseline. I can say, ‘This vulnerability was able to be found by someone outside the organization. Someone that was not authorized to access this system was able to access it.’ Even with vulnerabilities that are not within our program, bug bounty allows me to put a price tag on them. I can explain this business case and our stakeholders are able to prioritize bug bounty higher than other tools that also generate ROI.”
— Eric Kieling, Head of Application Security, Booking.com

3. Bug Bounty Is Adaptable to Cope With Market Challenges

Amid shifting left, global teams, and the progression of AI; bug bounty programs and ethical hackers continue to catch crucial vulnerabilities.

“We’re trying to shift left. But those tools have limitations, and bug bounty is a way for us to find what is left in the cycle. When other tools are not able to find vulnerabilities, bug bounty allows us to find them.” 
— Eric Kieling, Head of Application Security, Booking.com

“When groups are operating in different countries, there are different platforms and threat scenarios, due diligence, etc., it’s a complex mix of many different security requirements. Since we kicked off the bug bounty program, we have been able to identify the low-hanging fruit, and we can go back and fix them.”
— Nouman Jamil Hashmi, Senior Manager, Security Engineering, Delivery Hero

“I love that the bug bounty program gives me visibility into things that I’m not aware of. They may not be the most interesting vulnerabilities, but to me, they’re very important because those are the unknowns in my company. Those are the things my scanners or even my SDLC are not looking after. The human factor is very difficult to overcome, and with the addition of AI, they’re going to be able to find crazy vulnerabilities that we probably would spend a year looking for.”
— Christopher Von Hessert, VP, Security, Polygon Labs

HackerOne is taking Security@ global. Find your nearest event.