In our web event “Getting Vulnerable”, we brought together program managers Jill Moné-Corallo from GitHub, Garrett McNamara from ServiceNow, and Ansgar Pfeifer and Matthew Bryant (aka Mandatory) from Snap, along with top hackers from GitHub and ServiceNow’s programs @rijalrojan and @man4bob. We welcome you to view the webinar on-demand here or read our key takeaways below.
Key Takeaways for Program Managers:
Communication and Engagement are Critical.
Hackers emphasize the importance of clear and consistent communication to keep them engaged - and a sustained decrease in responsiveness can cause hackers to stop spending time on a program. Understanding the motivations of hackers (reputational, monetary, etc.) can help incentivize participation, but communication is vital in ensuring both parties get the most out of the relationship. Best practices include direct discussions about specific bugs, providing a reason when reports are downgraded in severity, maintaining a regular dialogue with the hackers in your program, and fostering opportunities for top hackers to meet program managers at events.
- “The main reason I’ve decided to leave programs in the past has been the communication side of things. If the platform or product is challenging to hack on, I will always love hacking on it, but if the communication and triage times get worse, I tend to slow my reporting. Sometimes people leave a company and a new person comes in and changes how they triage and respond to hackers, and if it changes drastically I will leave.” – @rijalrojan
- “It’s good to hear some validation that the communication side is as important as we say it is internally. There are very similar mindsets between everyone involved - the people triaging reports and the hackers submitting them.” – Mandatory, Snap
Regular Evaluation and Adaptation of the Program Keeps Hackers Engaged.
In a world with thousands of bug bounty programs, hackers get to choose where they spend their time. To stay competitive and attractive to hackers, program managers should continually analyze their vulnerability trends, their bounty table, and how they compare to other programs. GitHub, ServiceNow, and Snap highlighted exercises like expanding scope based on mergers and acquisitions activity, raising rewards over time as low-hanging vulnerabilities are picked off, and running promotions to align with product releases or newly discovered vulnerabilities.
- “We do a quarterly review and look at trends in our program, and we also review against other programs to make sure that we are staying competitive.” - Jill Moné-Corallo, GitHub
- “Something we’ve done in the past is to create promotions where we add new things to our scope or pay a bonus for certain vulnerabilities like Log4j. We’ve seen a high rate of success and an increase of submissions related to those efforts.” – Ansgar Pfeifer, Snap
The Importance of Disclosures and Reputation.
Most program managers and hackers view public disclosure as a win-win situation: the disclosing researcher gains recognition for their work, and the company gets free advertisement for their bug bounty program. Collectively, the emphasis is on creating an environment of trust where hackers feel comfortable to disclose their findings in collaboration with the program managers, and where companies see disclosure not as a highlight of their flaws, but a testament to their security posture. This is one characteristic that makes the cybersecurity realm so unique - even industry competitors share vulnerability intelligence, in hope of making the entire internet a little safer.
- “I love doing blog posts for fun or exciting vulnerabilities that I find. With GitHub, the vulnerability I found in December was exciting because it ended up impacting the GitHub platform itself. I asked the GitHub team and got their permission in April to disclose it. It helps from the reputational and brand point of view as a hacker, to showcase the vulnerabilities you’re finding.” – @rijalrojan
Key Takeaways for Hackers:
Actionable Reports Are Better for Everyone.
Hackers that provide actionable vulnerability reports can position themselves as long-term partners for program managers. Ensuring your reports are detailed and easy to understand helps your reports get triaged, remediated, and rewarded quicker. Best practices are to include all the necessary details, clear formatting, videos, or any other information that makes it simple for the program team understand how to reproduce the hacker's actions. Finally, when a hacker can dictate the impact of the bug and how a malicious attacker could abuse it, it helps the program manager defend the severity score internally.
- “You as the hacker know what you're doing on the other side of the screen. We're trying to piece together your process with what you give us in the report. Make it visually easy for us to follow your steps to reproduce the bug. Load us up with any and all detail you can give us.” – Jill Moné-Corallo, GitHub
- “When writing a report, don’t leave anything out. When we’re reading each report, we’re trying to determine the impact of the bug if a malicious person abused it. If the researcher can clarify ahead of time that this report is for an IDOR, I tested it like this, enumerated the IDs like that, here was my HTTP request, then we can assess the impact quickly and reward bounty on triage.” – Mandatory, Snap
Build Trust with Program Managers.
Despite the trend of “zero trust” buzzwords, this industry relies on trust. Hackers can build trust with program managers by communicating clearly and professionally, staying within scope and policy, and connecting with program managers at events and conferences. Program managers are often looking for anchor hackers who display the above characteristics, and these hackers are the first choice for VIP or special access programs.
- “Another thing we’re doing with some of our most helpful researchers is to give them premium accounts for new technologies we’ve acquired that we want to add to the bounty program scope. There’s a little logistical lift to get that going, but we have good data on who’s really active on our program and who is informed on our platform technology, which is a great place to start for us and for the researchers.” – Garrett McNamara, ServiceNow
- “ServiceNow actually gave me an opportunity to meet the team back in 2019 at a conference in Las Vegas. It was wonderful meeting with the team and I learned a lot from them.” – @man4bob
Templates Enable Efficiency.
Nuclei templates emerged from this conversation as an unexpected takeaway, both for hackers and for program managers. From the hacker side, these templates make it simple to document their work and test each bug across a wide range of hosts. For program managers, receiving a report that includes a template or script enables easier reproduction of the bug across their environment. With both sides of the table speaking a similar language (YAML, in this case), reproduction and bounty payout can happen faster.
- “There were cases where I found multiple hosts to be vulnerable in slightly different ways. So each host was disclosing admin API endpoints without authentication, and there was a specific way I was identifying all those at scale for that company. I ended up attaching a Nuclei template and a script I wrote to auto-exploit the vulnerability and then write a report for me. The template and script I provided helped them find all the instances of that vulnerability in their environment.” – @rijalrojan
This conversation between hackers and bug bounty program managers illustrated the importance of communication, reputation, and adaptability in this field. We are immensely grateful to all the participants for their candid reflections, and we hope that this discourse will encourage further collaboration and exchange of knowledge between hackers and program managers. Our final takeaway is this evergreen quote from Jill Moné-Corallo: “At the end of the day, we're all humans on each side of the computer.”