CISO Series on Today’s Critical Issues White Paper

Bug Bounty Programs

What is a Bug Bounty Program?

Bug or hacker bounty programs go by several names, including vulnerability reward program, flaw disclosure, and hacker crowdsourcing. They all have one thing in common: they pay people for finding bugs in code. With few exceptions, programs pay cash for results. Once a bounty hunter submits proof of a vulnerability and the company sponsoring the program validates it, cash is paid. Programs come in all sizes, from small software companies who rely on voluntary bug finding to large companies like … and … that pay out millions of dollars annually.

Today, several thousand companies offer a bounty program. HackerOne maintains what they claim is the most exhaustive list of known bug bounty programs.

How a program essentially works is you invite people to attempt to penetrate your network, web sites, etc. If they find a vulnerability, they document the flaw, you verify it and then issue a payment based on the conditions of your bounty. Easy peasy.

Bug Bounty Program Budgeting

Budgeting for a bounty program is a risk-based proposition. Ask yourself, what would it cost to fix a bug in production versus development or testing? Next, determine if that has ever happened; I am sure it has. Keep in mind that you only pay for successes in a bounty program. How much does it cost to keep a team of in-house security testers employed to find minimal bugs?

You can design a bounty program around any budget, even free, well almost – you still have to pay for using the platform. Bounty hunters want to make a name for themselves, so some will work with programs that only provide kudos for finding bugs. This goes toward building their reputation and their goal of becoming a much sought-after super bug hunter.

Consider structuring your program around the priority rating of the bugs found. You may feel you want your bounty dollars to go only toward finding critical bugs and not those that pose an acceptable risk. Funding for the program can also be subsidized by marketing, as it is a way to promote your company as doing the right thing.

Penetration Testing vs. Bug Bounty Programs

Bounty programs have introduced an interesting argument: should I reduce my security testing staff and essentially outsource my security testing through a bug bounty program? In my experience, my clients that have compared results of in-house testing versus a bounty program have stated that bounty programs were far more successful in finding critical code flaws fast. The two main reasons are, one, internal security testers do not think like hackers and, two, the sheer metric tons of hacker brainpower who are financially motivated to find bugs.

Penetration testing has become too bureaucratic with lawyers, contracts, rules of engagement, etc. I have seen many penetration testing projects take weeks or months to negotiate, all while a bug bounty program at similar companies was finding dozens of bugs in that same period of time. Now I am not advocating eliminating penetration testing from the mix, but rather that you consider a bounty program as an essential strategy to fast-path security testing of public facing critical code.

Unique Bug Bounty Programs

Bounties paid by companies can range from $200 to $200,000; however, an average reported by bugcrowd was $505.79. With a growing number of bounty hunters and bounty platforms, companies are looking for ways to gain notice by the industry’s top bug researchers. United Airlines, for example, offers frequent flyer miles.


The following are several bounty programs that stand out from the crowd:

Company             Bounty
Apple               $200,000 for highest category of bug – secure boot firmware bugs.
Google              Donations to charities in conjunction with bounties.
Hack The Pentagon   Pilot bug bounty program of $150,000 for hackers in return for the vulnerabilities they find in its public facing websites.
Kraken              Payments made in bitcoins.
Netgear             Submit a chain of bugs to receive a bonus.
PayPal              Payments made to a PayPal account.
…                   Hacker loyalty reward program and bug treasure map.
United Airlines     50,000 to 1 Million award miles.

I suggest you work with your organization’s marketing department to come up with a unique and noticeable bounty payment to attract the best bug researchers. You certainly do not want to do what Yahoo did in 2013 and offer t-shirts to bug hunters for finding critical bugs in their code. This touched off such a hail of negative press against Yahoo that the press referred to the incident as “t-shirt gate.” So a word to the wise: really think through what message your bounty program sends.

Bug Bounty & Disclosure Programs

A great way to model your bug bounty program is to view what other organizations have implemented. Thanks to bugcrowd and HackerOne, you can view nearly 2,000 with just a click of your mouse. Bugcrowd maintains an updated list of bounty and disclosure programs with direct links to the respective program sites.

Think of this as security crowdsourcing of thousands of white hat hackers and professional security vulnerability researchers.

Bugcrowd can manage your program through a number of program types, ranging from public (a collective of thousands of hackers and researchers), private (invite-only researchers) or on-demand (project-based invited researchers). Bugcrowd provides a template for branding your bounty page, handles bounty payment, performs bug report triage and validation, and provides comprehensive reporting on your program.

Bounty programs are effective and indispensable to your SDLC or DevOps operations. HackerOne and Detectify are two other bounty platforms you may wish to compare to bugcrowd. Bounty Factory is a European-based platform that focuses on code flaws related to EU rules and regulations.

If you are just looking for a list of bug bounty programs, check out bugsheet. This site offers a curated list of over 370 programs offering a collective 150 bounties.

Evolution of Bug Bounty Programs

Bounty programs have been around for many years. Jarrett Ridlinghafer, while working at … in 1995, established the first bounty program. He also coined the phrase “Bugs Bounty.” Programs have progressed from casual in-house award programs to sophisticated managed programs attracting only the highest profile bug hunters, and everything in between. Bounty hunting has become an industry with providers ranging from hunters who just triage code with vulnerability scanners looking for low hanging fruit, counting on the fact that the sponsoring company never bothered to scan their own code, to professional bug researchers.

Bounty hunting has also created a new breed of super hunter who devotes their full-time energies to finding bugs as a profession.

What Type of Bugs are Found?

Bugcrowd reports the following types of critical bugs found by their researchers:

Mobile_Net    0.30%
SQLI          1.30%
Clickjack     2.90%
CSRF          8.20%
XSS          19.90%
Other        67.70%

Bug Bounty Program Tips

1. Brand your program – marketing matters and bounty programs attract public attention.
2. Make your program payout unique – you want to attract the most experienced bug hunters.
3. Use a commercial bounty program management platform – do not reinvent the wheel.
4. Clearly document the types of bugs you are willing to pay for – ambiguous hunter instructions lead to wasted time and money.
5. Scan your code before releasing it for bounty – you do not want to pay for bugs you should have caught.
6. Structure a loyalty program to attract the best bug hunters – build a rapport with your star hunters.
7. Integrate the bug bounty in DevOps – focus on finding bugs in development.
8. Carefully document dupe flaws – the fastest way to tank your bounty program is to issue the curt response “dupe” without proof.
9. Expect poor submissions – over 90% of bounty submissions will have little to no value; many researchers do not read the bounty guidelines.
10. Expect probing of your network – once the bounty is announced, researchers will start probing your network.

Conclusion

Bug bounty programs are a great strategy to include in your arsenal of secure coding and testing processes. They provide a vulnerability perspective that in-house programs typically cannot. These programs are ideal for due diligence and fast-pathing testing on highly visible and critical web sites. Invitation only bounties have approximately twice the success rate of public bounties, due primarily to the quality of the bug researchers attracted, but they do cost more. Overall, this is something to consider in your mix of cybersecurity program practices.

Author

Tari Schreider – C|CISO, CHS-III, CRISC, ITIL™ v3, MBCI, MCRP, SSCP
Chief Cybersecurity Strategist & Author
Prescriptive Risk Solutions, LLC.
Atlanta, GA - Cheyenne, WY
www.prescriptiverisksolutions.com
[email protected]
M: Atlanta – 678.595.2818
M: Cheyenne – 307.215.1330

The Manager’s Guide to Cybersecurity Law