If You Can't Beat 'Em, Join 'Em: Tips For Running a Successful Bug Bounty Program

Presented at BSides Austin 2016, April 1, 2016, 4 p.m. (60 minutes)

***While the persons involved in this talk are currently employed by Bugcrowd, this presentation is intended to provide universally applicable insights into running a bounty program, and is in no way intended to be a tool for selling Bugcrowd's services.***

Having a bug bounty program is one of the most cost-effective and productive methods of finding security vulnerabilities today. Bug bounty programs provide substantial value in terms of findings, only require payment for valid results, and bring a level of depth via manual testing that goes beyond the capabilities of scanners and other traditional pen-testing tools - often serving as a valuable complement to automated testing. But, as anyone who has tried to run a bug bounty program knows, it's no simple or small undertaking...

As professionals who have helped to create and manage hundreds of bug bounty programs, we're uniquely positioned to cover key bounty concepts and provide advice on how to run a successful bug bounty program. Whether you're already running a bug bounty program, looking to run a bug bounty program, or are a researcher who participates in programs, this talk aims to deepen your knowledge of the subject.

The talk will be broken up into two parts:

1) The first segment will cover setting up a bug bounty program, including specific tips/guidance for creating a successful program. Having set up and run a range of bounty programs - some requiring more work than others - these are some invaluable insights into what it takes to make a program successful. Some of the key concepts and questions that will be covered include (but are not limited to):

  • Scoping - how to focus researchers on the targets that matter to you. What considerations should you make when setting your scope?
  • Compensation - how much should you pay, and what does that get you?
  • Public vs. private bounties - is this open to the world, or only a select group?
  • Managed vs. self-managed - are you planning on processing all the vulnerabilities yourself, or do you plan to outsource the initial processing of submissions?
  • Getting the most out of your program - thoughts on what should be in/out of scope, standard exclusions, and other information to provide researchers with everything they need to be successful.
  • Your promise to the researchers - response times, communication, and public disclosure. What do you bring to the table?
  • Researcher engagement and participation - how do you keep researchers engaged and participating in your program?
  • Access, etc. - how will researchers be testing your app? Credentials/access/etc.?

2) The second segment will cover the validation and processing of researchers' submissions. Using the experience we've gained from having processed tens of thousands of researcher submissions, we will provide insight into the back end of security operations for a bug bounty program. Key topics include:

  • Tips for evaluating researcher submissions - anyone who has done a bounty knows the submission volume can be overwhelming at times. How do you deal with and process these submissions?
  • What makes up a good report? - some thoughts for researchers on how to write quality submissions.
  • Communicating with researchers - how do you communicate with researchers, deal with unhappy researchers, etc.?
  • Thoughts on recommended vulnerability priority ratings - what priority level and payout should you give for any given vulnerability?
  • Working with a team - some real-world learning experiences and tips for working as a team and applying those lessons to issues as they arise.
  • And of course, some classic submission horror stories…

By the end of the talk, attendees will have a behind-the-scenes understanding of how to successfully set up, run, and participate in a bug bounty program.

Presenters:

  • Daniel Trauner
  • Grant McCracken
    Both occasional bounty hunters themselves, Dan and Grant work for Bugcrowd (a crowdsourced bug bounty platform), helping run and manage clients' bounty programs. Together, they've worked on hundreds of bounty programs, processed thousands of submissions, and have a litany of valuable insights to share from the world of bug bounties. Grant works as a Technical Account Manager, helping create successful bounty programs, and Dan works as an Application Security Engineer who helps process and validate incoming submissions to bounty programs. Together, they cover virtually all aspects of running a bounty program. They enjoy attending Defcon parties, and clicking buttons.
