Operating a bug bounty program may seem intimidating to a newcomer, but the reality is even a smaller firm can successfully create and run one with the end result being a stronger and safer product.
Adam Ruddermann, practice director of bug bounty services at NCC Security, speaking at the inaugural bug bounty summit held at Black Hat, gave a rundown of the basics an organization needs to have in place for a functional program. The first and most important step is dispensing with some of the basic fears associated with actively recruiting people to find flaws in a product or service.
This particularly comes to light when a severe problem is disclosed and finds its way into the news. Ruddermann said many companies worry about what the world at large will think.
“Bug bounties are opportunities, not risks. It is a time when you can demonstrate an organization's commitment to improve and make the internet safer,” he said.
However, before this point is reached there are several structures the company needs to put in place. The first decision is whether to make it a public or a private bug bounty program, and how to integrate it with a regular vulnerability disclosure program (VDP). Ruddermann said a bug bounty program and a VDP have many similarities, but are really two different animals, with the latter having a monetary incentive attached.
For most companies a public program will work fine, but a private setup, which entails reaching out to a specific group of researchers, can be better for testing a specific piece of software. The goals and scope of the program must also be set: some opt for a limited-run program covering a certain project, while others leave it broad and open-ended.
Once the decision is made to move forward a channel has to be created for bounty hunters to contact the company with their findings. Ruddermann said this can range from posting an email address to having a submission form online.
Another factor to consider once bugs are being reported is how to handle them internally. People have to be assigned to accept the finding, confirm it is truly an issue, triage it, fix it, and finally see it through to resolution.
While these steps are being taken, it’s important for the company not to lose touch with the hunter. Ruddermann pointed out how vulnerable these people can feel as the bug they found percolates through a company’s system. He believes regular communication with the finders is extremely important and could stop them from going public with the bug before the company is ready.
This communication can be as simple as a form email notifying the hunter that they have not been forgotten and that the company will be in contact shortly. It also helps to let the person know it’s OK to get in touch with the company to discuss any concerns.