Bug bounties have continued to grab headlines over the years – as evidenced by the fact that we’ve seen a 40% growth in program launches over the last year alone. As bug bounty programs move towards becoming more of a necessity (as opposed to a nice-to-have), it’s increasingly important to be aware of the nuances surrounding how to make a bug bounty program as successful as possible.
Running a successful bug bounty program starts well before the actual program launch, and is a continuous and iterative process. If you’re running the program on your own, or starting with a vendor, what core concepts and fundamentals do you REALLY need to know?
Here are Bugcrowd’s 5 tips and tricks for running a successful bug bounty program:
Tip #1: Get Buy-In Early
- This is crucial when it comes to running a successful bug bounty program. As noted above, a successful program actually starts well before it goes live. Getting internal buy-in throughout the organization, and from the top, is the best way to ensure all parties are aligned on the program goals and business needs – so that when the time comes to execute, all stakeholders are in agreement.
Tip #2: Own your program
- Your bug bounty program can only ever be as good as the people running it. What this means is that if you’re running a program, it pays dividends on dividends to be invested in the success of the program yourself. From transparent interactions with researchers to quick response times, showing researchers that you take your program seriously is much more likely to result in their reciprocation. Working with your researchers and building those relationships is absolutely key to ensuring researchers not only participate in your program but also come back and continue to participate over time.
Tip #3: Don’t underestimate the power of scope and rewards
- Be aware of the fact that researchers have a litany of available options in terms of programs they can participate in at any given time. As much as they’re competing to be the first to find a given issue, you’re also competing with the other program owners out there for the researcher’s time and attention. To this end, when building out your program, always ask yourself “Is this something I would want to test against?”, “Would this program be fundamentally attractive to me, as a security researcher?”, “Does this program brief have all the information I’d need to be successful?”, and “As a security professional, are these rewards something that would incentivize me to invest time here?” If the answer to any of these is less than a resounding “yes”, then we need to go back to the drawing board until we feel it’s good enough.
Tip #4: Remember to set expectations
- Expectations are everything. In building the program brief, we absolutely have to make sure that we’re setting proper expectations around scope, rewards, vulnerability priorities, timelines, etc. – and then living up to those expectations once the program goes live. Any time there’s an issue on a program, it’s almost exclusively due to a breach of expectations, where the researcher expected one thing and the program owner did another. Clearly outlining expectations out of the gate helps us avoid problems later on down the road.
Tip #5: Have a plan
- Finally, and very similar to point #1, it’s key to know what the plan is for the program when certain things happen. For example, what happens when a high priority submission comes in? Or when there is a deluge of findings, or just more submissions than were expected? How will those situations be handled, and which responsibilities fall to whom? Having a plan in advance allows us to avoid the common pitfall where, after starting a program, the program owner has to figure out the process as things go – which often results in a slow or unpleasant experience for researchers. As we’ve discussed before, we want researchers to have the best experience possible, so that they a) continue to test; and b) come back and test more over time. These plans don’t have to be perfect, as there’s definitely a learning curve, but having a framework is a whole lot better than just “winging it” when these situations arise.
So if you’re planning to start a managed bug bounty program at your organization, keep these tips and tricks in mind, and you’ll be well ahead of the curve.
For more information, check out our on-demand webinar featuring more tips and tricks for running a successful bug bounty program and what a successful program looks like from Cisco Meraki.