Managing Your Crowdsourced Security Program for Success

A growing number of organizations across various industry sectors are adopting crowdsourced security, making it clear that this model is no longer just the future of cybersecurity – it is the here and now. Crowdsourced security is driving organizations to become more productive – and even creative – with their security programs.

But if you’re thinking about, or are already running a crowdsourced security program, there are a number of important considerations and elements of planning that go into the successful execution and management of a program. Most notably, identifying, defining, and establishing the following:

1. Objectives and scope for the program
2. Logistics for researcher access/authentication
3. Implementation and location of the program
4. Internal stakeholders and cross-functional program owners
5. Internal processes for the management and remediation of vulnerabilities
6. Attractive/industry standard payout ranges
7. An efficient triage and validation process
8. Logistics for payouts and researcher communications
9. A plan for attracting and engaging with participating researchers
10. A plan for growing the program to a mature state over time

And depending on the answers to some of the questions above, the list can go on and on…

To help with the above (and a whole lot more), Bugcrowd provides the most robust and engaged solutions teams in market today, with several layers of resources working together to ensure both customer and researcher success. With extensive experience in enterprise security and hacker community engagement, each team’s (Solutions Architects + Researcher Success + Customer Success) abilities are further augmented by a variety of features within our Crowdcontrol platform – all of which are designed to standardize best practices, while simultaneously setting clients and researchers up for a meaningful and successful program.

At Bugcrowd, we’re committed to ensuring you are fully-equipped and enabled to operate a world-class program. With this in mind, over the coming weeks and months we’ll be launching a new blog series around best-practices and how-to’s, in an effort to help guide you along the journey of getting into, and reaping the benefits of crowdsourced security.

To kickstart Bugcrowd’s best-practice series, here are a few common definitions to keep in mind.

• Crowdcontrol is the official name of Bugcrowd’s platform that can be found at https://tracker.bugcrowd.com. This is the portal where you (as a program manager) will setup, monitor, and manage your program on Bugcrowd.
• The Program Brief is a single page, researcher-facing document that contains all the relevant information regarding your bounty program (what’s in/out of scope, rewards, how submissions will be rated, instructions for accessing or testing the targets(s), etc). For examples of current public bounty briefs, please visit https://bugcrowd.com/programs. During the onboarding process with Bugcrowd, this document will be a collaborative effort that will be built in direct conjunction with your Solutions Architect to create a concise and effective program brief.
• A Payout is the money paid to a researcher once their vulnerability submission has been accepted by you, the program owner. In a bug bounty programs, this amount always correlates back to the specified reward amounts documented on the program brief.
• Kudos Points are a form of non-monetary compensation that is awarded (or in the case of out-of-scope reports, deducted) for submissions from the researcher. Depending on the severity (and consequently, the priority) of a finding, a submission will receive greater or fewer points. The aggregate of these points is then publicly displayed on researcher profiles, as well as leaderboards – creating a ranking/status system within the community.
• A Submission is simply another term for a vulnerability report submitted to a given Bugcrowd program. A good submission will include a description of the issue, a relevant title, easy to follow reproduction steps, and any useful documentation to support the finding (screenshots, etc).
• Triaging is the process of validating a submission from a new state, ensuring it’s valid, in scope, not a duplicate, and contains sufficient information/replication steps to be consumable by the client. The process of triaging reports on the Bugcrowd platform is handled entirely by our Security Operations team – ensuring that you only ever see valid, in-scope, unique, and easy to digest reports.
• Bugcrowd’s Vulnerability Rating Taxonomy, or ‘VRT,’ is the basis by which we rate the technical impact of findings, and thereby assign relative priorities that range between critical (P1 – where these findings get the highest reward amounts), to informational (P5 – which receive no reward). This taxonomy is routinely reviewed and updated as new threats and vectors emerge, and has been built off the combined knowledge gained from running hundreds of bounty programs over the years. It’s an invaluable document that clearly sets expectations for both clients and researchers, and makes everyone’s life infinitely more simple by not having custom rating taxonomies for each an every program. This in mind, the VRT may be modified to your individual needs as you see fit, but on the whole, we find that the ratings expressed in our taxonomy mirrors the general industry sentiment of clients and program owners. The VRT can be reviewed in full here: https://bugcrowd.com/vulnerability-rating-taxonomy 

For more definitions, check out our glossary at https://www.bugcrowd.com/resources/glossary/

And keep an eye out for more best practices and how to’s over the coming weeks and months.