Today our CEO, Casey Ellis, and James Denaro, founder and attorney at Cipher Law, stepped on stage at AppSecUSA 2016 to talk about the logistics and legalities of bug bounties. They walked through some of the most common concerns people have about bug bounties and discussed ways to address those concerns, as well as how to implement liability controls.
What they really talked about, though, is risk and reward.
The increased adoption and accessibility of bug bounty programs, especially among larger, more mainstream organizations, goes hand in hand with improved awareness of their value. The volume, diversity, and quality of both the crowd and its vulnerability findings are unmatched by most other security assessment methods. That having been said, concerns about the risks of running bounty programs, public or private, remain.
Here is a quick summary of a few of the concerns Jim and Casey addressed, and how to mitigate them.
Mitigating Commonly Perceived Risks:
If done properly, running a bug bounty program is about as “risky” as any other security assessment method, yet the benefits are far greater. Harnessing the skills of thousands of security researchers can have a major, positive impact on an organization’s security. This is why addressing perceived risks up front is so important.
Putting a target on your back:
Your organization should operate on the simple premise that the risk of being vulnerable greatly outweighs the risks associated with running a bug bounty program. Attackers do not wait for permission, but researchers do. Granting permission for security research is a reliable way to receive more vulnerability findings, giving your organization more knowledge and control over its exposure and ultimately reducing risk.
Running a bug bounty program with a trusted partner is even better, as all community members agree to a set of rules outlining acceptable and unacceptable behavior. However, if opening up testing to the community at large is too much for your organization right now, you can run a private program with a select group of vetted researchers. The bug bounty model has adapted to meet the needs of companies with a wide range of risk tolerances. Read more about bug bounty model adoption in our State of Bug Bounty Report.
Too many unknowns:
There are options available to optimize the success of your program and minimize unknown variables. Decide how you want to run your program, private or public, then articulate what you do and don’t want tested by defining a clear scope.
According to a survey of those considering running a bug bounty, the number one apprehension was around budgeting. This is a legitimate concern that can be easily mitigated with a little guidance. Start with a small program (private, on-demand, or Kudos only) and scale your incentives over the lifetime of the program. Bug bounties don’t have to be “blank check” affairs; we can help you manage your budget from start to finish.
Unauthorized public disclosure:
Public disclosure incidents are extremely rare, but when they do occur Bugcrowd’s Researcher Operations Team handles them for you. More often than not, unapproved public disclosures do not include vulnerability details; they simply reveal the existence of a private program. An excited new crowd member tweeting that they’re receiving a reward from a private customer is typically resolved quickly and without conflict.
Additionally, for all private programs, Bugcrowd retains full liability for any unintended violations or infractions and has a generous business insurance policy to cover any damages.
In reality, many of the risks perceived by businesses, legal departments, and yes, CISOs, are simply that: perceived. Years of being taught to fear hackers is much like our irrational fear of shark attacks. Statistically, you are more likely to die from a coconut falling on your head than from a shark attack. (It’s legit.)
Be on the lookout for the recording of Casey and Jim’s talk, and flip through their slides here.