Google recently announced that the company has raised its top reward for remote code execution bugs in its Google, Blogger and YouTube domains by 50 percent, saying “Because high-severity vulnerabilities have become harder to identify over the years, researchers have needed more time to find them. We want to demonstrate our appreciation for the significant time researchers dedicate to our program.”
This is a natural evolution to a bounty program and really a sign of a program’s health. However, what most don’t realize, are the various complexities that go into determining when the right time in adjusting bounty payout ranges. A bounty program is a fantastic means to ensure continuous risk measurements – and mitigation – against a platform. That being said, a majority of self-run programs end up stalling out, losing researcher participation and confidence.
This is also why managed bug bounty programs have become the new norm. At the start of a program, most organizations – regardless of size – become quickly overwhelmed; defining scope, defining disclosure inputs, identifying program security owners, establishing a vulnerability management program, and even determining time-to-fix agreements within that program. And this doesn’t even address how to establish attractive payout ranges, setting up an efficient triage and validation process – much less attracting a solid crowd of researchers to actively participate.
On top of all this, we refer back to the original statement in this article about the how and when to even raise the bounty payouts. Bottom-line, is that programs are complicated to start and become more complicated as they mature. What is the best way to engage the research community? How do you keep them consistently interested in your program? Are there means to incentivize them? And inevitably, as noted, when do I scale up my bounty rewards?
By utilizing the expertise acquired while managing hundreds of programs, organizations that work with a trusted partner ensure they are getting the most out of their bug bounty programs. Not only at the outset, but also over time to ensure the long-term assurance value of bug bounties.
With four years’ experience managing bug bounty programs we’ve learned the following:
Start off on the right foot
When scoping a program initially it’s important to underscore just how critical the scope is for the success of a program. In its simplest form, the scope tells the researchers what they should and should not test – which is critical to getting the results you want from your bounty program. This extends to pricing targets, as well. Put yourself in the researchers’ shoes. You know how much a particular vulnerability is worth to your company – that’s how much you should pay for it.
Define what is a bug’s worth
What is a bug worth? This is one of the most important questions an organization needs to ask when creating a successful scope and it varies depending on the organization, its targets, and in some cases, on the size its security team. As more and more companies align their business and security goals with their crowdsourced security programs, we’re beginning to see a general increase in motivation and activity amongst the crowd. By taking a critical look at and evaluating the business impact of the potential vulnerabilities as well as looking at the marketplace for bugs an organization can correctly define what a particular bug is worth at any point in time (it can and does change). This leads to the next point.
The right price at the right time
The security maturity of an organization is a critical factor in determining how to reward a vulnerability. An organization with a more mature security program has security-focused processes in place, and thus, vulnerabilities require more time and effort to find. For these programs, we also encourage defined program rewards for vulnerability types based on priority.
Google’s recent increase as well as 1Password’s 300% increase on their highest reward (to $100,000) demonstrates that organizations are really starting to think about the market and where the market is pricing vulnerabilities. But remember that it’s important to increase rewards as they make sense to your security organization. Taking a “crawl, walk, run” strategy is the best way to ensure your program grows the right amount at the right time. Jet.com is a great example of this measured approach from a private to public program and increasing rewards when it made sense for them.
Creating a competitive program
The bug bounty market is growing quickly creating competition between programs. Without the proper guidance many organizations will struggle to make their programs stand out and will lose the race to get the best researchers. But staying competitive isn’t all about big cash rewards. A wide scope with interesting targets will always attract talent. Don’t underestimate the power of a coordinated disclosure program. For the majority of researchers public disclosure can be a form of prestige– expressing the skill or knowledge it took to find something noteworthy. It can also be an educational tool–teaching peers about vulnerabilities found in the wild, or consumers about their risk. Being able to disclose vulnerabilities can also provide career opportunities and community klout for individuals just getting started.
Don’t underestimate the power of marketing your bug bounty program. Many organizations use their bug bounty program as an opportunity to demonstrate their security posture. Increasing rewards is a great way to demonstrate just how seriously you take your organization’s and your customers’ security.
While the market continues to evolve, the key to success remains the same: attract the best researchers to find your vulnerabilities before adversaries can take advantage of them. How do you attract the best talent in a bug bounty? The same way you would if you were hiring a full time employee or contractor: fair and competitive payment.