29 March, 2017
Security industry best practice encourages organizations to adhere to secure development lifecycle (SDLC) principles by embedding security measures in all stages of code development. However, even the most diligent adherence to SDLC principles will not eliminate all vulnerabilities.
Initiatives that reward the public for uncovering vulnerabilities in websites and software, known as bug bounty programs, are fast becoming common practice, with companies like Facebook, Google and Microsoft running them successfully. Without a bug bounty program, organizations run a higher risk of incidents in which hackers or security researchers who discover a vulnerability try to extort or blackmail them, risking both financial and reputational harm. Crowdsourcing the hunt for overlooked flaws is a cost-effective and controlled way to ensure that your organization is doing all it can to strengthen the security of its code.
Inviting hackers and security researchers to find flaws in your product does come with risks, so it’s important to design and implement bug bounty programs carefully to ensure safe reporting, quality submissions, and smooth execution. The following tips highlight considerations to help you develop the right program to achieve your company’s vulnerability hunting goals.
Have the right resources in place to execute the program
The foundation for a successful bug bounty program is preparation, specifically having processes in place and the right resources to carry them out effectively. A few important areas to focus on are:
Sufficient staff. Make sure you have sufficient resources within your team to address and manage the queue of fixes to vulnerabilities identified through the program. This should also include staff who can quickly validate submissions and accurately prioritize fixes based on the level of security risk.
Vetting duplicates. Have a process in place for vetting vulnerabilities that have already been reported to avoid duplicate entries in defect tracking systems. Not only will this provide a better experience for the bounty hunters, but it will also help prevent you from having to pay for the same vulnerability twice.
Language skills. You will need the ability to communicate in different languages with the researchers and hackers who find the vulnerabilities, as English may not be their first language. With money and security at stake, clearly understanding the vulnerability they are describing is important.
Coordination. Work with your security operations team to make sure they can differentiate between a bounty hunter and an attacker who is not part of the program. Their focus should remain on identifying malicious threats.
Price bounties thoughtfully
Certain factors will impact the value a company assigns to vulnerabilities. For example, some people may argue that a bug found on Facebook or Google may be worth more than the same vulnerability found on a small or medium-sized company’s website or product. Another factor to consider when pricing is the level of security risk posed by the particular vulnerability, which many companies address by instituting a sliding scale.
On the other hand, putting too high a price on a vulnerability risks incentivizing ‘bad’ developers within the company to write insecure code, tip off a friend to report the bug, and split the bounty. Assigning value and criteria for payment is a balance: generous enough to motivate skilled hunters to make high-quality submissions, without incentivizing dishonest behavior, and reasonable enough that the program remains cost-effective and you are not overwhelmed with low-level submissions.
Choose the right crowdsourcing approach
There are different levels of crowdsourcing you can employ in a bug bounty program. Opening the program up to everyone on the internet is likely to produce a high volume of submissions that can lead to faster results. However, you will need to be sure you have the internal resources to sift through the noise to find the quality submissions and, more importantly, skilled resources to monitor the activity to differentiate between bug hunters and malicious attackers. A better option for many companies is to use a select group of familiar researchers who are more experienced and can reliably provide actionable intelligence.
Good bug bounty programs require considerable internal resources to design and implement effectively. If your company does not have available resources you can hire external vendors to manage the program on your behalf. Instituting a bug bounty program is a responsible and effective step to strengthen a company’s cyber defenses and protect its critical assets.
For further information, please contact:
Paul Jackson, Managing Director, Stroz Friedberg
pjackson@strozfriedberg.com
Bill Sims, Managing Director, Stroz Friedberg
bsims@strozfriedberg.com