7 BUG BOUNTY MYTHS, BUSTED
Utilizing the power of the crowd
Attackers only need to exploit one security flaw to compromise an organization, while organizations must be able to defend against all potential flaws. Security teams are resource constrained; hackers aren’t.
Bug bounties harness the power of a crowd to augment your
Busting 7 common bug bounty myths
The bug bounty model, although incredibly powerful, is still continuing to gain traction and overcome misconceptions. In this guide we will address seven of the most common myths we’ve heard surrounding the bug bounty model.
1. All bug bounty programs are ‘public’
2. Only tech companies run bug bounties
3. Running a bounty program is too risky
4. Bug bounties don’t attract talented testers
5. They don’t yield high-value results
6. They’re too costly and hard to budget for
7. Bounty programs are too hard to manage
Myth #1: All bug bounty programs are ‘public’
False. Today, the majority of bug bounty programs are invite-only programs.
Since 1995, bug bounty programs have offered organizations a radically improved method for vulnerability discovery. Organizations such as Google, Facebook, Microsoft
and others revolutionized application security by launching public bug bounty programs. Bug bounties have come a long way from these initial public, open-to-anyone
contests that were popularized by those tech giants. The biggest change in the bug bounty model has been the addition of private programs.
Who can participate in private programs?
Bugcrowd has a large, skilled crowd of global security researchers coming from all walks of life, and varying degrees of experience in security research and bug hunting. Anyone can sign up to become a Bugcrowd researcher to participate in public bug bounty programs. As bug hunters submit bugs to public programs, climb the ranks within the community, and prove their trustworthiness, they may gain access to private programs.
Bugcrowd researchers are vetted and measured in four areas: activity, quality, impact, and trust. Only the top performers who have proven their skill and trustworthiness receive invitations to private programs.
[Figure: Private Program Launches vs. Public Program Launches over time]
Myth #2: Only tech companies run bug bounties
False. The bug bounty model has evolved to be effective and flexible for organizations of virtually any size or type.
While they have been used for over 20 years, widespread adoption of the bug bounty model by enterprise organizations has just begun to take off within the last few years.
Private and public bug bounty programs provide an opportunity to level the cybersecurity playing field—by arming complex organizations with the strength and expertise to
combat constant external threats. Companies of all sizes, and from all industries can now realize this advantage.
Our public programs run the gamut from B2B technology companies such as Barracuda and consumer Internet companies such as Pinterest to companies in more conservative industries such as Western Union in financial services and automotive manufacturers such as Fiat Chrysler Automobiles.
TODAY OVER 25% OF BOUNTY PROGRAMS ARE LAUNCHED BY MORE TRADITIONAL VERTICALS SUCH AS FINANCIAL SERVICES.
[Figure: The History of Bug Bounties: Abbreviated Timeline from 1995 to Present. Panels: Early Bug Bounties, Breakthrough in Bug Bounties, Modern Bug Bounties. Years: 1995, 2002, 2004, 2005, 2007, 2010, 2011, 2012, 2013, 2014, 2015, 2016]
READ MORE ABOUT THE HISTORY AND EVOLUTION OF BUG BOUNTIES.
Why are private programs spearheading this diversification?
Beyond just public programs, private programs have been instrumental in the broader adoption of the bug bounty model. They have allowed a wider range of organizations to utilize the bug bounty model for various reasons:
• Ability to invite only the most trusted and vetted researchers, including ID or background checked researchers when necessary
• Focus testing more narrowly based on specific skill sets
• Organizations with lower risk tolerance may utilize a private crowd to get buy-in from internal legal and procurement departments more easily
• Limit exposure to personally identifiable information
• Test applications that are not publicly accessible
Learn more about the different uses for private and public programs.
© BUGCROWD INC. 2016
Myth #3: Running a bounty program is too risky
False. With a trusted partner, running a bug bounty program is no more risky than other, traditional security assessment methods.
Although the bug bounty model is gaining steady traction, many organizations are still concerned about ‘putting a target on their back.’ Simply put, these perceived risks are
tied to the volume of external testers and the level of control that can be retained.
Your organization should operate on the simple premise that the risk of being vulnerable greatly outweighs the risks associated with running a bug bounty program. Granting permission for security research is a great way to receive more vulnerability findings, giving your organization more knowledge and control, and ultimately reducing risk.
“YOU CAN VERY WELL QUANTIFY AND CONTROL FOR THE RISKS AND REWARDS OF USING THE CROWD, SUCH THAT IN THE END, THE LEGAL EXPOSURE THAT AN ORGANIZATION HAS FROM USING THE CROWD IS BASICALLY THE SAME AS IT WOULD HAVE FROM ANY OTHER MEANS OF PEN TESTING THAT YOU MIGHT TRADITIONALLY BUY FROM A PEN TESTING PROVIDER.”
How does Bugcrowd mitigate the risks associated with running a bug bounty program?
Running a bug bounty program with a trusted partner lowers potential risk, as all community members follow a set of rules, outlining acceptable and unacceptable behavior. However, if the idea of opening up testing to the community-at-large is too much for your organization right now, you can run a private program with a select group of vetted researchers. The bug bounty model has adapted to meet the needs of companies with a wide range of risk tolerance.
Read more about bug bounty adoption in our State of Bug Bounty Report.
THAN .0005% OUT OF ALL SUBMISSIONS
with Bugcrowd’s Standard Disclosure Terms which outlines acceptable and unacceptable behavior. In the event of a public disclosure incident–although rare and usually unintended–our team reaches out to the crowd member to ask them to remove the public information and notify them of the consequences of unauthorized disclosure. We reserve the right to issue a warning and/or removal of access to elements of the Bugcrowd platform on a temporary or permanent basis depending on the severity of the violation.
Organizations also have the option to run private programs to utilize strictly vetted and trusted researchers.
Myth #4: Bug bounties don’t attract talented testers
False. Many of our bug hunters are the most talented security researchers in the world, and many are full-time security professionals.
Although in public bug bounty programs there is no way to verify the combined talent or skill being utilized at any given time, the bug bounty model leverages volume
to increase the quantity of skilled people being applied, and based on experience the volume of high-value results radically improves as a result. For our customers who
require a more refined crowd with specific skill-sets, we run private programs with a skills-vetted and trusted crowd.
Get the report, Inside the Mind of a Hacker, to learn more about their motivations.
Myth #5: They don’t yield high-value results
False. Bug bounties help organizations uncover high-quality vulnerabilities missed by traditional security assessment methods.
It’s important to remember that the majority of organizations that we’ve helped run bug bounties have already had robust security testing programs in place, including
automation and penetration testing, but we still find solid results, and usually within the first 24 hours.
In the past several months the average priority across all vulnerabilities has increased as more complex targets are tested, the community of bug hunters learn and improve, and more talent is attracted to the Bugcrowd community.
ON AVERAGE, A P1 VULNERABILITY, THE MOST SEVERE BUG, IS SUBMITTED EVERY 27 HOURS. LEARN MORE ABOUT VULNERABILITY PRIORITY IN OUR VRT.
Read the State of Bug Bounty Report to see the breakdown of vulnerabilities by criticality and type.
Myth #6: They’re too costly and hard to budget for
False. You can control your bug bounty budget, and we help make the best suggestion for your organization.
While the bug bounty market continues to evolve, the key to success remains the same: to run a successful bounty program you must attract the right researchers. Often, attracting the right talent includes offering rewards. Without guidance, offering rewards and managing a budget for a bug bounty program presents organizations with a set of unknowns–a legitimate concern that can be easily mitigated with the support of a trusted partner.
Bugs start in development, and yes, finding a bug in the wild is more expensive to fix than it is in development. There is no such thing as 100% secure code–vulnerabilities will always get past vulnerability scanners, your team, and yes, your penetration test firm of choice. Bug bounties catch those bugs, but they don’t have to be “blank check” affairs–we can help you manage your budget from start to finish.
“EFFICIENCY AND EFFECTIVENESS OF THE CROWD IS REALLY WHY WE BRING THEM ON… BECAUSE WE HAVE THE CROWD INVOLVED IN THE VULNERABILITY MANAGEMENT PROGRAM, IT’S HELPED IN EXPANDING OF OUR TEAM FOR A FRACTION OF THE COST. NOW MY INTERNAL RESOURCES ARE BETTER UTILIZED.” DAVID BAKER, CSO, OKTA
How can I manage the costs throughout the lifecycle of my program?
There are many knobs and levers you can tweak to optimize the success of your program and minimize unknown variables such as cost.
1. Articulate what you do and don’t want to be tested by defining a clear scope, focus areas and exclusions. Learn more about the Anatomy of a Bounty Brief.
2. Decide how you want to run your program–private or public. You may want to start private to limit your testing pool. Our On-Demand Program offers organizations a capped-cost project-based option to engage the crowd.
3. Determine your incentive program. You may start by offering Kudos only at first, adding and increasing cash rewards throughout the lifetime of your program.
WE’LL WORK WITH YOU ONE-ON-ONE TO DETERMINE WHICH BOUNTY SOLUTION BEST FITS YOUR NEEDS. LEARN MORE ABOUT OUR BUG BOUNTY SOLUTIONS.
How do you determine the reward range for bounty payouts?
Security maturity and submission priority are the most important variables when determining the appropriate value of a bug and give enough information to decide on a baseline reward range.
Learn more about What’s A Bug Worth.
Myth #7: Bounty programs are too hard to manage
False. With a trusted partner, bug bounty programs are easy, efficient and effective. You receive ready-to-fix, high value bugs.
We have run successful bug bounty programs for hundreds of organizations with the help of our all-in-one vulnerability disclosure platform, Crowdcontrol. We also have the world’s
most experienced team of application security experts and vulnerability disclosure space leaders to help make each program successful based on your needs.
What is Crowdcontrol?
Crowdcontrol connects your security team with Bugcrowd’s diverse and skilled crowd of trusted hackers. From start to finish,
our platform makes running a bug bounty program efficient and valuable.
• Set up and customize your bounty program, private or public, ongoing or time-boxed
• Connect and communicate with researchers participating in your program
• Crowdcontrol monitors activity, analyzing and categorizing submissions as they come in
• Reward researchers quickly and seamlessly for submitting valid bugs to your program
• Integrate with your development tools to ensure bugs get fixed promptly
• See program data and trends through easy to understand reporting dashboards
We will make sure you’re prepared when your program goes live–setting a clear and thoughtful scope, making budgeting and reward recommendations based on your company’s capabilities, and aligning expectations. During the life of your program, you’ll only receive actionable insights–our application security team gives triaged submissions a detailed review and your dedicated account manager works with your team continuously.
Learn more about how Crowdcontrol supports our bug bounty solutions.
GETTING STARTED
Want to learn more about how your organization can leverage the bug bounty model to start discovering
The pioneer and innovator in crowdsourced security testing for the enterprise, Bugcrowd harnesses the power of tens of thousands of security researchers to surface critical software vulnerabilities and level the