Bug Bounty Program

Bug bounty programs allow independent security researchers to report bugs to an organization and receive rewards or compensation. These bugs are usually security vulnerabilities (often accompanied by a proof-of-concept exploit), though they can also include process issues, hardware flaws, and so on.

Why do researchers and hackers participate in bug bounty programs?

Finding and reporting bugs via a bug bounty program can result in both cash rewards and recognition. Bug bounty programs and responsible disclosure programs are extremely beneficial for Microsoft, and for organizations in general, because they give curious people a legal and positive way to express their curiosity. For researchers this can be a full-time income, income to supplement a job, or a way to show off their skills and land a full-time job.

To launch your own bug bounty program, preparation is key. Below are 10 actionable steps you can take to get started.

STEP 1 > Launch A Vulnerability Disclosure Program Without Monetary Benefits
A vulnerability disclosure program is a well-defined mechanism outsiders can use to safely report security findings to the security team: a published contact channel, clear rules on what testing is and is not permitted, and a commitment not to pursue legal action against researchers who follow those rules. Setting one up without payouts attracts fewer participants and can be used to launch the program at a smaller scale. It allows security teams to get used to receiving input from people outside of the fold.
STEP 2 > Carefully Craft and Communicate the Scope and Pricing of Your Program
The rules for a bug bounty program must be clearly defined for all participants: which assets are in scope and which are explicitly out of scope, which vulnerability classes are eligible, how severity is rated, and what each severity tier pays. Clear communication helps ensure that the organization gets what it wants out of the program and that participants are satisfied, because they will have accurate expectations of the process and payment.
STEP 3 > Decide On a Public or Private Program
A public program is open to anyone; a private program is limited to a vetted, invited set of researchers. The more people looking for bugs in your system, the more submissions you are going to get. That sounds like a good thing, but it comes with challenges. More submissions mean you have to provide more responses, evaluate more discoveries, validate more findings, quickly remediate more valid vulnerabilities, and manage payments to more individuals.
STEP 4 > Set Up a Testing Environment Dedicated to The Program
Establish an isolated, segregated, and well-segmented test environment for the bug bounty program. This bug bounty test environment (BBTE) should not have any links to the organization's Dev/QA/Prod environments, to avoid any impact to business. It does, however, need to mirror production closely enough (same code version, comparable configuration, realistic but non-sensitive test data) that findings in the BBTE are representative of real exposure rather than artifacts of the test setup.
STEP 5 > Plan For Blackout Dates and Quiet Periods
The program may need blackout dates when you do not want outsiders testing your code, and quiet periods following a bug discovery to ensure the issue is resolved before it is publicized. Changes and updates may also require time for internal due diligence before being made available for public testing.
STEP 6 > Gain Support from the C-Suite, Legal Team, Communications Department, Developers, Security Monitoring Team, and Others
A bug bounty program involves many company departments. It needs the executive team to provide financial support for administrative costs and bounties. It needs human resources and finance to oversee employment- and tax-related tasks such as sending 1099 forms. It needs communications and marketing assistance to publicize the program. It needs legal assistance for writing the documents that define the program and the company's relationship with bounty hunters. It needs developers willing to incorporate bug fixes into new software versions. And it needs the security monitoring team to build additional detection capabilities for the production environment while the relevant team rolls out a patch.
STEP 7 > Start With a Small-Scale Test
Before launching the bug bounty program, test it with a limited pool of bug bounty hunters, a limited scope of the environment, and a limited budget. This way, adjustments to scope, pricing, and triage process can be made before widespread roll-out.
STEP 8 > Hire Sufficient Staff
For a bug bounty program to be effective, an organization needs enough technical and administrative staff to support it, in particular people who can triage and reproduce submissions promptly. The IT or information security team may not have the availability to support a full-time bug bounty program in addition to their business-as-usual responsibilities.
STEP 9 > Market The Program
If the bug bounty program is public, it must be marketed like any other product, service, or job opening to attract the right talent. Identify websites, schools, and other venues where security researchers congregate and communicate to them in a way that attracts their curiosity and problem-solving skills.
STEP 10 > Be Ready to Act on The Disclosures
This may be the most important step. When you learn of a critical bug, that knowledge can quickly turn into a liability if the issue is not rapidly resolved: the vulnerability is now known outside the organization, and a researcher who receives no response may disclose it publicly. Without remediation readiness, including agreed response and fix timelines per severity, your risk management program could flip and actually introduce risk.
