What is a Bug Bounty program?
For the past few years, we have witnessed a growing number of so-called Bug Bounty programs, also known as Vulnerability Reward Programs (VRPs). They are mainly based on rewarding researchers for identifying vulnerabilities in corporate IT systems and then reporting them under a code of good practice referred to as Responsible Disclosure Guidelines, which aims to prevent the identified vulnerabilities from being disclosed before they are fixed.
Usually, hackers and researchers report vulnerabilities to organizations out of altruism, some simply to make the Internet safer, and others to gain fame and recognition while developing their skills.
An increasing number of companies with a more mature security model are implementing red team practices or vulnerability reward programs. The immediate benefit of having hundreds of researchers trying to identify vulnerabilities is the possibility of detecting and fixing a large number of system bugs, while awakening your organization to the importance of security.
How to start a Bug Bounty program
Not so long ago, only a few companies were able to launch a bug bounty program, since a full-time multidisciplinary team was required to implement it efficiently. Today, there are several online alternatives that offer their clients certain infrastructure and the ability to contact white hat hackers, acting merely as intermediaries and not offering any value-added service.
Tarlogic approaches this type of service as complete management of the program in every phase, so it can be seamlessly integrated as an additional data source into the client’s existing vulnerability management processes, using the same interfaces – issue ticketing tool, reporting system, etc.
Tarlogic will provide you with a team of experts to handle technical and program coordination tasks. The team will be flexible, and the number of dedicated analysts will depend on the volume of reports received, as well as their complexity.
A full-time assigned team leader will be the single point of contact. This leader will be familiar with your organization, as well as with the different departments involved in resolving system flaws, since he will also be in charge of coordinating and executing the follow-up activities. In any case, your company’s CISO will determine the level of integration with the company’s existing management processes and tools, or whether an ad-hoc service is preferred.
Bug Bounty Considerations
In order to participate in the Bug Bounty program, researchers should observe a set of predefined rules. Although there are certain differences depending on whether a program is centered on a product or on an online service, the following example describes an online service program, as it is the most common:
- Program scope and duration. Restrictions on the program scope and the establishment of a long-term or indefinite program.
- Test types allowed. Whether denial-of-service tests, social engineering, and automatic tools that generate excessive network traffic or server load are permitted.
- Minimum acceptance criteria and threshold. Accepted types of vulnerabilities, specifying whether only immediate-impact vulnerabilities will be rewarded, or also hardening recommendations.
- Reward format. Set minimum and maximum award amounts, or otherwise specify the type of non-monetary rewards and other forms of acknowledgment and recognition, such as the researcher’s induction into the “hall of fame”.
- Contact instructions. Specify the required contact means and channels, as well as the response notifications expected for each phase.
- Confidentiality and privacy. The researchers shall not disclose any information related to the vulnerability found until it has been fixed.
- Participants. Prevent employees and employees’ family members from participating in the program; establish a minimum age or require parent/guardian authorization for minors.
- Intellectual property. The researcher will remain the owner of the information sent to the company. However, the researcher will grant the company irrevocable, perpetual, unlimited rights to make use of the information received.
- At the beginning of the program, the indicators needed for appropriate program follow-up will be defined together with the company’s person in charge of IT security, including the distribution and criticality of the vulnerabilities across different assets, technologies and areas of the organization.
Our Bug Bounty program management service is mainly targeted at software developers seeking to push their products to the limit to protect their clients, as well as at all those organizations, both public and private, looking to ensure their online-accessible infrastructures are thoroughly analyzed for vulnerabilities.