Question: I'm setting up my company's first bug-bounty program. What should I be thinking about?
John Bock, vice president of threat research at Optiv Security: Having a basic vulnerability disclosure process ensures that people outside your organization understand how to inform you of vulnerabilities they have discovered. The lack of a readily identifiable route to the security team can result in having to deal with a disclosure under negative terms, instead of being able to properly manage it.
That's why you'll want to validate your process with a self-assessment. You can do this on your own by setting up a non-organizational email account and sending a test "Disclosure" that aligns with your product or service. The test submission should go into a security reporting alias if you have one, plus all other mechanisms for someone in the public to contact you should have policies to forward potential vulnerability disclosure messages to the security team.
As part of your vulnerability disclosure policy, you may want to include a catch-all bounty statement that indicates you give rewards for vulnerability submissions. This will give the individual who discovered the issue more reasons to tell you about it first.
It's also important to set your rewards and bounty program to meet the common standard of your industry peers. Prior to launch, you should also run every available open source vulnerability scanner and whatever commercial tools you have available. You want to make sure you won't be paying out bounties for trivial bugs. In addition, if your product generates false positives with certain tools, it will save time during triage.
Last, keep in mind that the researcher who discloses a vulnerability may not have been the first person to discover it and they have wandered around the environment more than they included in their report. If the bounty includes production environments or products with versions that were already in production, you will want to do a quick pass through the logs to check if it had been previously exploited.