Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Edge Ask The Experts

11/14/2019
05:00 PM
Edge Editors
Edge Editors
Ask the Experts
50%
50%

I'm Setting Up a Bug-Bounty Program. What Should I be Thinking About?

Here are some important points to factor into your vulnerability disclosure policy.

Question: I'm setting up my company's first bug-bounty program. What should I be thinking about?

John Bock, vice president of threat research at Optiv Security: Having a basic vulnerability disclosure process ensures that people outside your organization understand how to inform you of vulnerabilities they have discovered. The lack of a readily identifiable route to the security team can result in having to deal with a disclosure under negative terms, instead of being able to properly manage it. 

That's why you'll want to validate your process with a self-assessment. You can do this on your own by setting up a non-organizational email account and sending a test "Disclosure" that aligns with your product or service. The test submission should go into a security reporting alias if you have one, plus all other mechanisms for someone in the public to contact you should have policies to forward potential vulnerability disclosure messages to the security team. 

As part of your vulnerability disclosure policy, you may want to include a catch-all bounty statement that indicates you give rewards for vulnerability submissions. This will give the individual who discovered the issue more reasons to tell you about it first. 

It's also important to set your rewards and bounty program to meet the common standard of your industry peers. Prior to launch, you should also run every available open source vulnerability scanner and whatever commercial tools you have available. You want to make sure you won't be paying out bounties for trivial bugs. In addition, if your product generates false positives with certain tools, it will save time during triage.

Last, keep in mind that the researcher who discloses a vulnerability may not have been the first person to discover it and they have wandered around the environment more than they included in their report. If the bounty includes production environments or products with versions that were already in production, you will want to do a quick pass through the logs to check if it had been previously exploited. 

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Name That Toon: The Lights Are On ...
Flash Poll