How to avoid nasty flies in your bug bounty program

Bug bounties are increasing in popularity, but are there any steps to consider to ensure you keep any annoying flies at bay? Let’s take a quick look.  

Late last week, Google told security researchers that they have upped the bug bounty reward, making it significantly more attractive for researchers to invest in bug hunting.

Media reports cite that Google has received more than 8,500 security bug reports since the launch of its Chrome Vulnerability Rewards Program, way back in 2010. Apparently, more than five million dollars has been paid out to researchers in eight or so years.

Hmmm 

Five million might sound like a wad of cash, but Google is no ordinary company. In 2010 alone, Statista estimates Google’s ad revenues to be in the 26.24 billion range. 

And on top of that, consider the amount of money and headaches Google avoided via this bug bounty program. By being forewarned about glitches and gaping holes in its products and services, the tech giant was able to make its wares more secure, as well as maintain user trust. 

Does five million not seem like the teeniest tiniest drop in the ocean?

And this is why it is such good news that the company has started making strides in the right direction, increasing rewards. The maximum baseline reward has tripled in value from $5,000 to $15,000, while high-quality reports describing serious vulnerabilities can earn white hat hackers up to $30,000.

Google are not alone. Microsoft this week announced the launch of a new bug bounty program for its Dynamics 365 enterprise resource planning (ERP) and customer relationship management (CRM) applications.

And Tesla recently agreed to pay a large bug bounty for a cross-site scripting (XSS) vulnerability in one of its backend apps that allowed authorized third parties access to vital car statistics. 

And with such well-known companies investing more in bug bounties, other firms are asking themselves whether they are missing a trick by not investing in a bug-finding program.

Now there are many ways to establish a bug bounty program. You could, for example, create your own program or tweak a trusted template. You could run an internal private program, or open the doors with a third party, either on an ‘invitation only’ basis or as a fully public bug bounty program. 

There are costs and benefits to each approach, but having experienced bug bounty program experts on hand at the initial stages will save you a lot of time, resource waste and money. 

However, if a bug bounty program is poorly designed or mismanaged, it can lead to decreased ROI, all while stressing out the workers managing the program and eating your hard-earned pennies like they were candy. Seasoned information security experts, such as those at TBG Security, can guide you based on your organization’s risk assessment, as well as help you set all the parameters and guidelines for reporting bugs. 

Whatever approach you take, you will need to have a way to process and handle the bug reports that come in. If you have a public bug bounty program, and your program is appropriately funded for researchers, you may get a wonderful avalanche of reports, and these need both efficient and effective processing. 

For example, some risk assessors prefer a triage system. First, weed out the unaccepted submissions: those that lack the required information or contain no genuine findings. Then each accepted bug report needs to be assessed for its effect on overall operational risk, which includes impact on privacy, integrity and availability. 

In these instances, quick emergency work is usually given priority, closely followed by more considered reviews of larger long-term problems that could leave the organization vulnerable. 

The best tip that has been shared with me is knowing how to ascertain whether a reported bug is likely to pose an issue for the firm running the network(s). You may get hundreds or thousands of reports depending on your system’s size and complexity. 

Filtering these reports correctly allows you to focus on the ones deemed the biggest threat to your business’s integrity. Doing this with ROI in mind benefits greatly from a seasoned risk assessment expert. 
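The two-stage triage described above, as an added illustration rather than any tooling from the article or from TBG Security: incomplete submissions are rejected first, and accepted reports are then split into an emergency queue and a review queue ranked by impact on privacy, integrity and availability. The required fields, the 0 to 3 impact scale, the scoring formula and the sample reports are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Fields a submission must fill in before it is accepted for assessment (assumed set).
REQUIRED_FIELDS = ("title", "affected_asset", "steps_to_reproduce", "impact")


@dataclass
class Report:
    report_id: str
    fields: dict
    # Assessed impact per operational dimension, 0 (none) to 3 (severe); assumed scale.
    privacy: int = 0
    integrity: int = 0
    availability: int = 0


def missing_fields(report):
    """Names of required fields that are absent or empty in the submission."""
    return [f for f in REQUIRED_FIELDS if not report.fields.get(f)]


def risk_score(report):
    """Operational risk: the worst dimension dominates, the others break ties."""
    dims = (report.privacy, report.integrity, report.availability)
    return max(dims) * 10 + sum(dims)


def triage(reports, emergency_level=3):
    """Stage 1 rejects incomplete reports; stage 2 sorts accepted ones into an
    emergency queue (any dimension at emergency_level) and a review queue,
    each ordered by descending risk score, then by id for a stable order."""
    rejected, emergency, review = [], [], []
    for r in reports:
        missing = missing_fields(r)
        if missing:
            rejected.append((r.report_id, missing))
            continue
        worst = max(r.privacy, r.integrity, r.availability)
        (emergency if worst >= emergency_level else review).append(r)
    key = lambda r: (-risk_score(r), r.report_id)
    return {"rejected": rejected,
            "emergency": sorted(emergency, key=key),
            "review": sorted(review, key=key)}


# Constructed sample submissions; none of these describe a real system.
SAMPLE = [
    Report("R-1", {"title": "Stored XSS in dashboard", "affected_asset": "portal",
                   "steps_to_reproduce": "documented", "impact": "session theft"}, privacy=3, integrity=2),
    Report("R-2", {"title": "Something looks wrong"}),  # incomplete: no asset, steps or impact
    Report("R-3", {"title": "Rate-limit bypass", "affected_asset": "api",
                   "steps_to_reproduce": "documented", "impact": "service degradation"}, availability=2),
    Report("R-4", {"title": "Verbose error page", "affected_asset": "api",
                   "steps_to_reproduce": "documented", "impact": "minor info leak"}, privacy=1),
]
```

Running `triage(SAMPLE)` rejects R-2 for missing fields, places R-1 in the emergency queue, and orders the review queue R-3 then R-4.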

Want to learn more? Get in touch with us. We are here to help.
