Operating a bug bounty programme may seem intimidating to a newcomer, but the reality is even a smaller firm can successfully create and run one with the end result being a stronger and safer product.
Adam Ruddermann, practice director, bug bounty services for NCC Group, in a talk at what was part of the inaugural bug bounty summit held at Black Hat, gave a run down on some of the basics that an organisation needs to have in place to have a functional programme. The most important and first step that needs to be taken is dispensing with some of the basic fears associated with actively recruiting people to find flaws in a product or service.
This particularly comes to light when a severe problem is disclosed and finds its way into the news. Ruddermann said many companies worry about what the world at large will think.
"Bug bounties are opportunities, not risks. It is a time when you can demonstrate an organisations commitment to improve and make the internet safer," he said.
However, before this point is reached there are several structures that need to be put in place by the company.First is deciding whether or not to make it a public or private bug bounty programme and how to integrate it into a regular vulnerability disclosure programme (VDP). Ruddermann said a bug bounty programme and a VDP have many similarities, but are really two different animals with the latter having a monetary incentive attached.
For most companies a public programme will work fine, but a private set up, which entails reaching out to a specific group of researchers, can be better for testing a specific piece of software. The goals and scope of the programme must also be set with some opting for a limited run programme for a certain project or to simply leave it broad and open ended.
Once the decision is made to move forward a channel has to be created for bounty hunters to contact the company with their findings. Ruddermann said this can range from posting an email address to having a submission form online.
Other factors that have to be taken into consideration once bugs are being reported is how to deal with them internally. People have to be assigned to accept the finding, prove it is truly an issue, triage and then fix the issue and finally push it through to be resolved.
While these steps are being taken, it’s important for the company not to lose touch with the hunter. Rudermann pointed out how vulnerable these people can feel as the bug they found percolates through a company’s system. He believes regular communications with the finders is extremely important and could stop them from going public with the bug they found before the company is ready.
This communication can be as simple as a form email that just notifies the hunter that they have not been forgotten and that the company will be in contact with them shortly. Also, letting the person know it’s ok for them to get in contact with the company to discuss any fears.
This article was originally published on SC Media US.