what’s best for your business?
Organizations are adopting bug bounty programs more and more as part of a layered security strategy to address the skills gap and to help their security budget go further. But should you run a program in-house or outsource to a bug bounty program provider? This blog will take you through the setup process and explain where the value from a bug bounty platform comes into play.
The right bug bounty program brings the following benefits:
- Transparency: Running a bug bounty program signals that security is highly valued within the company, and that the company is prepared to engage with the ethical hacking community, not only to enhance security for its own environments but also for the benefit of its customers and partners.
- Continuous testing: Rather than a point-in-time test that can miss vulnerabilities introduced after it ends, a bug bounty program runs nonstop and reduces real-world risk.
- Skillset: Access to security talent from across the globe, with diverse skills that most organizations cannot hire in-house.
- Cost reduction: You pay for validated, impactful findings rather than for tester time, unlike traditional time-based testing, which you pay for whether or not it produces results.
- Faster identification: With many researchers testing the environment simultaneously, gaps are discovered sooner.
The good news? Planning and setting up your bug bounty doesn’t have to be difficult!
The first task to form your bug bounty program is to identify what needs to be included within the scope. Anything from APIs, mobile apps, web apps, or even certain hardware products can be included.
The second task is to identify and list all assets that are out of scope for testing. This could include specific features or functionalities that the company does not want a hacker to touch, or an area that was recently tested, so the budget is better spent elsewhere.
The third task is to decide whether there are specific vulnerability classes to prioritize. Different industries and regions are susceptible to different types of attack, which makes a tailored approach more effective.
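The three scoping tasks above produce a document that researchers must be able to apply unambiguously to any target. As an added example (not Intigriti's code or scope format; all domains, paths and notes are constructed for illustration), here is the scope encoded as data with a checker that enforces the usual precedence rule: an out-of-scope entry always wins over an in-scope entry, so a carve-out for a payments feature or a recently tested subdomain can sit inside a wildcard without re-opening it.

```python
"""
Added example: a bug bounty scope as data, plus a checker.
Not Intigriti's code; the assets, paths and notes are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlparse


@dataclass(frozen=True)
class ScopeRule:
    asset_type: str            # e.g. "web", "api", "mobile", "hardware"
    pattern: str               # host pattern; "*.example.com" matches subdomains only
    paths: tuple = ("*",)      # path globs; an out-of-scope rule can name one feature
    note: str = ""             # why the rule exists (shown to the researcher)


@dataclass
class Scope:
    in_scope: list
    out_of_scope: list

    @staticmethod
    def _host_match(rule, host):
        # "*.example.com" matches "a.example.com" and "a.b.example.com" but not the
        # bare apex; list the apex explicitly if it is in scope.
        if rule.pattern.startswith("*."):
            return host.endswith(rule.pattern[1:]) and host != rule.pattern[2:]
        return host == rule.pattern

    def _matches(self, rules, asset_type, host, path):
        return [r for r in rules
                if r.asset_type == asset_type
                and self._host_match(r, host)
                and any(fnmatchcase(path, p) for p in r.paths)]

    def check(self, asset_type, url):
        """Return (verdict, note); out-of-scope rules take precedence."""
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path or "/"
        excluded = self._matches(self.out_of_scope, asset_type, host, path)
        if excluded:
            return ("out_of_scope", excluded[0].note)
        included = self._matches(self.in_scope, asset_type, host, path)
        if included:
            return ("in_scope", included[0].note)
        return ("unlisted", "not covered by the program; do not test")


# Constructed scope for a hypothetical program (assumption, not a real target list).
PROGRAM = Scope(
    in_scope=[
        ScopeRule("web", "*.example.com", note="all production web apps"),
        ScopeRule("web", "example.com", note="marketing site"),
        ScopeRule("api", "api.example.com", paths=("/v2/*",), note="public API v2"),
    ],
    out_of_scope=[
        ScopeRule("web", "*.example.com", paths=("/checkout/*",),
                  note="payments feature: do not test"),
        ScopeRule("web", "legacy.example.com", note="pentested last quarter"),
        ScopeRule("api", "api.example.com", paths=("/v1/*",),
                  note="deprecated API, being decommissioned"),
    ],
)

if __name__ == "__main__":
    for asset_type, url in [
        ("web", "https://app.example.com/login"),
        ("web", "https://app.example.com/checkout/pay"),
        ("web", "https://legacy.example.com/"),
        ("api", "https://api.example.com/v1/users"),
        ("api", "https://api.example.com/v3/users"),
    ]:
        verdict, note = PROGRAM.check(asset_type, url)
        print(f"{asset_type:4} {url:45} {verdict:13} {note}")
```

Keeping the reason on each rule matters in practice: a researcher who sees "pentested last quarter" rather than a bare exclusion is less likely to argue a duplicate and more likely to move on to the assets you want covered.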
Working with a bug bounty provider like Intigriti gives you an expert security team that helps define the scope, build the asset list, and prioritize assets by where a vulnerability would cause the most damage, drawing on experience with similar customers.
In addition to the scoping document, you will need rules of engagement that spell out any techniques you do not want used. These could include using a finding to gain further unauthorized access, exfiltrating data, or causing service disruption.
‘By default, researchers from the Intigriti platform are bound to certain rules. For example, researchers cannot use methods of DDoS attacks or social engineering; they must disclose vulnerabilities immediately and cannot disclose information without written consent in the platform. It can be useful to add some restrictions to explain how you expect researchers to behave and what they can expect from you.’ – Rules of Engagement and Testing requirements.
Be sure to strike a balance between openness and protection. You do not want to stifle the work of the ethical hackers, but you can equally set parameters that keep them away from elements you do not want tested.
Putting in place comprehensive terms and conditions and making elements such as SLAs, submission guidelines, communication, and disclosure rules clear is paramount to avoid any legal issues that could arise. Partnering with a bug bounty platform provider removes the burden of setting up legal frameworks yourself, offering established, robust legal structures that account for varying locations, jurisdictions, and company policies.
Setting a concrete reward structure for your bug bounty program is very important. Why? If the researcher finds a critical or exceptional vulnerability but is not paid fairly for the find, they’re likely to disengage.
Map the severity and impact of reported vulnerabilities onto a tiered reward system so that every valid finding is rewarded fairly.
Clearly define how and when payments will be made, to save any confusion or doubt, and be completely transparent with your ethical hacking team.
Many customers turn to bug bounty providers for safe, fast payment processing for researchers. This ensures payment is made in days rather than weeks or longer. When companies try to pay an ethical hacker directly without KYR (Know Your Researcher) screening in place, payments are processed more slowly, which often leads to lower engagement.
‘In an analysis of bug bounty programs, a trio of academic researchers concluded that the programs were cheaper to run than hiring expert security researchers to find software vulnerabilities. Vulnerability rewards programs can range anywhere from two to hundreds of times more cost-effective than hiring expert security researchers to find vulnerabilities.’ – SecurityWeek.
Measure the success of your bug bounty program by monitoring KPIs. These can include tracking statistics like:
- The number of valid reports
- The number of reported vulnerabilities
- The average response time (how long it takes your team to respond to highlighted vulnerabilities)
- The number of payouts and the frequency of payouts
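The KPIs above are easy to compute badly: a report still waiting for its first response has no response timestamp, and silently dropping it from the average hides exactly the delay you are trying to measure. As an added example (not Intigriti's reporting, and the records, severities and the 24-hour first-response SLA are all constructed assumptions), here is a small calculator that counts open reports against the current time and flags SLA breaches alongside the usual totals.

```python
"""
Added example: bug bounty KPIs from a handful of constructed report records.
Not Intigriti's reporting; the records and the SLA value are assumptions.
"""
from datetime import datetime, timedelta
from statistics import mean, median
from collections import Counter

FIRST_RESPONSE_SLA = timedelta(hours=24)   # assumed program SLA for first response

# Constructed sample records (not real reports). Timestamps are ISO 8601, payout in EUR.
REPORTS = [
    {"id": "R-1", "submitted": "2024-03-01T09:00", "first_response": "2024-03-01T13:30",
     "status": "valid", "severity": "high", "payout": 1500},
    {"id": "R-2", "submitted": "2024-03-02T08:00", "first_response": "2024-03-04T10:00",
     "status": "valid", "severity": "medium", "payout": 500},
    {"id": "R-3", "submitted": "2024-03-02T11:00", "first_response": "2024-03-02T12:00",
     "status": "duplicate", "severity": "low", "payout": 0},
    {"id": "R-4", "submitted": "2024-03-03T16:00", "first_response": "2024-03-03T18:00",
     "status": "invalid", "severity": None, "payout": 0},
    {"id": "R-5", "submitted": "2024-03-05T07:00", "first_response": None,
     "status": "triaging", "severity": None, "payout": 0},
]


def response_hours(report, now):
    """Hours from submission to first response; an open report counts up to `now`."""
    end = datetime.fromisoformat(report["first_response"]) if report["first_response"] else now
    return (end - datetime.fromisoformat(report["submitted"])).total_seconds() / 3600


def compute_kpis(reports, now):
    """Return the KPIs from the text plus SLA breaches, open reports included."""
    valid = [r for r in reports if r["status"] == "valid"]
    paid = [r for r in valid if r["payout"] > 0]
    hours = {r["id"]: response_hours(r, now) for r in reports}
    sla_hours = FIRST_RESPONSE_SLA.total_seconds() / 3600
    return {
        "reports_received": len(reports),
        "valid_reports": len(valid),
        "signal_ratio": round(len(valid) / len(reports), 2) if reports else 0.0,
        "valid_by_severity": dict(Counter(r["severity"] for r in valid)),
        "avg_first_response_hours": round(mean(hours.values()), 1),
        "median_first_response_hours": round(median(hours.values()), 1),
        "sla_breaches": sorted(i for i, h in hours.items() if h > sla_hours),
        "payouts": len(paid),
        "total_paid": sum(r["payout"] for r in paid),
    }


if __name__ == "__main__":
    for key, value in compute_kpis(REPORTS, datetime.fromisoformat("2024-03-06T09:00")).items():
        print(f"{key:28} {value}")
```

Reporting the median next to the mean is deliberate: one slow report (R-2 here) moves the mean from a few hours to the high teens, while the median still tells you what a typical researcher experienced. The breach list is what to act on; the averages are what to trend.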
Regularly review and adapt the scope, reward structure, and processes so they stay effective and relevant. Keeping tabs on the challenges you face makes it clearer when to expand or contract the scope, raise or lower rewards, and relax or tighten the rules.
Intigriti’s streamlined, bespoke reporting is built for our customers’ needs, to supply reports and data to enhance their visibility and simplify actions.
An effective bug bounty program requires both strategic and technical effort to understand organizational security priorities, scope, and structures. It also requires consistent communication and education to build trust with ethical hackers and keep them engaged.
Consider what you want from your bug bounty program, and make sure to look for a platform that offers the following elements:
Bühler, a Swiss multinational plant equipment manufacturer known for food processing and advanced materials manufacturing services, highlighted that ‘by using Intigriti bug bounty, it streamlined the entire compensation process, alleviating Bühler’s legal and administrative burdens by managing payouts and necessary identity checks.’ – Exploring Bühler’s strategic collaboration with Intigriti.
Also look for:
- A robust triage process and validation of reports. For more information regarding the impact of triage when setting up your bug bounty program, read this blog.
- Developer collaboration for patching.
When executed correctly, a bug bounty program can significantly strengthen defences. But success will depend on a balance between security, engagement, and transparency. Keep goals clear-cut, guidelines firm, and communication open.
Given the complexity of systems, protocols, and experience required, as well as the amount of time good triage takes, the best approach to running your organization’s bug bounty program is almost always through a dedicated bug bounty platform, like Intigriti. You get the best of all worlds: a fun, educational program; improved cybersecurity; and the time-consuming process of triage handled by experienced experts.
For more tips and tricks on how to implement your bug bounty program, reach out to the team here.