How to start your own bug-bounty program

Code vulnerabilities and other entry points for hackers exist in your systems. Why not use hackers to help find and fix them?

It’s no secret the cybersecurity industry has a skills gap. Read any report that looks at hiring in the security field across the world and the only difference is the size of the shortage. According to last year’s Global Information Security Workforce Study (GISWS), the global shortfall is expected to be 1.8 million by 2022—a 20 percent increase since 2015.

One way to overcome this ongoing lack of cyber skills is to supplement your existing security staff with external people. A new wave of companies, including HackerOne, Bugcrowd, and Synackare offering communities of hackers ready to test your systems and report their findings in exchange for cash rewards.

But where do you start when launching such a bug-bounty scheme?

Stage 1: Establish a vulnerability disclosure program

The very first stage is simply having a vulnerability disclosure program (VDP) in place. Hacking companies outside of the confines of an official penetration test or bug bounty program has long been a legal gray area for hackers, even if their intentions are purely academic or altruistic. Many companies, include PwC, FireEye, Cisco, and DJI,have taken legal action against people who have found vulnerabilities.

This lack of clarity and safety was one of the reasons Michiel Prins founded HackerOne. “I was doing penetration testing and noticed was a lot of times you wanted to do a good and tell a company about a vulnerability but it was very hard. Nobody had contact information about how you can reach security teams, and it can also be dangerous because you never know what’s going to happen: Are they going to send a lawyer or are they going to go to law enforcement? You never know what’s going to happen even when you’re trying to do the good thing.”

To continue reading this article register now

How to choose a low-code development platform