How to start your own bug-bounty program

Code vulnerabilities and other entry points for hackers exist in your systems. Why not use hackers to help find and fix them?

It’s no secret the cybersecurity industry has a skills gap. Read any report that looks at hiring in the security field across the world and the only difference is the size of the shortage. According to last year’s Global Information Security Workforce Study (GISWS), the global shortfall is expected to be 1.8 million by 2022—a 20 percent increase since 2015.

One way to overcome this ongoing lack of cyber skills is to supplement your existing security staff with external people. A new wave of companies, including HackerOne, Bugcrowd, and Synackare offering communities of hackers ready to test your systems and report their findings in exchange for cash rewards.

But where do you start when launching such a bug-bounty scheme?

Stage 1: Establish a vulnerability disclosure program

The very first stage is simply having a vulnerability disclosure program (VDP) in place. Hacking companies outside of the confines of an official penetration test or bug bounty program has long been a legal gray area for hackers, even if their intentions are purely academic or altruistic. Many companies, include PwC, FireEye, Cisco, and DJI,have taken legal action against people who have found vulnerabilities.

This lack of clarity and safety was one of the reasons Michiel Prins founded HackerOne. “I was doing penetration testing and noticed was a lot of times you wanted to do a good and tell a company about a vulnerability but it was very hard. Nobody had contact information about how you can reach security teams, and it can also be dangerous because you never know what’s going to happen: Are they going to send a lawyer or are they going to go to law enforcement? You never know what’s going to happen even when you’re trying to do the good thing.”

According to HackerOne’s 2018 Hacker Report, 25 percent of respondents said they were unable to disclose a vulnerability due to the company in question not having an established VDP, thus without an avenue for ethical hackers to reach them without fear of reprisal. While the report says94 percent of the Forbes Global 2000 do not have a VDP in place, 72 percent of the hackers surveyed said companies have been more open to receiving vulnerability information in the last 12 months.

Establishing a VDP lets you create channels for hackers to report bugs without fear of reprisal while you implement processes for fixing issues. Dropbox has publisheda template that other companies can copy to ensure clarity on all sides when it comes to reporting vulnerabilities to the affected company.

In Stage 1, you are getting to grips with the concept, and there is often no reward offered.

Stage 2: Launch a small private bug-bounty scheme

The next step after establishing a VDP is to launch a small private bug-bounty scheme. In managed schemes, the likes of HackerOne and Bugcrowd will select a small group of highly rated hackers to participate. This way, you won’t be overloaded by submissions but will able to iron out initial kinks and develop solid workflows for dealing with vulnerabilities.

“That’s the pivotal moment when they start thinking about offering financial incentives to attract a lot more hackers and really have them dig deep into their systems because there’s a monetary incentive,” says HackerOne’s Prins. “It’s a very natural progression.”

Once a company reaches Stage 2, setting the right value of a bounty is important. “Hackers want to know approximately how much a bug is worth before they start investigating it,” says Bugcrowd CSO David Baker. “Reducing variation on pay-out amounts allows researchers to appropriately allocate their time and helps customers budget correctly for their programs.”

The lowest reward that HackerOne recommends is $100, with the average being around $500. The likes of Intel and Microsoft have offered more than $200,000 for especially serious vulnerabilities.

One such company using this model is software repository startup GitHub, which has run a bug bounty program since 2014. GitHub’s rewards for vulnerabilities range between $555 and $20,000. In 2014, the company fixed and rewarded 57 submissions for a total of $50,100; in 2015it was 102 submissions for a total of $95,300. In 2016, there were 73 valid submissions with $81,700 paid. And in 2017, 121 reports totaled $166,495 in reward money.These vulnerabilities have ranged from minor leaks of information to more serious authorization bypassing issues and injection vulnerabilities.

While companies can choose to run their own programs independently, the sheer number of hackers that an open scheme can attract mean an increasing number use intermediary platforms that can bring scale and standardization to the process and help manage the reward scheme. “The majority of self-run programs end up stalling out, losing researcher participation and confidence,” says Bugcrowd’s Baker. That’s the opportunity companies like his hope to address.

How to deal with the challenge of vulnerability disclosure at scale

A common challenge companies face when starting a bug-bounty program is scale. Companies used to a static and infrequent penetration test report can quickly become overwhelmed by a near-continuous stream of reports coming in.

“Most of our customers have a desire to run a bug bounty program that is fully public and open to everybody,” says Prins. “But you can’t do that right away because then you’re opening the floodgates and there’ll be way too much interest and you won’t be able to handle the number of reports and the number of vulnerabilities you need to fix.”

He says that much of the work is actually in analyzing and validating the reports that come in; checking that the claimed vulnerability isn’t a previously reported issue, checking the accuracy of the report, and assessing the severity.

GitHub’s Application Security team reviews the submissions, tries to reproduce the issues, and identify what risk each poses to the application or users. “After the submission has been validated, we open up an issue (bug tracking ticket) and triage it to the appropriate engineering teams for them to prioritize and fix the underlying issue,” says Greg Ose, application security manager at GitHub. “We then work with developers to ensure that the issue is properly fixed and that other areas of the application do not have similar problems.”

Ose says that while “a fair amount of time” is spent responding to and investigating submissions, it’s important to be responsive to submitters even if their reports do present a risk to users or data so they understand the reasoning. The company has common replies common low-risk submissions to help ensure consistent messaging and quickly close out common issues. “While the advantages outweigh the drawbacks, the bug bounty program requires significant effort to run smoothly and successfully.”

GitHub received 840 submissions in 2017, but Ose says the company has beensuccessfully able to scale the program to keep up with the growth in submissions.

How to vet ethical hackers and overcome reticence

Though one survey suggests nearly 60 percent of companies either have or would hire ex-hackers to help with security, many companies may have reservations about inviting people to poke around their systems, especially if they operate in a heavily regulated environment.

That’s another opportunity providers like Bugcrowd and HackerOne hope to address. Both have reputation scores that rate individuals on the quality and quantity of their submissions. Hackers with a good reputationare more likely to be invited onto private programs. HackerOne also offers something it calls “HackerOne clearance,” which has hackers undergo extra vetting such as background checks and identity verification if there’s a particularly sensitive program being run.

This story, "How to start your own bug-bounty program" was originally published by IDG Connect.

Copyright © 2018 IDG Communications, Inc.