Cybersecurity and application security are among the most popular and well-covered topics on the web. There is plenty of information about patching systems, writing robust tests, securing code, and everything else related to keeping your data and applications safe. But what happens when you need a security expert to help investigate a particularly tricky issue, or a talented application security engineer to help secure your mobile apps? Where do you start?
Most companies, especially large enterprises, have a security team that handles the nitty-gritty of intrusion detection, vulnerability assessment, and penetration testing. What many enterprises lack is someone whose full-time job is to engage outside hackers, and reward them, for finding vulnerabilities in the company's products.
That's where bug bounty programs come in. These programs pay hackers for finding and responsibly reporting security issues in a company's products and services. If you're interested in creating or sponsoring a bug bounty program at your company, there are a few steps to follow.
Set the right rewards
When setting up a bug bounty program, you first need to decide how much you're willing to spend on rewards and how they scale with severity. One of the biggest mistakes companies make is setting rewards that don't match their budget or their ability to triage: rewards that are too generous can drain the budget before the program has run its course, and rewards that are too low give researchers no incentive to report at all. The size of the reward does not change what a malicious attacker does; what keeps well-intentioned researchers inside the lines is a clear scope, rules that prohibit accessing or exfiltrating real user data beyond what is needed to demonstrate the issue, and a safe-harbor statement that good-faith testing within those rules will not be treated as an attack. Start conservatively; you can raise rewards once the program is live and you have a feel for the volume and quality of reports.
For smaller companies, it's perfectly acceptable to offer lower rewards. If you're a software company with little revenue, you might start with a $500 bounty for the lowest-severity qualifying bug and work up to a $5,000 bounty for the most critical issue, such as one that exposes customer data or allows remote code execution. (For more information on how to set up a bug bounty program, see our previous article, "How to create a bug bounty program at your enterprise level.")
Determine what types of issues you'll look for
Once you've set the rewards, decide what types of issues the program will accept. For instance, if your product is a web or mobile application, you might reward only issues that affect those platforms, and explicitly exclude things like denial-of-service testing or findings against third-party services you don't control. (If you're not sure what to include, ask your security team or a member of your technical team; they can suggest the issue classes most relevant to your products.)
If you're a web company, for instance, you might look for cross-site scripting (XSS) issues or SQL injection against your database. Your technical team or security experts can help you build a list of the most common and critical issues to look out for, along with a severity scale (critical, high, medium, low) that maps each class to a reward tier.
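To make those two issue classes concrete for whoever writes the scope, here is an added example (not from the original article) showing the vulnerable and hardened form of each in Python. It uses only the standard library's sqlite3 and html modules and a constructed in-memory users table; the function and table names are assumptions for illustration.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data (not from the article): a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # SQL injection: the user-supplied value is spliced into the statement,
    # so a quote in the input changes the query's structure.
    query = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    # Parameterized query: the driver sends the value separately from the
    # statement, so it can only ever be compared as data.
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(name):
    # Reflected XSS: the value lands in HTML without escaping.
    return f"<p>Welcome, {name}!</p>"


def render_safe(name):
    # html.escape turns <, >, &, " and ' into entities, so the browser
    # renders the text instead of executing it as markup.
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def demo():
    """Run the classic payloads against both forms; returns the results."""
    conn = make_db()
    sqli_payload = "x' OR '1'='1"
    xss_payload = "<script>alert(1)</script>"
    return {
        "sqli_vulnerable_rows": len(lookup_vulnerable(conn, sqli_payload)),
        "sqli_safe_rows": len(lookup_safe(conn, sqli_payload)),
        "xss_vulnerable": render_vulnerable(xss_payload),
        "xss_safe": render_safe(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

A report that qualifies under such a scope would typically include the payload, the request it was sent in, and what came back; the vulnerable forms above return every row of the table for the SQL payload and echo the script tag intact, while the hardened forms return nothing for the payload and render it as inert text.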
Choose your security experts
The next step is to choose the security experts who will triage and validate the reports that come in. When it comes to reproducing and fixing security issues, nothing beats experience, so choose someone with significant hacking experience who can quickly learn your platform(s). Even an expert known as the best in the industry may not be able to help with every specific issue, so plan an escalation path to the developers who own the affected code.
Companies often turn to a large security firm, such as Accenture, HP, or Blue Coat, that has the expertise to investigate an issue and help fix it. If you go this route, make sure the tester is independent of the team that built the product, so they can give unbiased advice about your program and about the results of their work.
Create a process for reporting issues
Once you've established a team of experts to look into reported issues, you need a process for receiving and handling reports. As the owner of the bug bounty program, it's your job to make sure each report is properly documented (affected component, steps to reproduce, impact, and the researcher's proof of concept) and that the relevant information reaches the experts who will fix it. (Keep all documentation and communication about the program separate from your regular operations. This helps keep the program objective and lets you rely on the findings of the researcher who reported the issue.)
Depending on how complex the issue is, it might take your security expert a while to fix. In that case, it's up to you to track the issue and keep the researcher updated, since a reporter who hears nothing is more likely to lose interest or disclose on their own. Rewarding hackers for finding security issues takes some extra management, but in the end you'll have a productive relationship with an outside researcher who helped keep your data and your applications safe.