Bug bounty programs – in which an agency or organization lets freelance hackers test their systems and report vulnerabilities for cash – are becoming all the rage in the public sector. Beginning with the Defense Department’s Hack the Pentagon program to the IRS’s managed crowdsource approach to the General Services Administration’s 18F standing up a software-as-a-service platform, the trend is spreading.
But, as with every new thing, there is a learning curve. During the 2017 Black Hat conference in Las Vegas, bug bounty program managers with three major companies – Indeed, Salesforce and Silent Circle – offered some advice to organizations standing up a program for the first time.
While the financial incentives are typically what define bug bounty programs, participants are rarely just in it for the money.
“It’s super important to go out into the community and find out what motivates them,” said Lori Rangel, director of product management for Silent Circle.
“One of the biggest challenges is understanding the value of a vulnerability,” she said. “My initial thought was that the dollar amount – the payout for a bounty – was the most important thing to the user community. [Now I’m] understanding the differences between a dollar value and reputation value.”
For many researchers in the bounty community, the prestige of finding a well-hidden flaw can be as important as the bounty itself, as reputation can lead to more opportunities in the future.
“Find out what their concerns are,” Rangel added. “That really builds your reputation, as well.”
Charles Valentine, vice president of technology services for the jobs website Indeed, pointed out that these are individuals, not companies you’ll be dealing with.
“This is not a business you’re talking with; it’s an individual,” he said. “So having somebody in place who has really good customer service skills to be able to communicate with that external person and bring it to a human level. So, not acting like a corporation. The communication should not be filtered by a legal department; it should be a human-to-human communication.”
Another important note: “In many cases … English is probably not their first language,” so be prepared.
Finally, if your internal security team isn’t equipped to remediate the bugs as they are discovered, what’s the point?
“One of the key things you need to have is a very mature OpSec practice,” said Angelo Prado, senior product security manager for Salesforce. “You need to have a very mature set of individuals who are able to understand risk, impact and are able to fix any vulnerabilities that come your way. Because, without that, you’re doing yourself a disservice. If you don’t have strong application security engineers, your program is not going to be successful.”