topic Bug Bounty in Tech Talk

Bug Bounty

Shedoesinfosec — Thu, 05 Apr 2018 19:27:25 GMT

Hello all,

looking for your experience and knowledge on how you or your company handles Bug Bounty requests from those claiming to have found vulnerabilities on your company website.

Do you have an established Bug Bounty program?

What does your program include?

How do you engaged with the reporter?

How do you verify their identity and their legitimacy?

What is the payment or reward for verified vulnerabilities?

Interested in what has worked and what has not worked.

Thanks.

Re: Bug Bounty

rfkrishnan — Fri, 06 Apr 2018 02:29:08 GMT

I've worked at two companies that have had their own bug bounty programs (full disclosure: each on their own platform).

If you want to receive vulnerabilities, you should be able to respond very rapidly and politely every single time. If you can't treat every incoming report as your most important job that day, a reporter may take offense. Every researcher should get professional treatment respecting their kind contribution. The two major models are do it yourself and have someone do it for you.

I am personally happy to assist in any way, and can be reached at rkrishnan@synack.com.

If I say much more, I will sound like an annoying vendor engaged in self-promotion.

Re: Bug Bounty

Shedoesinfosec — Mon, 09 Apr 2018 13:16:10 GMT

Thank you very much for your response. I'll take what you've shared into consideration as we develop our strategies.

Re: Bug Bounty

Azimuth — Tue, 10 Apr 2018 20:41:56 GMT

It is really depends on the budget and time you have.

To sum up- Bug Bounty process should be addition to your company's vulnerability management program, but with mature VM program you wont really need a Bug Bounty.

And you dont really need the whole program for that- only process.

The key idea is to make sure that bug reported is reviewed by applicable sec team (with dev team if applicable).

And scanning for vulnerabilities/bugs are performed periodically- by internal and/or external parties.

Dont deal with unknown "bug reporters". It is much cheaper to hire well known sec company which will use their tools and skills to check you stuff otta there. Or, get own expertise.

Re: Bug Bounty

CEMyers — Sun, 22 Jul 2018 20:58:44 GMT

Doesn't a "Bug Bounty" concept (potentially) encourage ransomware?

Re: Bug Bounty

rslade — Mon, 23 Jul 2018 19:04:13 GMT

> CEMyers (Newcomer III) posted a new reply in Tech Talk on 07-22-2018 04:58 PM in the (ISC)Â² Community :

> Doesn't a "Bug Bounty" concept (potentially) encourage ransomware?

Oh, this debate goes back at least 30 years (in one form or another). Yes, we've
seen where boounties, of various types, encouraged all kinds of malware. (I can't
recall instances where it specifically promoted ransomware, but all kinds of
malware, certainly.) Then there's the situations where your bounty isn't big
enough, and somebody discovers something really big, and figures they can make
more money exploiting it than taking your paltry bounty. Then there is the usual
lack of specification and limitation on bounty programs, and companies who get
hacked, claim "we didn't mean that!" and try to throw the researcher in jail.

I'm not a big fan of bounty programs.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
If God had intended man to fly, He would never have given us the TSA
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade