Shedoesinfosec
Newcomer I

Bug Bounty

Hello all,

 

looking for your experience and knowledge on how you or your company handles Bug Bounty requests from those claiming to have found vulnerabilities on your company website.

 

Do you have an established Bug Bounty program?

What does your program include?

How do you engage with the reporter?

How do you verify their identity and their legitimacy?

What is the payment or reward for verified vulnerabilities?

 

Interested in what has worked and what has not worked.

 

Thanks.

 

5 Replies
rfkrishnan
Viewer

I've worked at two companies that have had their own bug bounty programs (full disclosure: each on their own platform).

 

If you want to receive vulnerabilities, you should be able to respond very rapidly and politely every single time.  If you can't treat every incoming report as your most important job that day, a reporter may take offense.  Every researcher should get professional treatment respecting their kind contribution.  The two major models are do it yourself and have someone do it for you.

 

I am personally happy to assist in any way, and can be reached at rkrishnan@synack.com.

 

If I say much more, I will sound like an annoying vendor engaged in self-promotion.

 

 

Shedoesinfosec
Newcomer I

Thank you very much for your response. I'll take what you've shared into consideration as we develop our strategies.

Azimuth
Viewer III

It really depends on the budget and time you have.

To sum up: a Bug Bounty process should be an addition to your company's vulnerability management program, but with a mature VM program you won't really need a Bug Bounty.

And you don't really need the whole program for that, only a process.

 

The key idea is to make sure that a reported bug is reviewed by the applicable sec team (with the dev team if applicable).

And scanning for vulnerabilities/bugs is performed periodically, by internal and/or external parties.

 

Don't deal with unknown "bug reporters". It is much cheaper to hire a well-known sec company that will use their tools and skills to check your stuff out there. Or, get your own expertise.

 

 

CEMyers
Newcomer III

Doesn't a "Bug Bounty" concept (potentially) encourage ransomware?

rslade
Influencer II

> CEMyers (Newcomer III) posted a new reply in Tech Talk on 07-22-2018 04:58 PM in the (ISC)² Community :

> Doesn't a "Bug Bounty" concept (potentially) encourage ransomware?

Oh, this debate goes back at least 30 years (in one form or another). Yes, we've seen where bounties, of various types, encouraged all kinds of malware. (I can't recall instances where it specifically promoted ransomware, but all kinds of malware, certainly.) Then there are the situations where your bounty isn't big enough, and somebody discovers something really big, and figures they can make more money exploiting it than taking your paltry bounty. Then there is the usual lack of specification and limitation on bounty programs, and companies who get hacked, claim "we didn't mean that!" and try to throw the researcher in jail.

I'm not a big fan of bounty programs.
