Bug bounties have continued to grab headlines over the years – as evidenced by the fact that we’ve seen a 40% growth in engagements over the last year alone. As bug bounty engagements move towards becoming more of a necessity (as opposed to a nice-to-have), it’s increasingly important to be aware of the nuances surrounding how to make a bug bounty engagement as successful as possible.
Running a successful engagement starts well before the actual launch, and is a continuous and iterative process. If you’re running the engagement on your own, or starting with a vendor, what core concepts and fundamentals do you REALLY need to know?
Here are Bugcrowd’s 5 tips and tricks for running a successful bug bounty engagement:
Tip #1: Get buy-in early
- This is crucial when it comes to running a successful bug bounty engagement. As noted above, a successful one actually starts well before it goes live. Getting internal buy-in all throughout, and from the top of the organization, is the best way to ensure all parties are aligned on goals and business needs – so that when the time comes to execute, all stakeholders are in agreement.
Tip #2: Own your engagement
- Your bug bounty engagement can only ever be as good as the people running it. What this means is that if you’re running one, it pays dividends on dividends to be invested in the success of the engagement yourself. From transparent interactions with researchers to quick response times, showing researchers that you take your engagement seriously is much more likely to result in their reciprocation. Working with your researchers and building those relationships is absolutely key to ensuring researchers not only participate now but also come back and continue to participate over time.
Tip #3: Don’t underestimate the power of scope and rewards
- Be aware of the fact that researchers have a litany of engagements available to them at any given time. As much as they’re competing to be the first to find a given issue, you’re also competing with the other engagement owners out there for the researcher’s time and attention. To this end, when building out your engagement, always ask yourself: “Is this something I would want to test against?”, “Would this engagement be fundamentally attractive to me, as a security researcher?”, “Does this engagement brief have all the information I’d need to be successful?”, and “As a security professional, are these rewards something that would incentivize me to invest time here?” If the answer to any of these is less than a resounding “yes”, go back to the drawing board until it is.
Tip #4: Remember to set expectations
- Expectations are everything. In building the brief, we absolutely have to make sure that we’re setting proper expectations around scope, rewards, vulnerability priorities, timelines, etc. – and then living up to those expectations once the engagement goes live. Any time there’s an issue on an engagement, it’s almost exclusively due to a breach of expectations, where the researcher expected one thing and the engagement owner did another. Clearly outlining expectations out of the gate helps us avoid problems later on down the road.
Tip #5: Have a plan
- Finally, and very similar to point #1, it’s key to know what the plan is for the engagement when certain things happen. For example, what happens when a high-priority submission comes in? Or when there is a deluge of findings, or simply more submissions than were expected? How will those situations be handled, and which responsibilities fall to whom? Having a plan in advance allows us to avoid the common pitfall where, after starting an engagement, the engagement owner has to figure out the process as things go, which often results in a slow or unpleasant experience for researchers. As we’ve discussed before, we want researchers to have the best experience possible, so that they a) continue to test, and b) come back and test more over time. These plans don’t have to be perfect, as there’s definitely a learning curve, but having a framework is a whole lot better than just “winging it” when these situations arise.
So if you’re planning to start a managed bug bounty engagement at your organization, keep these tips and tricks in mind, and you’ll be well ahead of the curve.