A pragmatic guide to building your bug bounty program

Part 3: The value in building relationships with bug bounty reporters

Elliot Colquhoun
Airwallex Engineering
5 min read · Jun 17, 2022


In part one of this series, I provided a pragmatic approach to starting your bug bounty program, addressing the pitfalls you might experience, and offering suggestions on how to maximise the number of useful reports.

Part two covered budgets, payments, and how to deal with beg bounties.

The final instalment will focus on how to engage bug bounty hunters to improve the quality of reported bugs.

Opening the door to bug bounty hunters with better findings

As you issue rewards for valuable bug bounty reports, you’ll start to see the same bug bounty reporters coming back with increasingly interesting findings. The quality of their reports will improve. Their proof of concept scripts will get a bit easier to understand (you’re learning how to work with them too!), and they’ll start to offer up early warning reports while they confirm the scope and impact.

Once you find someone who recognises that their efforts will be rewarded, they dig deeper, become more familiar with the product and services, and can start chaining things together in ways that increase the value of their findings.

Over time, you’ll develop a small group of people constantly poking at your product, and sending you reports that you have more trust in. You spend less time validating and more time improving the security of your product.

Remember, this doesn’t come for free! As the security team at a company, you need to invest time in relationship management and encourage their activity. When someone submits multiple interesting findings, I usually reach out to them personally and learn more about them. This involves scheduling a call over Zoom and asking about their background, what motivated them to get involved in APPSEC/penetration testing, how they learn, etc.

I also ask them about our product — they’ve tried breaking it, where do they think we are strongest and weakest? Finally, I let them know that we really value their reports and prioritise them (which we do!).

Building these relationships makes our security team more effective. Whenever we release a new product, or publish a new API endpoint, I know there are a handful of credible people that will scan and try to break it. And if they do, they submit a report which will be higher quality than most others we receive, and we will prioritise investigation and remediation. We also provide them with direction — if they’re credible, we point them at areas of our product that we think might be higher risk.

By far, the best part of relationship building is the people — completely changing how I see bug bounty hunters…

Enter, Siddharth.

Siddharth is a college student from India, currently studying computer systems engineering. During COVID, he found himself unable to go to university, and had a lot of time at home. He found APPSEC/penetration testing interesting, and started teaching himself.

In 2021, Siddharth submitted a couple of bug reports to our bug bounty program. His reports were better written than most, and the bugs combined different APIs in ways that we hadn’t thought about. After we reviewed and rewarded these reports, I hopped on a Zoom call with him, chatted about his background and what his goals were, and asked how we could help him find more bugs and earn more bounties. I pointed him towards some services that we had recently published, and he started producing non-vulnerability reports too — reports showing what he tried and what didn’t work.

It quickly became clear that we were getting a lot of benefit from the attention, so we brought Siddharth onboard to pen-test our products for a fixed number of hours per week.

Instead of rewarding bounties per finding, we pay him a fixed rate, and we get more value — we don’t just get bug reports, but also routine reports about where there don’t seem to be any bugs. We also connected him with other members of our engineering team so that he can explain how he found each bug directly, and he can ask them questions about how our services work to find more complex and valuable bugs.

While chatting with Siddharth, I asked him what he was planning to do after he graduates from university. His response was that he plans to move overseas to complete his master’s degree in penetration testing and application security — and his bug bounty rewards are going directly to his university fees.

It’s easy for us to reduce bug bounty reports down to an email address and a bug. But we need to remember that there’s a human on the other side. Effort needs to be reciprocated, and if someone takes the time to improve the security of your product and/or company, it’s worth taking time to get to know them.

In security, we lament that we’re all deeply under-resourced. Spending time to engage with credible people — whether an interview, at a recruiting event, or someone submitting a bug report to your bug bounty program — is a low-cost, and high-value way to help reduce the pressure. Even if they’re not a great fit for your team, or you don’t have headcount to hire them, we’re still able to collectively increase the number and quality of security people in the world by simply engaging.

Overall, getting to know the bug bounty hunters who are putting in effort pays far more than just security gains. Building relationships has brought bug bounty reporters closer to our teams, ultimately building more value.

It’s a great way to find and grow talent, wherever they are in the world, and get even more value out of your bug bounty program.

Conclusion

To wrap up this three-part series on setting up your bug bounty program:

  • Bug bounty programs aren’t as simple as you might like, but when done right they’re high impact and relatively low cost
  • Make sure you set clear bug bounty terms (internally and externally) from day one
  • Set internal guidelines for how much you’re willing to pay for bugs of a given severity. It’s better to have these before you get the reports
  • Don’t waste time on beg bounties — automated response emails are your friend, and time is likely your most scarce resource
  • Build relationships with the bug bounty hunters who are making an effort. Symbiotic relationships will have the best and most impactful results.
