SlideShare a Scribd company logo

5 Tips to Successfully Running a Bug Bounty Program

bugcrowd, profile picture
bugcrowd

The document outlines five key tips for running a successful bug bounty program, emphasizing the importance of preparation, aligning expectations, and maintaining communication with researchers. It highlights the need to reward submitters for changes and to respect the researchers' efforts in order to foster a productive relationship. Additionally, the document addresses common concerns and misconceptions about implementing bug bounty programs, providing insights into their effectiveness compared to traditional penetration testing.

Internet
Related topics:
Application Security Security Testing Internet Security
1 of 18
Downloaded 29 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
! ! 5 TIPS FOR A SUCCESSFUL BUG BOUNTY The premier platform for crowdsourced cybersecurity. casey@bugcrowd.com jcran@bugcrowd.com
! All content (c) Bugcrowd Inc, 2014 - All rights reserved. the problem Without crowdsourcing, security is not a fair fight. HACKED HACKED HACKED HACKED HACKED HACKED
! All content (c) Bugcrowd Inc, 2014 - All rights reserved. about your presenters @caseyjohnellis Founder and CEO, Bugcrowd Recovering pentester turned solution architect turned sales guy turned entrepreneur Founder and CEO of Bugcrowd @jcran VP Delivery, Bugcrowd Bugcrowd bounty hunter turned Bugcrowd employee. Former positions with @Rapid7, @Metasploit, @PwnieExpress
CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. Why aren’t you running one already? “I don’t have resources now, let alone to do this.” Crowdcontrol was built to maximize the efficiency of a bug bounty, and we a triage team of 8 people. “I can’t cap my spend.” Bugcrowd Flex let’s you run a point in time or ongoing bug bounty with a capped cost. “I won’t be able to pause or stop the program if I ever need to.” We can route researcher traffic through the Crowdcontrol Sandbox for total control. “Payments to all those countries would be a nightmare.” It totally is. That’s why we got good at it, so you don’t have to. “I won’t be able to tell whether it’s bounty traffic or an actual attack.” The Crowdcontrol Sandbox gives a single source IP, so you can. “I won’t know who these people are.” Bugcrowd’s Elite tier have proven track record on public bounties, and we vet them into that tier.
CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. bug bounties are awesome, but hard.
CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. bugcrowd at Work Crowdsourced security to fit your needs Free Responsible Disclosure Capped cost Ad-hoc or continuous Elite tier researchers Flex Bounty Continuous testing Monthly fee + transaction fee Bug Bounty
! All content (c) Bugcrowd Inc, 2014 - All rights reserved. DOES IT WORK? Traditional penetration test Bugcrowd Flex Cost $20,000 $20,000 # of researchers 1 349 Manhours 80 80… in the first 8 elapsed hours Vulnerabilities 5 38 P1 issues 0 7
CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. the one mistake everyone makes • People assume that 80% of the work will go into dealing with the new vulnerabilities they’ve found out about. • 80% of the work goes into dealing with the people. • If you don’t factor this into your planning, your program will fail.
CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. 5 Keys to a successful program • Prepare ahead of time • Align expectations • Communicate early and often • If you make a change, reward the submitter • Respect the researcher
CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. Preparation • A bug bounty will affect your entire organization • Start with low rewards • Accidental bug bounties are the worst • Running out of budget on the program is no fun
CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. Align expectations • A clear program brief is your first line of communication • Proactively communicate what you’d like to see • When processing submissions, you should be able to point to prior communication when rejecting or rewarding a submission • The only time you’ll have issues is if an expectation goes unmet
CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved.
CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. Communicate early and often • This is the mistake everyone makes:! • Bug bounties are all about managing the researcher relationship! • Let the researcher know what to expect. Stick to your word • In the absence of communication, suspicion is king • It’s not hard, but requires diligence
CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. Make a change, reward the submitter • “Touch the code, pay the bug” • This has become a community norm • It’s a binary yes / no • Even if its out of scope
CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. Respect the researcher • The researcher is taking a significant risk • Many are inexperienced, some are not • Treat everyone the same. Even the researchers that don’t provide valuable submissions • Close the loop on all incoming submissions
Questions?
Want a demo? Ping us!!!
@caseyjohnellis and @jcran https://bugcrowd.com casey@bugcrowd.com jcran@bugcrowd.com

More Related Content

PDF
Bug bounty programs
Dan Vasile
 
PPTX
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
bugcrowd
 
PDF
How to run a kick ass bug bounty program - Node Summit 2013
bugcrowd
 
PDF
[Webinar] The Art & Value of Bug Bounty Programs
bugcrowd
 
PDF
Bug Bounty - Hackers Job
Arbin Godar
 
PPTX
7 Bug Bounty Myths, BUSTED
bugcrowd
 
PDF
4 Reasons to Crowdsource Your Pen Test
bugcrowd
 
PDF
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 
Bug bounty programs
Dan Vasile
 
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
bugcrowd
 
How to run a kick ass bug bounty program - Node Summit 2013
bugcrowd
 
[Webinar] The Art & Value of Bug Bounty Programs
bugcrowd
 
Bug Bounty - Hackers Job
Arbin Godar
 
7 Bug Bounty Myths, BUSTED
bugcrowd
 
4 Reasons to Crowdsource Your Pen Test
bugcrowd
 
Mobile Application Security Threats through the Eyes of the Attacker
bugcrowd
 

What's hot (20)

PPTX
Build or Buy: The Barracuda Bug Bounty Story [Webinar]
bugcrowd
 
PDF
Writing vuln reports that maximize payouts - Nullcon 2016
bugcrowd
 
PDF
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bugcrowd
 
PPTX
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
bugcrowd
 
PDF
Hackfest presentation.pptx
Peter Yaworski
 
PPTX
Bug Bounty - Play For Money
Shubham Gupta
 
PDF
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Mazin Ahmed
 
PDF
Revitalizing Product Securtiy at Zephyr Health
bugcrowd
 
PDF
Key Takeaways from Instructure's Successful Bug Bounty Program
bugcrowd
 
PDF
Understanding Information Security Assessment Types
HackerOne
 
PDF
Shifting left: Continuous testing for better app quality and security
NowSecure
 
PDF
A Journey Into Pen-tester land: Myths or Facts!
Ammar WK
 
PDF
Deception in Cyber Security (League of Women in Cyber Security)
Phillip Maddux
 
PDF
Make it Fixable, Living with Risk (Paranoia 2017)
Patricia Aas
 
PDF
Make it Fixable (Security Divas 2017)
Patricia Aas
 
PPTX
A bug's life - Decoupled Drupal Security and Vulnerability Management
Balázs Tatár
 
PDF
Simplified Security Code Review Process
Sherif Koussa
 
PPTX
Continuous security testing - sharing responsibility
VodqaBLR
 
PDF
Amateur Hour: Why APTs Are The Least Of Your Worries
Ed Bellis
 
PDF
Blue team reboot - HackFest
Haydn Johnson
 
Build or Buy: The Barracuda Bug Bounty Story [Webinar]
bugcrowd
 
Writing vuln reports that maximize payouts - Nullcon 2016
bugcrowd
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bugcrowd
 
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
bugcrowd
 
Hackfest presentation.pptx
Peter Yaworski
 
Bug Bounty - Play For Money
Shubham Gupta
 
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Mazin Ahmed
 
Revitalizing Product Securtiy at Zephyr Health
bugcrowd
 
Key Takeaways from Instructure's Successful Bug Bounty Program
bugcrowd
 
Understanding Information Security Assessment Types
HackerOne
 
Shifting left: Continuous testing for better app quality and security
NowSecure
 
A Journey Into Pen-tester land: Myths or Facts!
Ammar WK
 
Deception in Cyber Security (League of Women in Cyber Security)
Phillip Maddux
 
Make it Fixable, Living with Risk (Paranoia 2017)
Patricia Aas
 
Make it Fixable (Security Divas 2017)
Patricia Aas
 
A bug's life - Decoupled Drupal Security and Vulnerability Management
Balázs Tatár
 
Simplified Security Code Review Process
Sherif Koussa
 
Continuous security testing - sharing responsibility
VodqaBLR
 
Amateur Hour: Why APTs Are The Least Of Your Worries
Ed Bellis
 
Blue team reboot - HackFest
Haydn Johnson
 
Ad

Viewers also liked (6)

PPTX
Bug bounty
n|u - The Open Security Community
 
PPTX
How to do well in Bug bounty programs. Presentation at @nullhyd by Abhijeth
Abhijeth D
 
PDF
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
PPTX
Post XSS Exploitation : Advanced Attacks and Remedies
Adwiteeya Agrawal
 
PPTX
Bug Bounty for - Beginners
Himanshu Kumar Das
 
PPTX
DevOps and Application Security
Shahee Mirza
 
Bug bounty
n|u - The Open Security Community
 
How to do well in Bug bounty programs. Presentation at @nullhyd by Abhijeth
Abhijeth D
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
Post XSS Exploitation : Advanced Attacks and Remedies
Adwiteeya Agrawal
 
Bug Bounty for - Beginners
Himanshu Kumar Das
 
DevOps and Application Security
Shahee Mirza
 
Ad

Similar to 5 Tips to Successfully Running a Bug Bounty Program (20)

DOCX
Earn Money from bug bounty
Jay Nagar
 
PPTX
Web Application Security And Getting Into Bug Bounties
kunwaratul hax0r
 
PPTX
Bug Bounty #Defconlucknow2016
Shubham Gupta
 
PDF
Vivint Wireless How to De-Risk a New Venture & Build a Better ISP - Luke L...
Lounge47
 
PPTX
2010 08 19 The Lean Startup TechAviv
Eric Ries
 
PPT
Bug Advocacy
Deepu S Nath
 
PDF
Seven Deadly Habits of Ineffective Software Managers
TechWell
 
PDF
Is it Safe? measuring product security goodness
Justin Berman
 
PPTX
2010 10 19 the lean startup workshop for i_gap ireland
Eric Ries
 
PDF
Beyond the Hack
plaurie
 
PPTX
2010 04 28 The Lean Startup webinar for the Lean Enterprise Institute
Eric Ries
 
PDF
10 Steps to Great Content
Atomic Reach
 
PPTX
2009 10 28 The Lean Startup In Paris
Eric Ries
 
PDF
Agile Metrics to Boost Software Quality improvement
XBOSoft
 
PDF
BugBounty Roadmap with Mohammed Adam
Mohammed Adam
 
PDF
apidays LIVE LONDON - How to spot a Zombie Developer Portal by Allan Knabe
apidays
 
PDF
BSides LA/PDX
leifdreizler
 
PDF
Fundamentals of crowdsourced testing
Nicholas Roberts
 
PDF
Mobile Apps 101
Matt Tanner
 
PDF
Developers are easy to sell to
Austin Gunter
 
Earn Money from bug bounty
Jay Nagar
 
Web Application Security And Getting Into Bug Bounties
kunwaratul hax0r
 
Bug Bounty #Defconlucknow2016
Shubham Gupta
 
Vivint Wireless How to De-Risk a New Venture & Build a Better ISP - Luke L...
Lounge47
 
2010 08 19 The Lean Startup TechAviv
Eric Ries
 
Bug Advocacy
Deepu S Nath
 
Seven Deadly Habits of Ineffective Software Managers
TechWell
 
Is it Safe? measuring product security goodness
Justin Berman
 
2010 10 19 the lean startup workshop for i_gap ireland
Eric Ries
 
Beyond the Hack
plaurie
 
2010 04 28 The Lean Startup webinar for the Lean Enterprise Institute
Eric Ries
 
10 Steps to Great Content
Atomic Reach
 
2009 10 28 The Lean Startup In Paris
Eric Ries
 
Agile Metrics to Boost Software Quality improvement
XBOSoft
 
BugBounty Roadmap with Mohammed Adam
Mohammed Adam
 
apidays LIVE LONDON - How to spot a Zombie Developer Portal by Allan Knabe
apidays
 
BSides LA/PDX
leifdreizler
 
Fundamentals of crowdsourced testing
Nicholas Roberts
 
Mobile Apps 101
Matt Tanner
 
Developers are easy to sell to
Austin Gunter
 

More from bugcrowd (9)

PDF
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
bugcrowd
 
PDF
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
PDF
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
bugcrowd
 
PPTX
AppSecUSA 2016: 'Your License for Bug Hunting Season'
bugcrowd
 
PDF
Bug Bounty Tipping Point: Strength in Numbers
bugcrowd
 
PDF
If You Can't Beat 'Em, Join 'Em
bugcrowd
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
PPTX
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
bugcrowd
 
PDF
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
bugcrowd
 
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
bugcrowd
 
AppSecUSA 2016: 'Your License for Bug Hunting Season'
bugcrowd
 
Bug Bounty Tipping Point: Strength in Numbers
bugcrowd
 
If You Can't Beat 'Em, Join 'Em
bugcrowd
 
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
bugcrowd
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 

Recently uploaded (20)

PPTX
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
PPTX
Internet___Basics___Styled_ presentation
poonam62133
 
PPTX
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
PDF
How to Ensure Data Integrity During Shopify Migration_ Best Practices for Sec...
CartCoders
 
PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
PDF
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
PDF
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
PDF
Cloud-Scale Log Monitoring _ Datadog.pdf
MuhammadDhomanhuriMa
 
PDF
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
PPTX
Funds Management Learning Material for Beg
NKKumar16
 
PDF
Testing WebRTC applications at scale.pdf
Giacomo Vacca
 
PDF
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
PDF
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
PDF
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
PPTX
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
PPT
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
PPTX
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
 
PPTX
artificial intelligence overview of it and more
yafotin445
 
PPTX
Job_Card_System_Styled_lorem_ipsum_.pptx
Jeffkigen
 
June-4-Sermon-Powerpoint.pptx USE THIS FOR YOUR MOTIVATION
KuyaRogie
 
Internet___Basics___Styled_ presentation
poonam62133
 
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
How to Ensure Data Integrity During Shopify Migration_ Best Practices for Sec...
CartCoders
 
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
Sims 4 Historia para lo sims 4 para jugar
lolpopy34
 
RPKI Status Update, presented by Makito Lay at IDNOG 10
APNIC
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
Cloud-Scale Log Monitoring _ Datadog.pdf
MuhammadDhomanhuriMa
 
SASE Traffic Flow - ZTNA Connector-1.pdf
mackwell7777
 
Funds Management Learning Material for Beg
NKKumar16
 
Testing WebRTC applications at scale.pdf
Giacomo Vacca
 
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
Unit-1 introduction to cyber security discuss about how to secure a system
shivangisharma636228
 
Tenda Login Guide: Access Your Router in 5 Easy Steps
tendawifi16
 
522797556-Unit-2-Temperature-measurement-1-1.pptx
msar8888
 
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
 
artificial intelligence overview of it and more
yafotin445
 
Job_Card_System_Styled_lorem_ipsum_.pptx
Jeffkigen
 

5 Tips to Successfully Running a Bug Bounty Program

  • 1. ! ! 5 TIPS FOR A SUCCESSFUL BUG BOUNTY The premier platform for crowdsourced cybersecurity. casey@bugcrowd.com jcran@bugcrowd.com
  • 2. ! All content (c) Bugcrowd Inc, 2014 - All rights reserved. the problem Without crowdsourcing, security is not a fair fight. HACKED HACKED HACKED HACKED HACKED HACKED
  • 3. ! All content (c) Bugcrowd Inc, 2014 - All rights reserved. about your presenters @caseyjohnellis Founder and CEO, Bugcrowd Recovering pentester turned solution architect turned sales guy turned entrepreneur Founder and CEO of Bugcrowd @jcran VP Delivery, Bugcrowd Bugcrowd bounty hunter turned Bugcrowd employee. Former positions with @Rapid7, @Metasploit, @PwnieExpress
  • 4. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. Why aren’t you running one already? “I don’t have resources now, let alone to do this.” Crowdcontrol was built to maximize the efficiency of a bug bounty, and we a triage team of 8 people. “I can’t cap my spend.” Bugcrowd Flex let’s you run a point in time or ongoing bug bounty with a capped cost. “I won’t be able to pause or stop the program if I ever need to.” We can route researcher traffic through the Crowdcontrol Sandbox for total control. “Payments to all those countries would be a nightmare.” It totally is. That’s why we got good at it, so you don’t have to. “I won’t be able to tell whether it’s bounty traffic or an actual attack.” The Crowdcontrol Sandbox gives a single source IP, so you can. “I won’t know who these people are.” Bugcrowd’s Elite tier have proven track record on public bounties, and we vet them into that tier.
  • 5. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. bug bounties are awesome, but hard.
  • 6. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. bugcrowd at Work Crowdsourced security to fit your needs Free Responsible Disclosure Capped cost Ad-hoc or continuous Elite tier researchers Flex Bounty Continuous testing Monthly fee + transaction fee Bug Bounty
  • 7. ! All content (c) Bugcrowd Inc, 2014 - All rights reserved. DOES IT WORK? Traditional penetration test Bugcrowd Flex Cost $20,000 $20,000 # of researchers 1 349 Manhours 80 80… in the first 8 elapsed hours Vulnerabilities 5 38 P1 issues 0 7
  • 8. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. the one mistake everyone makes • People assume that 80% of the work will go into dealing with the new vulnerabilities they’ve found out about. • 80% of the work goes into dealing with the people. • If you don’t factor this into your planning, your program will fail.
  • 9. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. 5 Keys to a successful program • Prepare ahead of time • Align expectations • Communicate early and often • If you make a change, reward the submitter • Respect the researcher
  • 10. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. Preparation • A bug bounty will affect your entire organization • Start with low rewards • Accidental bug bounties are the worst • Running out of budget on the program is no fun
  • 11. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. Align expectations • A clear program brief is your first line of communication • Proactively communicate what you’d like to see • When processing submissions, you should be able to point to prior communication when rejecting or rewarding a submission • The only time you’ll have issues is if an expectation goes unmet
  • 12. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved.
  • 13. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. Communicate early and often • This is the mistake everyone makes:! • Bug bounties are all about managing the researcher relationship! • Let the researcher know what to expect. Stick to your word • In the absence of communication, suspicion is king • It’s not hard, but requires diligence
  • 14. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. Make a change, reward the submitter • “Touch the code, pay the bug” • This has become a community norm • It’s a binary yes / no • Even if its out of scope
  • 15. CONFIDENTIAL. DO NOT DISTRIBUTE. All content (c) Bugcrowd Inc, 2014 - All rights reserved. Respect the researcher • The researcher is taking a significant risk • Many are inexperienced, some are not • Treat everyone the same. Even the researchers that don’t provide valuable submissions • Close the loop on all incoming submissions