Bug Bounty Program

What is a Bug Bounty Program?

A bug bounty program is a crowd-sourcing initiative that allows an individual to earn rewards by discovering and reporting software bugs or vulnerabilities that could be exploited. Most organizations that seek services through a bug bounty program are also looking to perform internal code audits and penetration tests in order to assess their vulnerability management plans and strategies.

Ethical hackers can help you detect vulnerabilities in your business before the bad guys find your weaknesses. Running a bug bounty program is a smart way to find software or configuration errors that hide from developers and security teams, before those errors lead to a massive fallout.

The bug reports submitted by the hacker usually include enough information for the organization (the one paying the bounty) to reproduce the scenario in which the vulnerability appears.

Bug bounty program lifecycle

1. Bug bounty brief

The company or business selects a bounty platform, such as Bug Zero, and creates a brief covering the rules of researcher engagement, information about the company, what it is concerned with (what it is looking for and what it is not looking for), and the pricing levels.

2. Program launch

The company publishes the brief on the chosen bounty page.

3. Start of the program

This marks the start of security testing of the software: detecting bugs and reporting them. The report should describe in detail how to exploit the detected vulnerability, and it should be submitted only through the chosen platform.

4. Triage team

The bug bounty platform includes an in-house cyber-security triage team. The team consists of high-profile specialists and skilled personnel who verify whether the reported bugs are accurate and determine what level of security the company will need.

5. Fixing the bugs

After the company has received the detailed report and the fix, the researcher who found the bug receives the payment, and at the end of the process his or her reputation points are adjusted accordingly.

Advantages of Bug Bounty Programs

  • Bug bounties are open for continuous testing. Each time you make a change or add new functionality, it will be evaluated without having to sign up or wait for your next penetration test. This allows you to constantly have an up-to-date understanding of your risk.

  • If your organization signs up for a bug bounty program, you will likely have several experts in specific vulnerabilities evaluating your application/network since bug bounty hunters are paid not for the amount of work they do, but rather for the vulnerabilities they discover.

  • You will have thousands of testers evaluating your program. With more testers there is a greater chance of exploring every vulnerability, which multiplies the potential manpower of traditional security assessment methods.

  • Companies using traditional testing methods usually have to pay for the effort required for testing, regardless of what results are found. Bug bounties, by contrast, use a pay-for-results model, ensuring that only valid findings are paid for rather than effort.

  • Creates a culture that is more open towards information security practices.
