Level Up Your Bug Bounty Effectiveness: 3 Keys to Launch a Successful Program

In this two-part blog series, we’ll delve into strategies and tactics exhibited by dozens of enterprise customers over several years that can optimize the effectiveness of your bug bounty program.

This article will examine the three most important steps to consider when designing an effective strategy for a public or private bug bounty program.

Step 1: Define Program Success

Our new customers often say, “we want to receive lots of critical bugs.” The goal of a bounty program should be reducing risk, but this doesn’t always mean focusing solely on finding bugs with a high Common Vulnerability Scoring System (CVSS) base score. Ways in which bug bounty can provide value beyond high-severity bugs include:

  • Lower severity bugs chained together that enable a higher severity report.
  • The “discoverability” of a vulnerability, or how obvious it is from the outside.
  • Asset discovery.
  • Bug fix validation to confirm remediation and search for bypasses.

Every organization should define the goals for its program’s success. Consider the assets to be placed in scope, your organization’s industry and business model, controls or security testing already in place, and resource (time, money, and personnel) constraints.

Of course, report severity and volume also play a role in program success. Generally, programs should aim to encourage ethical hackers to submit vulnerabilities with business impact (CVSS base score + environmental score) and reward hackers accordingly.

Aligning a bounty program’s reward table with true business impact is key to demonstrating a high return on investment (ROI) to stakeholders.

Step 2: Set KPIs and Stick to Them

Bounty programs should use key performance indicators (KPIs) to define and measure success. Commonly used metrics for HackerOne customers include:

  • Volume of duplicate reports
  • Distribution of weakness types on individual assets or systems
  • Mean Time to Resolve (MTTR)

Each of these metrics can help confirm success or hint at underlying issues in an organization’s security posture. For example, a given weakness type appearing disproportionately on a single product line across an attack surface may indicate a design flaw or dependency issue. Depending on your organization’s needs, there are many more possible KPIs you could use to maintain an efficient, effective program that supports cybersecurity objectives. However, if you’re unsure, the three KPIs listed above are a good starting point.
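To make the three KPIs concrete, here is an added Python example (not from the original post or from HackerOne) that computes duplicate rate, the per-asset weakness distribution together with the "disproportionate concentration" check described above, and MTTR over a small constructed set of report records; the record fields, the 50% share and the minimum-of-three threshold are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of bounty reports (hypothetical values): id, asset, weakness type,
# state, submitted/resolved dates (ISO 8601) and the id of the original if a duplicate.
def rec(rid, asset, weakness, state, submitted, resolved=None, duplicate_of=None):
    return {"id": rid, "asset": asset, "weakness": weakness, "state": state,
            "submitted": submitted, "resolved": resolved, "duplicate_of": duplicate_of}

REPORTS = [
    rec(1, "api.example.com", "IDOR", "resolved", "2023-01-02", "2023-01-12"),
    rec(2, "api.example.com", "IDOR", "resolved", "2023-01-05", "2023-01-09"),
    rec(3, "api.example.com", "IDOR", "triaged", "2023-01-20"),
    rec(4, "www.example.com", "XSS", "resolved", "2023-01-03", "2023-01-05"),
    rec(5, "www.example.com", "XSS", "duplicate", "2023-01-04", duplicate_of=4),
    rec(6, "www.example.com", "IDOR", "resolved", "2023-01-10", "2023-01-18"),
    rec(7, "api.example.com", "XSS", "duplicate", "2023-01-06", duplicate_of=4),
]

def duplicate_rate(reports):
    """KPI 1: share of submissions closed as duplicates of an earlier report."""
    return sum(r["duplicate_of"] is not None for r in reports) / len(reports)

def weakness_distribution(reports):
    """KPI 2: count of each weakness type per asset; duplicates are skipped so one bug counts once."""
    dist = defaultdict(Counter)
    for r in reports:
        if r["duplicate_of"] is None:
            dist[r["asset"]][r["weakness"]] += 1
    return dist

def concentrated_weaknesses(reports, share=0.5, min_total=3):
    """Flag (asset, weakness) pairs where one asset holds more than `share` of all unique
    reports of that weakness type: the hint of a design flaw or shared dependency."""
    dist = weakness_distribution(reports)
    totals = Counter()
    for counts in dist.values():
        totals.update(counts)
    return sorted((asset, w) for asset, counts in dist.items() for w, n in counts.items()
                  if totals[w] >= min_total and n / totals[w] > share)

def mean_time_to_resolve_days(reports):
    """KPI 3: MTTR in days over resolved, non-duplicate reports."""
    days = [(datetime.fromisoformat(r["resolved"]) - datetime.fromisoformat(r["submitted"])).days
            for r in reports if r["state"] == "resolved" and r["duplicate_of"] is None]
    return sum(days) / len(days) if days else 0.0
```

On the sample data the IDOR class is flagged for api.example.com (three of four unique IDOR reports), which is the kind of signal that should prompt a look at the shared code path rather than a fix per report.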

The best-run bug bounty programs at peak maturity focus on soliciting novel and elusive (“NoEl”) vulnerabilities. These are the types of bugs that no automated tool or pentest methodology would likely uncover, such as advanced business logic issues, bug chains, and unusual weakness types. Quantifying and tracking these kinds of bugs is an example of a more advanced program health metric.

No matter what level your program operates at, when comprehensive security controls are in place (e.g., DevSecOps, full buy-in from stakeholders, hardened attack surface, etc.) program managers can be confident in raising bounty levels and adding additional attack surface to their program scope. These actions will attract increasingly skilled hackers and security researchers capable of finding NoEl bugs or zero-day vulnerabilities with complex approaches, custom tools, and little-known techniques.

Step 3: Understand Where Bug Bounty Fits

Top programs use bug bounty as a compass: a tool to help navigate an attack surface and find gaps in security testing coverage. Top-tier security teams leverage bounty programs as a performance monitoring system for their internal security strategy and as a safety net that automatically deploys when other security testing systems and processes fail.

Bugs that slip through to production can be used to identify and resolve underlying challenges in security programs. Through the output of a bug bounty program, improvement opportunities can be identified in the software development life cycle (SDLC) to implement or bolster controls such as:

Some programs include pre-production environments as well. This isn’t ideal but might be done for many reasons such as hacker engagement, regulatory requirements, or even as an added layer of scrutiny and testing. If you can’t test production, consider a dedicated, mirrored testing environment instead, or try to include other areas of crowdsourced security strength like new product releases, scattered secrets, or asset discovery on an ever-changing attack surface.

Regardless of where it’s implemented, a well-integrated bug bounty program pinpoints challenges across the full vulnerability management landscape, including remediation practices, SLAs, stakeholder relationships, and pentesting habits. By learning from the outputs of KPIs, an organization can systematically tighten its security controls to the point where NoEl bugs become a more frequently reported class of vulnerability.

Level Up Your Bug Bounty Strategy

Designing, managing, and refining a program can be difficult, particularly if your organization is new to bug bounty.

HackerOne’s expert security advisors can help you uncover opportunities for improvement. Advisors offer bespoke engagement plans based on a program’s objectives and KPIs. Each plan built by the advisors is dynamic, harnessing the feedback loop they provide along with reported vulnerabilities. Based on these inputs, HackerOne advisors can recommend new or augmented security practices that will help prevent less sophisticated vulnerabilities from slipping into live environments.

HackerOne’s Security Advisory Services already work with security teams from Amazon, the U.S. Department of Defense, Hyatt, Goldman Sachs, and the U.K. Ministry of Defence to build a set of ready-to-go initiatives and help implement them according to business priorities.

To find out more about how a fully managed bug bounty or vulnerability disclosure program can help you address the security talent shortage, close visibility gaps within your security program, and cut remediation times by up to 8x, check out The Executive Guide to Human Security Testing.

Author: Will Kapcio
Date: 2023-02-23 12:00:00
