Hacker Engagement
First impressions matter! Win hackers over early on and create “anchor” hackers – program stalwarts that be taught all in regards to the goal group and preserve coming again to hack extra. Make their end-to-end expertise nice: current a easy take a look at plan, reply shortly and clearly, and award bonuses for extraordinary work.
A strong program testing plan considers how a lot time it takes to arrange or entry the testing surroundings and what obstacles would possibly current themselves in that surroundings. The setup course of needs to be as fast and painless as doable – time spent in setup is time hackers may lose curiosity, take a look at different packages, and not hack. Obstacles take the type of options that require spending actual cash, enroll processes that require actual hacker PII, knowledge integrity/confidentiality considerations, and rather more. Each scope requires a barely completely different strategy, which is why HackerOne consists of advisory services to assist reply questions like these. Ask: if I have been a hacker, would I wish to take part on this program? Is the setup price my time and vitality for the potential reward?
Holding all sorts of hackers engaged over time is essential too. Returning hackers ought to get pleasure from consistency, readability, and transparency in all interactions and bounty selections, however how can a program entice recent hacker eyes and expertise? There are a variety of methods to maintain hacker engagement regular:
- Scope changes
- Restricted-time incentive boosts (i.e. bounty multipliers)
- New software program releases or different vital updates
- New applied sciences in use
- Further options and entry increase
- New/up to date credentials (for authenticated testing)
Fee is in fact central to a bug bounty program. Going above and past for hackers who make an distinctive effort of their bug reviews is at all times appreciated. Conditions could come up the place the severity of the report may arguably be Excessive or Crucial (similar to studying PII) – in these circumstances a bonus is a superb software to assist discover center floor within the reward choice.
To cite HackerOne’s CISO and Chief Hacking Officer Chris Evans: “pay for value!”
Automation Alternatives
Bug bounty packages can contain loads of tedium however thankfully additionally provide loads of alternative for automation. Sturdy vulnerability administration processes can assist even the largest bug bounty packages keep on high of vulnerability report submissions.
Routing of reviews to inner stakeholders is essential to making sure bugs are remediated in a well timed trend. Each group has a unique workflow that makes use of a combination of software program and processes to perform this. Areas that apply universally and will profit from automation embody:
- Computerized responses to hackers based mostly on key phrases (at HackerOne we name these triggers)
- Labeling of the reviews by product line, enterprise unit, geographic area, and so forth.
- Escalation paths based mostly on severity
- SLA reminders
HackerOne can assist scale back workloads on safety groups not simply with companies like Triage, but in addition by easy ticketing and notification integrations. Think about who must learn about vulnerability reviews, the place they should go, and learn how to scale back guide processes alongside the best way.
Program Insights
A safety group that isn’t studying from its bug bounty program is lacking out on useful data. The content material of reviews, hacker engagement statistics, and time to last remediation all provide useful insights on the well being of a bug bounty program (and subsequently its effectivity in decreasing danger at a corporation).
There are many methods to investigate bug reviews: by quantity, by weak point kind, by severity, and extra. Low quantity can happen for quite a lot of causes similar to low incentives, a small assault floor, or an onerous setup (hacker surveys provide an opportunity to collect high quality insights). However going a degree deeper than superficial statistics can showcase what’s actually occurring:
- Plenty of duplicate reviews would possibly point out a damaged suggestions mechanism
- Excessive CVE-based report depend may imply an ineffective scanning setup
- Inapplicable reviews might be the results of poor hacker directions
Points like these would possibly imply going again to the bounty strategy drawing board and bettering cross-functional alignment.
Higher hacker engagement means higher outcomes, so understanding success and program well being on this space is a should. A program ought to know what number of distinctive hackers are submitting reviews, have submitted efficiently resolved reviews, are being paid bounties, depend of returning hackers in subsequent weeks or months, and naturally who the highest hackers are. Metrics like these be certain that a program is taking full benefit of the bug bounty mannequin’s strengths by receiving constant, various expertise influxes and preserving excessive performing hackers .
Imply Time to Resolve (MTTR) is a key metric in any bug bounty program. It’s nice to seek out bugs, it’s even higher to repair them on time! Alongside the best way to bug remediation are steps similar to preliminary acceptance, full validation/replication, right labeling/routing of reviews, implementation of the repair, and retesting, any one in every of which will be the wrongdoer of a poor MTTR at a corporation. Ceaselessly missed SLAs could also be an indication of lingering danger and lack of assets. Setting reasonable SLAs and sticking to them may be powerful however the danger diminished is properly definitely worth the effort.
Driving Enchancment
Not all bug bounty packages are equally efficient at decreasing danger and managing attack resistance. What units the very best packages aside is the execution of those three vital areas.
If you want to listen to extra about how different high-functioning bug bounty packages function, on Tuesday, April 18th at 8am PT/11am ETHackerOne area specialists will share their firsthand expertise planning bug bounty packages for quite a lot of private and non-private sector organizations. Our audio system will share foundational greatest practices exhibited by our most mature bug bounty packages together with pre-launch milestones, to day-to-day operational areas that guarantee most outcomes. Click here to register for the stay webinar.
Author: Will Kapcio
Date: 2023-03-14 12:00:00
