As cyber risk continues to grow, so must an organization’s vigilance. An increasing element of this mission is hiring white-hat hackers to discover previously unknown vulnerabilities. For a long time, penetration tests were the standard method of using simulated attacks to uncover exposure areas. More recently, red teaming exercises have gained momentum as an additional protection measure. Looking ahead, the next layer of must-have, proactive security controls will be bug bounty programs.
With bug bounty programs, the size of the team looking for vulnerabilities is more closely aligned with the expansiveness of an organization’s digital footprint. This is achieved, not by formally hiring a massive cadre of security researchers, but by crowdsourcing this expertise through a formal program and offering bounties for bugs found. In this case, individuals act independently to find a company’s zero day vulnerabilities, earning money and recognition in exchange for their discoveries.
In 2018, we at Stroz Friedberg predict companies beyond those in the highest risk sectors, such as technology and finance, will introduce bug bounty programs. Specifically, the next wave of adopters will be businesses such as airlines, retailers, and hospitality providers that run loyalty, gift, and rewards programs. Criminals are increasingly targeting businesses that use points as currency, because they are finding it harder to compromise chip-based credit card transactions. The industries affected by these types of card-not-present attacks will look toward bug bounty programs for help.
To initialize your own bug bounty program, preparation is key. Below are 10 actionable steps you can take to get started.
Step 1. Launch a vulnerability disclosure program without monetary benefits:
A vulnerability disclosure program is a well-defined mechanism outsiders can use to safely report security findings to the security team. Setting one up without payouts attracts fewer participants and can be used to launch the program at a smaller scale. It allows security teams to get the feel of receiving input from people outside of the fold.
This preliminary step is important because it will provide you a glimpse into how many complex issues would be present in a full-fledged bug bounty program. These issues include how to respond to the disclosures, the escalation process, and challenges with remediation.
Step 2. Carefully craft and communicate the scope and pricing of your program:
The rules for a bug bounty program must be clearly defined for all participants. Clear communications help ensure that the organization gets what it wants out of the program and that the participants are satisfied because they will have accurate expectations of the process and payment. Rule violators should not be allowed to participate. The most important aspects to define are:
- Program scope: What kinds of bugs are you looking for? Are there parts of the infrastructure (application or network) that are off-limits? Any attack that may affect availability that you may not want to incentivize.
- Pricing: The price paid for vulnerabilities has to balance two factors. First, it must match or exceed their value on the black market—after all, you want your researchers reporting their findings to you, not to criminals. Second, the program must be affordable to run, providing a return on investment. The best strategy is to measure rewards based on the potential impact of the vulnerability discovered and by matching different levels of impact to reward values.
Step 3. Decide on a public or private program:
The more people looking for bugs in your system, the more submissions you are going to get. That sounds like a good thing, but it comes with challenges. More submissions mean you have to provide more responses, evaluate more discoveries, validate more findings, quickly remediate more valid vulnerabilities, and manage payments to more individuals. Also, with more activity on the network and endpoints, you have to keep a keen eye to determine whether it is legitimate bounty hunters or malicious actors. In short, a public program where anyone in the world can participate takes many more resources to conduct than one with a limited pool of participants that have been carefully vetted and selected through a private program.
Step 4. Set up a testing environment dedicated to the program:
Establish an isolated, segregated, and well-segmented test environment for the bug bounty program. This bug bounty test environment (BBTE) should not have any links to the organization’s Dev/QA/Prod environments to avoid any impact to business. Additionally, the dedicated testing environment would also reduce the chances of commingling production data with test data. No residual artifacts such as accounts or data from the Dev/QA/Prod environments should be in the testing environment to mitigate the risk of them being used for malicious purposes. You do not want to turn your bug bounty program into a reconnaissance activity for attackers.
Step 5. Plan for blackout dates and quiet periods:
The program may need blackout dates when you do not want outsiders testing your code and quiet periods following bug discovery to ensure resolution before the bug is publicized. Changes/updates may also require time for internal due diligence activities before being made available for public testing.
If you do not have a solid BBTE, consider additional blackout dates including weekly change management windows, annual change-freeze windows, and product release lifecycles. These will help minimize the impact to the neighboring environments and allow stakeholders to dedicate more time to key business changes.
Step 6. Gain support from the C-suite, legal team, communications department, developers, security monitoring team, and others:
A bug bounty program involves many company departments. It needs the executive team to provide financial support for administrative costs and bounties; it needs human resources to oversee employment and tax-related tasks such as sending 1099 forms; it needs communications and marketing assistance to publicize the program; it needs legal assistance for writing contracts, such as those that define the program and the company’s relationship with bounty hunters; it needs developers willing to incorporate bug fixes into new software versions; and it needs the security monitoring team to build additional detection capabilities for the production environment, while the relevant team rolls out a patch. Given that cyber risk is an enterprise-wide risk, a bug bounty program involves many of the cost-centers of a business.
Step 7. Start with a small-scale test:
Before launching the bug bounty program, test it with a limited pool of bug bounty hunters, a limited scope of the environment, and a limited budget. This way, adjustments can be made to the program before widespread roll-out.
Step 8. Hire sufficient staff:
For a bug bounty program to be effective, an organization needs enough technology and administrative staff to support it. The IT team or Information Security team may not have availability to support a full time bug-bounty program in addition to their business-as-usual responsibilities.
Step 9. Market the program:
If the bug bounty program is public, it must be marketed like any other product, service, or job opening to attract the right talent. Identify websites, schools, and other venues where security researchers congregate and communicate to them in a way that attracts their curiosity and problem-solving skills.
Step 10. Be ready to act on the disclosures:
This may be the most important step. When you learn of a critical bug, this knowledge can quickly turn into a liability if the issue is not rapidly resolved. Without remediation readiness, your risk management program could flip and actually introduce risk.
Bug bounty programs are positioned to become another must-have element of many enterprises’ security programs. As it has been the case with so many other new types of cybersecurity protections, adoption starts with the highest risk entities, as it already has, and it will trickle down to more types of businesses, ultimately becoming something most organizations are expected to have in order to demonstrate that they have done everything possible to protect against cyber attacks. Fortunately there is help for setting up these programs. Groups like Bugcrowd assist enterprises run and manage their programs, and security consulting firms like Stroz Friedberg can help design and strategize the bug-bounty program itself.
For more on the conditions driving this trend and other cybersecurity forecasts, please see the 2018 Stroz Friedberg Predictions Report.