Organizations, including the government, are realizing that IT has enough on its plate already. Asking them to also hack their own systems and discover vulnerabilities can be a little much. Bug bounty programs have proven a cost-effective solution: Just let the public do the hacking, and give payouts according to the severity of vulnerabilities uncovered. But even something as straightforward as bug bounties requires careful planning. Sarah Lai Stirland shares four tips in an article for GCN:
- Get outside help.
- Provide crystal-clear instructions.
- Analyze and remedy.
- Think it all the way through.
Hunting the Weak
Stirland’s tips have a government-centric slant, but the bones of them are applicable anywhere. For starters, it might be wise to hire a contractor to manage bug bounty programs incorporated into testing procedures. This is because it would more fully free up IT to just fix the bugs found. Otherwise, staff would spend a great deal of time rummaging through bug reports and deciphering which ones are legitimate and also not duplicates: “For example, DOD received 1,189 bug reports in the Hack the Pentagon pilot, of which only 138 qualified for payouts.”
And yes, bug bounty programs demand crippling detail in their rules, with oversight from the legal team. No hacker wants to go to prison, and no business wants to be on the hook to grant a huge payout for somebody discovering a typo. Explain at least philosophically how payouts for bugs will scale, so that hackers understand what types of bugs the business deems most significant.
When bugs are found, it is important for them to be resolved in a timely manner to avoid potentially bigger threats. And about “thinking through” the bug bounty program, Stirland offers this:
…what happens if white hat hackers find so many bugs in a project that the assigned pot of bounty money is emptied before a designated challenge period ends?
That was a question posed in a document attached to one of DOD’s RFPs for a bug bounty service. There was no clear answer from DOD officials, other than stating that the department would not consider a suspension of the challenge under those circumstances as an incompletion of the task at hand as long as DOD program managers were fully aware of the rules and payout structures from the outset.
In other words, once the organization commits to bug hunting, it needs to roll with the punches. You can view the original article here: https://gcn.com/articles/2016/11/17/bug-bounty-tips.aspx