Bounty Reward: Your Sanity

Sep 29, 2017 | Security-GRC

Finding holes in your IT security the same old way may only yield the same kinds of vulnerabilities. We’ve seen more and more companies deploying not only traditional internal and external pen testing, but challenging white-hat hackers to do their worst.

A bug bounty program can poke holes in your system before the bad guys do, and according to a recent report from Bugcrowd, the number of valid vulnerabilities is at an all-time industry high: over 52,000 vulnerabilities! With that number continuing to skyrocket, it makes sense to implement a bug bounty program that continuously monitors your vulnerabilities.

So what exactly is a bug bounty program?

A bug bounty program consists of white-hat researchers who work around the clock to find and report vulnerabilities in exchange for rewards.

Ask yourself this: Why wouldn’t you want to have the good guys find a disastrous bug in your code? Would you rather have someone working on your behalf, or against you?

Unlike traditional pen testing or a one-time assessment, bug bounty assessments can be continuous. Penetration testing only offers a point-in-time snapshot of your security landscape. Today you might have 1 vulnerability; tomorrow there may be 8. The more often you run your program, the more likely you are to find vulnerabilities and be able to stop hackers from penetrating your system.

How should you incorporate a bug bounty program into your security landscape?

Like endpoint protection and any other possible security gaps, it’s important to recognize that vulnerabilities exist and occur regularly. By realizing you are vulnerable, you can work towards remediating these vulnerabilities before the bad guys find them.

Successful incorporation of a bug bounty program starts with defining a clear scope and focus, leaving nothing to the imagination. What are key target areas for your company? What do you want to accomplish with these vulnerability tests? A bounty’s scope informs the researchers what they can and cannot test, and points them to key areas of concern. So this part is mission critical.

It’s equally critical to call out what you don’t need tested. The most common example is known risks and issues: things you already know about and have deemed an acceptable business risk. Listing them up front means those doing the assessment do not waste time even looking at them.

Encourage good behavior and guide researchers in the right direction by accurately articulating any exclusions to your program’s scope.
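As an added illustration (not code from the original post or from ASMGi), here is one way to keep the scope from the two paragraphs above as a single definition, so the text published to researchers and the triage of incoming reports cannot drift apart. The hosts, issue classes and report entries are constructed and hypothetical:

```python
"""Bug bounty scope as one data structure: published text and report triage derive from it."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class BountyScope:
    in_scope: tuple            # host patterns researchers may test (fnmatch style)
    out_of_scope: tuple        # host patterns explicitly excluded
    accepted_risks: frozenset  # issue classes already known and accepted as business risk

    def _match(self, host, patterns):
        return any(fnmatchcase(host, p) for p in patterns)

    def classify(self, host, issue):
        """Return 'in-scope', 'out-of-scope' or 'known-accepted-risk'."""
        host, issue = host.strip().lower(), issue.strip().lower()
        # Exclusions win: legacy.example.com stays out even though *.example.com is in.
        if self._match(host, self.out_of_scope) or not self._match(host, self.in_scope):
            return "out-of-scope"
        if issue in self.accepted_risks:
            return "known-accepted-risk"
        return "in-scope"

    def render_policy(self):
        """Researcher-facing scope text, generated from the same definition."""
        lines = ["In scope:"] + [f"  - {p}" for p in self.in_scope]
        lines += ["Out of scope:"] + [f"  - {p}" for p in self.out_of_scope]
        lines += ["Known issues (accepted risk, not rewarded):"]
        lines += [f"  - {r}" for r in sorted(self.accepted_risks)]
        return "\n".join(lines)


def triage(scope, reports):
    """Count (host, issue) reports per classification."""
    counts = {"in-scope": 0, "out-of-scope": 0, "known-accepted-risk": 0}
    for host, issue in reports:
        counts[scope.classify(host, issue)] += 1
    return counts


# Constructed, hypothetical scope and reports for the demo.
SCOPE = BountyScope(
    in_scope=("example.com", "*.example.com"),
    out_of_scope=("legacy.example.com", "*.staging.example.com"),
    accepted_risks=frozenset({"missing-rate-limit", "clickjacking-static-page"}),
)
REPORTS = [("api.example.com", "idor"), ("Legacy.example.com", "sqli"),
           ("www.example.com", "missing-rate-limit"), ("example.com.partner-site.net", "xss")]
```

Publishing `SCOPE.render_policy()` and running `triage(SCOPE, reports)` against the same object is what keeps "nothing to the imagination" true on both sides of the program.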

Looking to rethink your pen-testing/bug-finding process? We can help from assessments to developing a full bug bounty program. We’re here to help.
