At Black Hat 2017 in Las Vegas today, a panel of experts gathered to discuss the concept of bug bounty programs and share their experiences with running these within their respective companies.
Moderator
Kymberlee Price (KP), Microsoft
Panel
Angelo Prado (AP), director of product security, Salesforce
Charles Valentine (CV), VP of technology services, indeed
Lori Rangel (LR), director of product, Silent Circle
Getting proceedings underway, panel moderator Price asked each speaker to share a few words on the worth of bug bounty programs to their organizations.
AP: One of the interesting things about the bug bounty concept is that you pay by performance, so I absolutely think it is worthwhile.
CV: We think the bug bounty is worth it. We pay to use an external vendor to manage our bug bounty program. We were pretty small when we started and so didn’t have the staff to run our own bug bounty. It helps take the work load off of us and we still see very high value in the program.
LR: When you’re starting a startup you may not have the resources to have large internal security teams, so we value our bounty programs as an augmented security team.
KP: What are the best practices for running a bug bounty program?
LR: I’m going to harp all day about research community outreach, it’s super important to go out and talk to the community and find out what motivates them. Find out what their concerns are and that really builds your reputation as well.
CV: I think what we noticed immediately is that the researchers are not a business; it’s an individual you’re talking with. Have somebody in place who has really good customer service skills to be able to communicate with that external person and bring it to a human level. Also, recognize when it’s time to increase your bounties.
AP: When you’re convincing your organization to open a bug bounty program, one of the key things you need is to have a very mature set of individuals who are able to understand risk and ready to address any vulnerabilities that come their way.
KP: How do you compete for talent when bug bounty programs are becoming more and more popular?
CV: The payouts need to be rational for the work that’s happening. Establish a reputation and be very clear in your program about what you will pay and why.
LR: As far as competition goes, you’ve got to get creative. If the monetary value isn’t there you can still give recognition in other ways, so you’ve got to get a little creative.
KP: Do you have a disclosure policy? Does your program allow for disclosure?
CV: We do allow disclosure, after we’ve fixed of course. In practice very few folks have asked to disclose details, and in the cases where they have they were very reasonable and worked with us. Our experience has been very positive when a researcher has asked to disclose.
LR: Officially, our scope does not allow for public disclosure, but we have made some exceptions in the past for that, simply because it affected our mission critical applications or it had a wider impact. So we felt it was important to get that message out into the public. It’s always been a really positive interaction with the researchers so I would continue to do that on a case-by-case basis.
KP: At what point in the process do you reward the researcher for discovering the vulnerability?
CV: We reward when we have identified that it is a problem and that it is correct—when we feel like the researcher’s work is done.
LR: We definitely have a two-step process. We have our frontline communications and then an internal discussion about the value and the impact of the issue, and at that point is when we go back and pay the researchers, sometimes before we’ve resolved the problem.