Before you propose a bug bounty program to your organization, you need a comprehensive plan.
That’s just one of the many takeaways offered on a recent podcast from KPMG’s Advisory Institute, which publishes content related to business performance, technology, risk management, and more. In the podcast, the firm’s leading expert on cybersecurity services, Caleb Queern, explained how to make bug bounty programs successful in any organization.
We don’t mind saying that Queern’s advice is spot on, and not just because it meshes so well with our own recommendations. The Bug Bounty Field Manual provides a great roadmap for assessing and planning your path to hacker-powered security, and Queern echoes many of the manual’s themes.
So where’s the best place to begin? The assessment in our Bug Bounty Field Manual helps you understand if your organization is ready for hacker-powered security. As you move on, our advice in chapter 4 of the Bug Bounty Field Manual is to launch with a small program. KPMG’s Queern says the same. “I would encourage folks to start small and have a plan,” Queern advises. “You never just go full bore, nor start so slow and just stay there, because that’s not going to help over time.”
Starting small helps you understand what it takes to run a successful bounty program, from resources to communications to actually paying the bounties.
Chapter 2 of the Bug Bounty Field Manual gives tips on choosing a leader, building a team, and preparing for incoming bug reports. Queern’s advice, much like ours, focuses on being prepared and having resources in place.
“You need to have somebody dedicated to triaging those new things that come in the door,” advises Queern. “You need to have folks dedicated to analyzing them, and finally, folks dedicated to the rewards effort.”
Resource and capacity concerns are top of mind for many of the organizations we work with, and that’s why HackerOne offers fully managed bug bounty programs in which our experts handle communication with the hackers and triage of incoming reports.
For organizations with the resources to run a program in-house, we also offer the flexibility of self-managed programs: you manage the program internally on HackerOne’s best-in-class platform and call on our experts to help manage your tests and programs when and where you need them.
There’s more to hacker-powered security than just managing your bounty program, however, and Queern makes it clear that other departments need to be involved early.
From getting your vulnerability disclosure policy in place (check out our Vulnerability Disclosure Policy Basics guide) to eventually disclosing known bugs, the Bug Bounty Field Manual’s chapter 3 shows you how to champion your program across engineering, finance, communications, and other departments.
“It sounds like common sense, but lessons learned from the front lines are that you need to have a bit of a communications program far in advance of the opening of the program,” Queern says.
Development and operations teams shouldn’t be surprised when more vulnerabilities start flowing in through the bug bounty program. Those teams, and possibly others such as customer support, should be ready for a higher volume of bug reports and for questions from people who hear about the program.
Tracking metrics is also critical. The Bug Bounty Field Manual’s chapter 5 looks at using bug bounty program data to uncover root causes and other systemic issues. Queern says you’ll also want to measure what’s changing over time. Without metrics, he says, you’ll have no ability to justify the program down the road when questions about the value inevitably come up.
Queern provides many more tips in the podcast and we don’t want to give them all away here. It’s well worth the listen for CISOs and security directors who are starting to think of ways to justify, prepare for, and plan for a bug bounty program. Hop over to KPMG’s Advisory Institute to listen to part one and part two of the short (20 minutes total) podcast. And when you’re done, download our Bug Bounty Field Manual for even more detailed advice.