Bug bounty programs are gradually becoming more mainstream, and that’s great news for global cybersecurity. As we discussed in our previous post, bug bounty programs give companies a convenient way to access a crowd of cybersecurity experts with diverse backgrounds without having to employ an army of them. But what does the lifecycle of a bug bounty program actually look like?
In this post, we describe the lifecycle of a bug bounty program that is hosted on a bug bounty platform.
Lifecycle of a Bug Bounty Program
Step 1 – Creation of a bug bounty brief
Once a company has settled on the bug bounty platform it wants to use, it starts working on a document called a Bug Bounty Brief (you can check an example of a bug bounty brief here).
The bug bounty brief describes the rules of engagement for the researchers who will be working on the program. It is the company’s responsibility, with help from the bug bounty platform’s staff, to write a clear brief, and the researchers’ responsibility to familiarize themselves with it before getting started on the program.
The structure of a bug bounty brief may vary, but it usually contains the following sections:
- Company Description
A short description of the company hosting the bug bounty program. This gives researchers some context for the particular program they are about to work on.
- Scope
The scope states which resources researchers are allowed and expected to test: “where” researchers should be looking for bugs.
- Focus Areas
This section deals with “what” researchers should be looking for. It may include specific bug types, functionality, features, etc. Companies provide as much documentation as possible in order to help hackers work on the program efficiently.
- Out of Scope
Companies also list the vulnerabilities they do not want hackers to work on. These are usually issues that do not pose a security risk to the client.
- Pricing
Usually, companies themselves set the reward level for different vulnerability types, but the bug bounty platform’s staff often advise them on compensation in order to make the program attractive to researchers.
- Rules of a Bug Bounty
This section describes in detail what researchers can and cannot do while working on this particular bug bounty program, and which disclosure guidelines they must follow.
- Service Level Agreement
Details how the company communicates with and pays researchers during the bug bounty program.
As you can see, the bug bounty brief is a complex document and an integral part of the lifecycle of a bug bounty program. If a company gets this part wrong, it is highly likely that its bug bounty program will not succeed.
Step 2 – Bug Bounty Program launch
Once the bug bounty brief has been created, it is published on the bug bounty program page and the program goes “live”. Bug bounty platforms then conduct marketing activities to attract white hat hackers to this particular program.
Step 3 – Let the hacking Begin!
Once the bug bounty program has begun, white hat hackers start testing the software and reporting the bugs they find. Researchers write up a bug report explaining in detail how the vulnerability can be exploited and submit it via the platform’s website.
Step 4 – Bugs are verified by an in-house triage team
Every bug bounty platform has a team of in-house cybersecurity specialists called the “Triage Team”. The triage team’s job is to verify the bugs reported by researchers and determine the severity level of each bug for the client.
Step 5 – Fixing the bugs
The security team within the customer’s company receives a report from the bug bounty platform, including an explanation of how to fix the vulnerability. Once the fix has been verified by the researcher who originally filed the bug, the client pays the researcher. Additionally, the researcher earns reputation points on the platform.
As you can see, the lifecycle of a bug bounty program is quite complex. Efficient communication is the key to its success. It is the bug bounty platform’s responsibility to keep researchers and the client in sync, guaranteeing the efficient cooperation that leads to the result everyone wants: a safer cyberspace for us all.
If you would like to get a consultation on bug bounty programs, you can schedule a Demo with HackenProof team here.