Here Are The 5 Things You Need To Do To Have A Successful Bug Bounty Program

Joseph Melika
4 min read · Mar 18, 2021

Before founding Inspectiv, I spent about four years building out the security engineering group at Verizon Digital Media Services. The properties within the VDMS group included Edgecast, the CDN powering 5% of the internet traffic, and upLynk, the Video Encoding platform used by media giants including Disney and Hulu.

Building out a centralized security team for two very successful and mostly independently run tech companies was a huge undertaking. One of the biggest challenges was prioritizing the risks as I hired and grew the team.

As a result, my focus was on the need to scale the team and our technologies as quickly and efficiently as possible.

Simply put, my goal was to do more with less.

One of the most pressing challenges was how to continuously and proactively identify security vulnerabilities in our environments, but without the cost and time of hiring and managing a massive in-house team. To solve this, I launched Verizon Media’s first bug bounty program. This was then, and continues to be, the largest bug bounty program on the internet. Overall, it was an extremely positive move, and from my experience, bug bounty is an effective solution to scaling fast. But in order to get that level of impact, it needs to be correctly set up.

Here are the 5 things you need to do to have a successful bug bounty program:

  1. Be responsive to researchers: Security researchers are excited to work on your program. Treat them like you would your customers or employees. If you ignore them, they’ll ignore you. This means being responsive and timely with their inquiries, submissions, and follow-ups. Delays will make their interest disappear. To prevent this, I recommend setting up a support-like process with internal SLAs for handling researcher communication (for example, a committed time to first response, to triage decision, and to bounty payment).
  2. Be respectful: To expand on the previous point, your team must treat the researcher community as an extension of the team, not as a nuisance, freelancer or vendor. They’re your new partners, here to help you and your team. Make them feel appreciated by recognizing their work.
  3. Pay bounties: Researchers do not expect to work for free. They want their skills and efforts recognized and should be paid for the value they provide. Some bug bounty platforms offer the option to run a “kudos only” program, but opting for this is short-term thinking. Talented researchers will simply skip over your program once they see that it doesn’t pay bounties. If you use platforms like HackerOne or Bugcrowd, you must ensure you have sufficient funds available throughout the lifetime of the program so that you continue to pay researchers for their work. Stopping and starting payments will damage your team’s reputation in the researcher community.
  4. Pay on triage: I’ve encountered bug bounty programs that choose to pay researchers only when the issues are resolved, not when the researcher reports them. This unfairly delays payment to the researcher (for days, weeks or even months, depending on the team) for reasons completely out of their control and entirely dependent on the efficiency and bandwidth of the internal team. Pay once your team has triaged and validated the report; choosing to pay on remediation is another mistake that can cause good researchers to abandon your program.
  5. Invest in polishing up researcher write-ups for an internal audience: Most companies I’ve seen struggle with this step, and it threatens the success of the entire initiative. The purpose of the program is to resolve vulnerabilities. While researchers are great at identifying vulnerabilities, not all of them can effectively articulate the business impact. You shouldn’t simply pass the researcher’s vulnerability reports directly to your developers and/or DevOps teams. To help your team get the most from the findings, consider adding an internal step to the process: have someone rewrite the researcher reports, with the goal of extracting the key findings, describing the root cause, and connecting the analysis to the business impact. This is a real investment in time and resources, but skipping it means risking the security posture of the company by not adequately providing the team with the information it needs to address the causes of the identified vulnerabilities.

These 5 challenges are the reason I decided to start Inspectiv, an end-to-end security solution that democratizes access to world-class security.
We recognized that, to be successful, bug bounty programs are ultimately a tool that must be set up and maintained correctly, and that most high-growth teams don’t have the resources or headcount to build that into the business. And so, we set out to revamp the bug bounty space by decoupling the bug bounty from vulnerability discovery. By offering our service as a subscription and implementing the methodologies on our end on behalf of our clients, we’ve been able to streamline the process for our customers without the overhead. The result is a smoother, higher-impact experience. You deal with a dedicated Inspectiv account manager as your point of contact (not the individual security researchers within the community). You pay a subscription that includes all bounties, so there’s no worry about running out of bounty budget. Our team engages with the security community on your behalf. We triage and compensate our researchers, and ultimately rewrite all reports to tailor them to your business and how the findings may impact you.

To get in touch with our team to see if we are a fit for you, reach out to our sales team sales@inspectiv.com
