Setting up a bug bounty programme in your organization

Experiences from the industry


Organizations of various sizes have been putting together and hosting bug bounties over the years. Some of these are very popular - participants look forward to the event on their calendars. Others, not so much.

The “hit or miss” nature of these events is sometimes a deterrent for a business thinking about hosting its first bug bounty. And yet it is fairly easy to plan for success, using playbook-like approaches and strong ownership of the process.

Rootconf invited the showrunners of some of the most successful bug bounties to share the insights, secrets and tips that will help any business get started with this approach. Blending talks, how-to’s and panel discussions, this is the one-stop shop for “getting started with bug bounties” that you were looking for.

Browse through the blog posts and videos to learn how organizations such as Flipkart, Razorpay and InVideo have thought about and implemented bug bounty programmes.

Participate in the conference to share your work and learn from peers.

About the editorial team

This knowledge repository (blog posts and videos) and conference have been curated by Anant Shrivastava - information security consultant; Shrutirupa Banerjiee, senior security researcher at Quick Heal and Editorial Assistant at Rootconf; and Sankarshan Mukhopadhyay, editor at Hasgeek.

Who should participate

  • InfoSec engineers
  • Appsec engineers
  • DevSecOps teams
  • Security engineers
  • Engineering managers
  • Engineering leadership in organizations

RSVP to participate, or purchase a subscription to access videos, and to support Rootconf’s community activities on hasgeek.com

Code of Conduct: Hasgeek’s Code of Conduct applies to all participants and speakers at the meetups.

COVID protocols and masking policy for meetings held in-person: In keeping with COVID protocols, the following is applicable to all participants:

  1. Participants attending the meetups in person must keep their vaccination certificate handy. The venue may ask you to show your vaccination certificate as proof of being fully vaccinated.
  2. Wearing masks is optional.

Contact information: For queries about the meetups, contact Hasgeek at support@hasgeek.com or call (91)7676332020.

Hosted by

Rootconf is a community-funded platform for activities and discussions on the following topics: Site Reliability Engineering (SRE). Infrastructure costs, including Cloud Costs - and optimization. Security - including Cloud Security.

Shrutirupa Banerjiee

@shrutirupa

What to keep in mind when running a bug bounty programme?

Submitted Jan 10, 2023

Starting a bug bounty programme may seem like an enormous task. However, if it is properly planned and managed, it becomes quite easy to implement. Each team should be well aware of its roles and responsibilities.
Having seen how to start a bug bounty programme, I’ll walk you through some important suggestions to keep in mind while running it.

As mentioned above, each team is important and has responsibilities to fulfil. The teams should be prepared for their set of tasks whenever a researcher reports a vulnerability. From sending an acknowledgment mail, to communicating with the researcher, to mitigating the vulnerability and paying the bounty on time, each step is crucial to a successful outcome. After a vulnerability is reported, it is the responsibility of the respective internal security team to communicate with the researcher and send updates. A time frame should be decided within which the team must respond to the researcher. This also tells researchers whether to wait for the team’s response or move on to their next task.
A communication gap can create misunderstandings that cause problems for both the researcher and the organization. The entire flow should be transparent and consistently followed.

If a lapse occurs at any step, the researcher should be notified immediately, along with an apology mail from the responsible team.
The team should then put corrective action in place, and enforce it, so that the lapse does not recur.

I’ll move on to some concluding remarks about the Do’s and Don’ts of running a bug bounty programme.

Don’ts

  • Publishing untested assets on the programme - every application, API and URL should be thoroughly tested by the internal security team before it is placed under the bug bounty programme. The programme should be aimed at finding the extremely difficult vulnerabilities that the internal team did not cover.

  • Not defining the scope of the programme - the scope should be clearly defined on the platform so that researchers can focus on the required URLs or APIs. Anything other than that should be considered out of scope.

  • Not maintaining the programme periodically - the team should periodically review the programme page to see whether anything needs to be added or removed. Is there new information that should be shared with the researchers? Is there a bug within the platform itself that should be remediated as soon as possible?

  • Taking conversations with the researchers personally - during the submission process there can be conflict between a researcher and the internal security team. Such conflicts should not be taken personally; they should be handled professionally and politely. A wrong or careless step may affect the application and the programme, along with the reputation of the organization.

Do’s

  • Maintaining good vibes with the researchers - it is extremely important to keep a good rapport with the researchers, as they are the ones who find the vulnerabilities the internal security team missed. The approach these researchers followed might help the organization look for similar bugs in other, as yet unpublished, applications.

  • Connecting with the researchers on a timely basis - it is the duty of the internal security team to regularly connect with the researchers and provide updates on their reports. Good and timely communication between the researchers and the respective team helps mitigate vulnerabilities sooner.

  • Providing as much transparency to the researchers as possible to build their trust - researchers should be given all the details and updates related to the reports they have submitted. Transparency in such scenarios helps researchers believe in the authenticity of the platform and the organization’s process.

  • Automating the bug submission process at the company’s end - an organization should always keep upgrading and enhancing its applications and platforms. The initial phase may look tricky, but the later stages of the process should be improved and automated over time. This art of maintenance is one of the reasons behind good and successful bug bounty programmes.

Of course, there will be a number of flaws before a proper, organized programme is fully in place. Each organization needs to assess how many flaws and problems it can realistically take on and manage, and, when an issue arises, how the respective teams resolve it. The ultimate goal is to keep improving the current process over time while maintaining it.
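As an added illustration (not part of the original post), the Python sketch below applies two of the points above: every report is matched against a published scope, and an agreed response time frame whose breach triggers the apology and corrective action the author calls for. The scope patterns, the 24-hour window and the sample reports are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatch
from typing import Optional
from urllib.parse import urlparse

# Hypothetical scope patterns and response window; a real programme publishes its own.
IN_SCOPE_HOSTS = ["api.example.com", "*.app.example.com"]
ACK_DEADLINE = timedelta(hours=24)  # agreed time frame for the first response

@dataclass
class Report:
    report_id: str
    target: str                 # URL the researcher reported against
    submitted_at: datetime
    acknowledged_at: Optional[datetime] = None

def in_scope(target: str) -> bool:
    """True if the reported host matches one of the published scope patterns."""
    host = (urlparse(target).hostname or "").lower()
    return any(fnmatch(host, pattern) for pattern in IN_SCOPE_HOSTS)

def triage(report: Report, now: datetime) -> dict:
    """Classify one report and state the internal team's next action."""
    if not in_scope(report.target):
        return {"id": report.report_id, "scope": "out",
                "action": "close as out of scope and tell the researcher"}
    deadline = report.submitted_at + ACK_DEADLINE
    if report.acknowledged_at is None:
        overdue = now > deadline
        action = "send acknowledgment and apology" if overdue else "send acknowledgment"
        return {"id": report.report_id, "scope": "in", "sla_breached": overdue, "action": action}
    late = report.acknowledged_at > deadline
    action = "send apology and record corrective action" if late else "continue scheduled updates"
    return {"id": report.report_id, "scope": "in", "sla_breached": late, "action": action}

# Constructed sample reports, not real submissions.
NOW = datetime(2023, 1, 10, 12, 0)
SAMPLE = [
    Report("R-1", "https://api.example.com/v1/users", NOW - timedelta(hours=30)),
    Report("R-2", "https://login.app.example.com/reset", NOW - timedelta(hours=2)),
    Report("R-3", "https://blog.example.com/post", NOW - timedelta(hours=5)),
    Report("R-4", "https://api.example.com/v1/orders", NOW - timedelta(hours=50), NOW - timedelta(hours=40)),
]

def triage_all(reports=SAMPLE, now=NOW):
    return [triage(r, now) for r in reports]
```

Running `triage_all()` on the constructed sample flags R-1 as an unacknowledged report past its window and R-3 as out of scope, the two cases where the team must reach out to the researcher first.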
