Bug Bounties....Pros/Cons
Chris Roberts
Strategist, Researcher, Hacker, Advisor, CISO/vCISO, Architect, and writer (Sidragon at Substack). Please remember Rule No. 1: "Do not act incautiously when confronting small bald wrinkly smiling men."
Got asked to put a piece together on bug bounties...here it is. Enjoy it, hate it, or simply feel free to use it if you are heading in that direction:
What are the pros and cons of offering a bounty?
Upside is crowd-sourcing: a large audience able to go through your code, your systems and whatever else you offer a bounty ON…and the more people working for you on reviewing the systems or target, the better (hopefully). The other upside is the ability to balance the budget; pay-for-performance can sometimes work…There IS also the fact that you are now participating in a community: you recognize that, despite your developers' insistence that they can code properly, they are still human and make mistakes…and you are willing to accept that. Congratulations!! HOWEVER, there are some challenges:
Downside:
1. Set up a PROPER bug bounty program; going into it half-arsed WILL result in some unpleasant exchanges with researchers.
2. Set your lawyers on STUN and not KILL. Most of us hate corporate lawyers, therefore get them all settled BEFORE we appear at your front door telling you your software is shit.
3. Don't expect us to read all the rules if they go on for pages, and don't always expect to shake the hand of the researcher at the end of the engagement…there are a lot of people who prefer their privacy.
4. You WILL have to properly manage the input, the responses and the findings…even though you are now hoping that your IT security budget is lower (it's not!), you will have to staff UP to work through the submitted results OR risk the wrath of people getting fed up with NOT getting a response.
5. Depending upon what systems you offer up for abuse on the program, don't expect to be able to easily tell the researchers' traffic FROM any genuine attacks on your infrastructure…set up a well-defined environment for them to test in (if possible).
Yes, the downside list is longer; that's mostly because people go into it half-arsed and then have to deal with researchers who do this for a living and don't appreciate all the corporate BS that faces them/us….
What are some typical amounts you've seen for a company offering a bounty to hack an app, a gadget, or an IoT device?
In the past (as part of a team) I've done fairly well from bounties; they've paid for various things over the years…now, with that out of the way, you can expect anything from a "thanks and PR release…Apple, etc." to $3-5k or higher for something good/usable AND a report that is well written. As a team we've taken $10-25k as payments from a couple of organizations over the years…we've also got our fair share of cease and desist letters…so it's a balance :)
Typically, DEPENDING upon the attack vector and target, the expected range should be equitable to whatever time you have put INTO the project….
How have you seen these amounts fluctuate?
Yep, a while back there was no sense or standards; now things seem to be settling down. MUCH of that credit goes to the community AND the teams who have set up the programs on behalf of the community AND who are the main gateways providing the coordinated communications AND web portals for submissions/help etc. (Huge shout out to Bugcrowd, HackerOne, BugSheet, etc.)
When does it not make sense to offer a bounty?
Main one here is when YOU, the target, are not ready: your legal, your IT and/or your infrastructure and people are NOT set up to run one…this is NOT something to walk into lightly. Expecting to get pristine, WELL written reports is going to work for 10-15% of submissions…but the rest will be ill-written, crayola-faxed or simply screenshots of bloody Metasploit!