Quick Thoughts on Disclosure programs & Bug Bounty

As I was writing a response to a post, I realized LinkedIn would not let me express my opinion within its word limit, and that's when I thought of this write-up. To note, this is my first on LinkedIn.

If you are planning to set up a new Disclosure program and are looking for a quick read, this may just help you.

Having managed a large public-facing Bug Bounty program for many years, here are some quick observations from me (personal opinions only):

  1. Disclosure programs give a researcher an avenue to share their findings; it can be as simple as publishing a security inbox.
  2. Not every Disclosure program is a Bug Bounty program.
  3. Bug Bounties can be Public or Private.
  4. Public ones can have certain PR (and of course Legal) implications.
  5. Unless a company is decently sized & funded, it may not be advisable to attempt a public facing Bug Bounty program.
  6. Public programs can be handled by an internal team or by a 3rd party. Using a 3rd party is a great idea to offload some of the more tedious triaging. Remember to stress results/quality. If the vendor cannot commit to putting experienced folks on the triaging team, go for a different one. In my opinion, it is good to have at least some kind of validation done by an internal team.
  7. Private programs are nearly always run by 3rd parties. Again, some kind of internal team to validate may be beneficial.
  8. Private programs are easier in terms of PR. However, the downside is that one may not get as many researchers. Sometimes (not always), researchers are more interested in seeing their names in a Hall of Fame than in working for some private program. If you are starting a program, start with a private one first.
  9. Bug Bounty programs can, and most likely will, change the culture of your company. This is especially true for companies where the culture is averse to a security mindset, where the company was established pre-2000, or where it is sufficiently large that one feels like walking through a maze in order to determine who owns which component/product.
  10. Any Bug Bounty program is less expensive than an extensive testing program, because with a Bug Bounty you pay per bug.
  11. For new Bug Bounty programs, start with a very structured and narrow scope. Absolutely ensure that the PR and Legal teams are kept informed.
  12. Sometimes, Disclosure programs attract some 'interesting' folks. These are people who tend to threaten and ask for money first (and these are people who are best deported to Mars). Thankfully, most such calls for extortion are fake. However, if you get an email like that, always remember to: a) involve Legal (and inform PR); b) no matter what, investigate the bug if details are provided (mostly they will not be provided if it is extortion), and if the bug is confirmed, plan to get an expedited fix; c) involve PR; and d) keep a record of these conversations with dates, response times, etc.

As we all know, vulnerabilities probably already exist for a given company, whether they know it or not. More eyes ensure the company gets an opportunity to learn of them and to fix them, probably and hopefully before it is too late.

All the best!


Chip Block

Vice President and Chief Solutions Architect at Evolver, a Converged Security Solutions Company and CEO/CTO of Kiwi Futures, LLC

6 years

As a consideration, if you believe the disclosure or bug bounty may reveal something really bad, execute the contract through outside counsel using a letter of engagement. We have done this a few times. This puts the researchers under attorney-client privilege if the proverbial ___ hits the fan and lawsuits ensue or regulators show up. It is not a perfect approach, but it is a good idea.

Adam Bacchus

Security Engineering Manager, Android

6 years

Couldn’t agree more ;) similar thoughts here: https://thebossmagazine.com/magazine/june18/#78-79

Soumya Maitra

Financial Services | Client Relationship & Onboarding | Operations & Program Management | Author | Technology Enthusiast

6 years

Very good write-up, Sumanta.

Dan Parelskin

SVP at Apono | Cybersecurity, Hacking & Zero Trust - Using AI to Eliminate Cloud Permission Risk in Modern Enterprises

6 years

Well done here Sumanta...!

Jason Kabaker

Evaluation Intelligence for GenAI

6 years

This is great, thanks for sharing!
