alphaspirit - Fotolia
When to take a bug bounty program public -- and how to do it
Bug-finding programs are valuable to enterprises, but they require a lot of planning and effort to be effective. Sean Martin looks at what goes into taking a bug bounty program public.
MasterCard, the worldwide payments company, recently launched a public bug bounty program to help identify software defects in its platform. After initially starting the bug-finding program privately, like Apple and many others have, MasterCard decided to open its program to the public, with rewards ranging from $100 for a minor issue to $3,000 for a critical finding. MasterCard is using the Bugcrowd crowdsourcing platform to manage the swarms of researchers around the world.
After learning about the MasterCard public bug bounty program, I connected with the Bugcrowd team during the Black Hat 2016 conference to learn more about the process for bug bounty programs.
"Financial organizations are expressing interest in bug bounties to identify flaws in their internet-facing systems and applications as they push more services to the internet," said Jonathan Cran, vice president of operations at Bugcrowd, based in San Francisco. "The approach is a natural progression from their current application security program, where they're using automation or a few manual testers before pushing applications live to production."
Bug bounty programs: Deciding to go public
As evidenced by previous bug bounty champions, the recent Apple bug bounty program launch and further supported by the Bugcrowd State of Bug Bounty results, many organizations are pursuing a bug bounty as a critical element of their application security quality-assurance program. These organizations often choose to start with a vetted group of researchers, as they build the operational capability to handle the input expected from these researchers.
Jonathan Cranvice president of operations at Bugcrowd
"Because bug bounties are becoming so prevalent, some researchers are bolder than others, testing and submitting things directly to their target's customer support email addresses, via Twitter or other channels," Cran said. "We see organizations come to Bugcrowd in order to get in front of this chaos and help them create a formal, public channel for disclosing vulnerabilities."
The bug-finding program might start as a private program or an incentivized disclosure program, but it often grows into a public program over time and extends beyond one or two web applications to include other internet-facing services and devices.
Platforms like Bugcrowd are designed to let organizations take control of the intake of defect reports, helping them triage and work with individual researchers to create actionable findings for their security team. "We are here, we are willing to respond," Cran said, adding that organizations sometimes need help in determining the proper action to take once a finding is brought to them.
Bug bounty programs: The learning process
When a bug bounty program launches, researchers are given a set of targets that tell them which issues will be incentivized or rewarded. These targets are laid out in a program brief, which also specifies what happens if a reported issue is out of scope, or is not classified as an incentivized issue.
"By crafting a brief, organizations can choose what sort of focus they want for their program. Where should the researchers invest their time -- what should they avoid? They can choose to incentivize only certain targets, or certain types of findings," Cran said.
In the case of MasterCard's bug-finding effort, the program is initially focused on several external applications and, over time, is expected to grow to include other external-facing applications and mobile targets.
Public defect-finding program owners should be prepared to work with researchers who scan their applications and shouldn't be surprised if they end up having to block IPs. "This is all a part of the process," Cran said. "In a public program, anyone can test, so we often end up working with customers to respond to reports of scanning and adjust the program accordingly."
Bug bounty program owners are often surprised by researchers' creative techniques. Bug hunters aren't so close to the systems that they are blinded by familiarity with how the software should work, so they often test and stress applications in ways the developers never anticipated.
"Submissions detailing a technique that exploits a logic flaw are not uncommon," Cran said. "Some researchers focus exclusively on this kind of testing, since it's more difficult, and [it] is unlikely to hit a duplicate report and, thus, not be rewarded. For instance, if a researcher can forge a monetary transaction by manipulating the application, they're going to be highly rewarded for that finding."
Bug bounty programs: Expected results
During our conversation, the Bugcrowd team mentioned they were working to develop some specific analysis for bug bounties in the financial services space. I asked what MasterCard could expect from its program based on the results of bug bounty peers operating in the same market. The Bugcrowd team offers these data points:
- Over 12% of total bounty payouts have been made through financial services programs.
- The average payout per bug across financial services programs is $323.05, nearly 10% more than the average across all programs -- all-time for Bugcrowd programs.
- In general, these stats point to the fact that more programs run by financial services organizations offer rewards and higher rewards.
Currently, the MasterCard bug bounty program on Bugcrowd has rewarded 17 findings, with nearly 300 participants. There are also more than 50 security researchers in the program's hall of fame, which recognizes participants for their efforts in reporting security issues.
Conclusion
Bug bounties continue to grow in popularity. Large household names, like Facebook, Tesla, Apple and now MasterCard, are looking to get ahead of the zero-day curve by incentivizing public researchers to help detect defects and security vulnerabilities. The key for enterprises is to know when the time is right to take a bug-finding mission public, decide what the current scope and targets should be, and how the program should be updated and expanded in the future.