In this course, Play by Play: Bug Bounties for Companies, Troy Hunt and Casey Ellis discuss bug bounties from the perspective of organizations interested in running their first bug bounty program. Learn the purpose bug bounties serve, how bug bounties are run, and how to position a bug bounty program to leadership in order to get buy-in for the program. By the end of this course, you’ll be able to speak to the benefits of a bug bounty program and ascertain if your organization is ready to undertake a bug bounty of its own.
Troy Hunt is a Microsoft Regional Director and MVP for Developer Security. He's a regular conference speaker, frequent blogger at troyhunt.com and is the creator of the data breach notification service known as “Have I Been Pwned”.
Course Overview Hi, this is Troy Hunt. And I'm Casey Ellis of Bugcrowd. And welcome to our Play by Play on Bug Bounties for Companies. I'm an Australian Pluralsight author and web security specialist, and I'm especially interested in the things that we can do to help organizations better protect their online assets. As the founder, CTO, and chairman of Bugcrowd, I spend most of my time connecting the customers that we work with with the broader white-hat community to get feedback on how to better defend their assets, so obviously I'm interested in this subject today. In this course, we're going to look at why organizations should run bug bounties. What's in it for them, what are the risks they face? Yeah, we'll talk a lot about best practice, how to do this well, how to make sure that as you're considering a crowdsourced security program, what are the things that you need to line up for success and to avoid failure. And indeed, what are the pitfalls where companies have gone wrong with bounties in the past? We'll cover best practices and how to do this right, some of the failure stories I've seen over the years, and how not to do it wrong, as well as talking a bit about how this concept has jumped out of the Bay Area and the earlier adopting technology market into the broader security community and the broader enterprise defender. I'm really excited to have one of the best brains within the bug bounty industry here with me in this Play by Play. I hope you'll join us on this journey to learn about Bug Bounties for Companies.
What Is the Value Proposition of Bug Bounties? Hi, this is Troy Hunt, and I'm coming to you from San Francisco with Casey Ellis from Bugcrowd. So Casey, we're going to talk a lot about bug bounties, but I think you should start by telling us who you are, because that's going to put a lot of context around this course. Yeah, for sure. So I'm the founder and CTO of Bugcrowd. I started the company from Australia back in 2012, and really going into it, I have a career in security that started off as a pen tester, I did that for a period of time, moved out to the front of the house doing solutions architecture and getting more involved in the business side, and at some point those two things got together and had a baby. I decided I wanted to do a startup-type of thing, and really Bugcrowd was the product of looking at two things, one was some of the challenges that organizations were having with staying ahead of the bad guys and being able to find their vulnerabilities, but then also just the general appetite in the market for vuln disclosure and bug bounty, yeah, taking off. Like back then, Facebook and Google were kind of pioneering the story with their bug bounty programs, and really what I observed was that there was a lot of interest from the traditional security buy-in community in this model as a way to level the playing field. Alright, awesome. So, when we were planning on doing a bug bounty course for Pluralsight, we kind of went, well, you're sort of the best guy in the world to tell us about this. Thank you. And so we're actually doing two courses, we're doing this one on bug bounties for organizations that are thinking of getting involved in one, and we're going to do another course as well straight after this one, which is about bug bounties for researchers, so people who might be thinking about participating. Absolutely, yeah.
Where Do Companies Tend to Go Wrong Running Bug Bounties? Where do you see things tending to go wrong with companies running bug bounties, because I'm sure it doesn't always go smoothly for them either. Yeah, no, for sure. I think the biggest thing, and you're exactly right, I think the, when you say hacker or security researcher, it's one of the reasons that we use security researcher and hacker almost interchangeably, it's a softer term when you're talking to people that have that sort of, that sort of fear, and you do a Google image search on the word hackers. There's a lot of hoodies, I've done the search. There's a lot of hoodies, and a lot of Guy Fawkes masks, and a lot of just generally like evil-looking people. Yeah, I think the big thing is this whole idea that like there are hackers out there, and there are many of them that are kind of more the equivalent of a digital locksmith, so they could very definitely make a good, like, criminal or a good burglar, but their intent is to actually help and not harm. So getting people over that hurdle is one of the main challenges. I think where it tends to go wrong is where you see organizations not think it through. So they, they jump on bug bounties or vulnerability disclosure even when they're just saying hey, if you find something, tell us, and not necessarily having a reward, as the thing that the cool companies are doing, and it's more about the press release, and being in a position to go out and be proactive in the market or be seen to be proactive. But on the backend, what they haven't done is put the effort into really kind of thinking through how it's going to work, like getting all of the stakeholders aligned internally, making sure that they're writing a brief, and setting terms for the hackers that actually very clearly define what the expectations are between both sides and aligning those. Right. And what that leads to is the inability to actually follow through on those commitments.
So the biggest, the biggest challenge or the biggest kind of consistent value point that I see with these programs, and definitely some of the things that we've seen publicly over the past 12 months even, is organizations that have clearly run at this without really thinking it through.
Common Concerns Surrounding Bug Bounties You mentioned one of the things that the companies are worried about is that they're effectively inviting a whole bunch of people in to look at their things, what other things do you hear companies being concerned about in terms of running bug bounties in general? So for example, I can imagine the legal department having an absolute heart attack with the concept of literally saying, hey, come in and have a look at our things. Yeah, it depends on really, if you think about it as a spectrum across the market, you've got your Facebooks and your Googles down at this end, and you've got like your banks and your healthcare companies up the other end, and really it's a spectrum of kind of how progressive and risk tolerant they are when they approach technology, right? Down at this end it tends to be fairly simple, because their legal team is used to being asked crazy stuff, and they can just dive into the merits of it and kind of the logistics of it so to speak. Up the other end on the banking, the healthcare, the financial end, it takes longer, because really what you've got to do is get the legal team and other people that aren't necessarily technologists purely in the mix across this hurdle of no, hackers are bad people, I thought that they were bad, like, we're inviting them in?
That's the big thing that you've got to get them across initially, and then beyond that, it comes down to things like making sure that liabilities are managed appropriately, making sure that things like the CFAA, DMCA, some of the laws and legislation around white-hat security research are being accommodated in the mix, and really making sure that all of the different mechanics of running a bug bounty program are actually covered off by that legal team, which again is one of those things that if you're either talking to an organization like us, or talking across the peer group of companies that are actually running bug bounty programs, you can get across that. It's actually not as complicated as people imagine that it's going to be.
Selling Bug Bounties to Executives and Legal So we mentioned legal departments, who are always the fun place in organizations, let's be honest, they're going to be the first ones that are going to say look, this is an issue, and of course there's other executives within the organization as well that are going to be very risk averse. How do you think organizations should go about getting buy-in, and in fact, let me rephrase that, how do you think people like you and I who might be, let's say they're tech folks in a tech department who kind of get this, how should we position it to leadership? How do we sell this to them? Yeah, I mean, I think as simply as possible, and I think accommodating for the fact that like they are probably going to be frightened by the concept when you initially, when you initially couch it, so I see oftentimes people in the security industry, and especially the vuln research community, kind of go over the fence and say hey, this is the right thing to do, like responsible disclosure, let's put everything out on the internet once it's fixed, all of these different things, which by the way, I actually agree with, I think ultimately things should progress in that direction, but not everyone's going to be ready for that, not everyone should do that, and that's probably a bad place to start, because that's when you're going to get a wall come up around the conversation. So just being mindful of the fact that this is a potentially frightening topic to bring up is a good place to start. I think beyond that, it's really a matter of starting to point to some of the referenceable companies that are outside of this tech early-adopter sandpit. You look at like the Googles and the Facebooks of the world that made this popular in the first place, that's great, but if you're on the East Coast or working in a more conservative vertical, you look at those guys as thought leaders, but also as a bit crazy as well.
So it's this whole idea of here's a bunch of other organizations that look more like yours that are adopting the model as well. See, the water's warm, we can all start to jump in there, or start considering whether we should.
Scoping a Bug Bounty Program It sounds like another one of those cases where there are multiple models, and choosing the right thing at the right time seems to be the trick here. Yep. I noticed also that there are cases where there are public bug bounties, which may be scoped, and the one that sort of comes to my mind is the Pentagon a couple years back I think, wasn't it? Yes, yep. And I remember thinking at the time like, first of all it's amazing to see the Pentagon run a bug bounty, which is very cool. Second of all, I'm an Australian, I was excluded, and I suspect the same for you right? Yep. So what was, what was their rationale, and why do companies or government departments, as it may be, make that decision? So there's lots of reasons to reduce the scope in terms of where people are testing from, like what kind of trust do you have in them, are they background checked or not, like what kind of skills do they have, really what it comes down to is what kind of additional privilege are you going to be giving them when they're doing their testing, if that's the case then considerations like geography, and background checking, and so on become pretty relevant. I think with the Pentagon, it was more around the fact that this is an American, like, defense agency. Yeah, they do play in a fairly serious space, right? It makes perfect sense for them, because like their jurisdiction is the US. So to have that as a starting point to me made perfect sense. What was good about it is that they actually extended beyond that in terms of their public form disclosure program a little while afterwards as they realized they could get better results if they threw it open. Okay.