Speaking at the Spring Infosecurity Magazine Online Summit, Sean Poris, director, product security at Verizon Media, explored how to run a bug bounty program, outlining the six components of a successful bug bounty structure.
Poris explained that, by investing in bug bounties, organizations are potentially tapping into “hundreds of thousands of global hackers” who think about software and vulnerabilities in ways that internal staff might not.
He also said that knowing and understanding your objectives is key when it comes to running a bug bounty program, so organizations must have a clear focus on “what they are trying to accomplish in standing up the program.” This should also include taking time to consider “what researchers will want from your program” and how you can work alongside them, along with the long-term goal of your program.
Once those aspects are established, Poris said there are six components to ensuring ongoing bug bounty success for an organization.
These six components are:
- Scope: what’s in, what’s out?
- Platform: report intake and communications
- Talent: hackers and teams
- Financials: budget, forecast and payments
- Operations: process, consistency and oversight (metrics)
- Policy: rules of the road, safe harbor and compliance
Ultimately, “a bug bounty program is a crowdsourcing initiative that rewards individuals for discovering and reporting software bugs,” and by taking a considered, federation-like approach, organizations can make a success of their bug bounty journeys.