Running a Bug Bounty Program - Chapters Site - Home County/IIA OC Presentation Downlo… ·...

Running a Bug Bounty Program Adam Ruddermann 15 March 2018 IIA / ISACA / ACFE Joint Spring Training Event


Page 1:

Running a Bug Bounty Program

Adam Ruddermann, 15 March 2018

IIA / ISACA / ACFE Joint Spring Training Event

Page 2:

Bug bounty? Responsible disclosure?

Huh?

Page 3:

Huh?

“Security Researchers”, “Whitehats”, “Hackers”, “Your children”

Find a security vulnerability in a company

Report it to the company and give them time to fix it before telling anyone else

(Optional) The company gives a monetary award

Page 5:

The agenda!

- Part 2: Huh?

- The component parts of these programs

- Where it fits, where it doesn’t

- Questions

Page 6:

Adam ‘rudd’ Ruddermann, Practice Director

Page 7:

Who is rudd?

Page 8:

Ok so, back to ‘huh?’

Page 9:

What is ‘responsible disclosure?’

• Researchers make a reasonable effort to contact the organization that can fix the security vulnerability and provide them actionable data about the bug to enable a fix.

• Researchers give the organization a reasonable amount of time to fix the bug and distribute the fix to their customers before disclosing it to anyone else.
  • CERT/CC: 45 days
  • Google: 90 days

• If the organization does not act in good faith or does not intend to fix the bug, the researcher is reasonably enabled to publicly disclose the unfixed vulnerability.

Page 10:

Clearing the air on terminology

Responsible Disclosure:

• Publicly published:
  • Responsible disclosure rules
  • Product scope and boundaries
  • Legal safe harbor provisions
  • A dedicated channel to submit bugs

Bug Bounty:

• Thanks page and/or Hall of Fame
• Monetary and/or prize awards

Page 11:

Wait. How did we get here?

Page 12:

The component parts

I promise this won’t be too boring

Page 13:

The component parts of these programs

• Legal
• Public Relations
• Daily Ops
• Engineering Partnerships
• Award Payouts


Page 17:

Day-to-day Operations / Lifecycle of a Submission

Initial Triage → Decision Triage → Fix → Resolve

Page 18:

Day-to-day Operations / Lifecycle of a Submission


• Engine room of the cruise ship

• Noise filtering
• Staff typically do not need to read code or be able to suggest fixes
• Unambiguous and well understood final decisions are made here
• Feels a lot like a help desk, but is much more technical

Page 19:

Day-to-day Operations / Lifecycle of a Submission


• The captain of the ship

• The most technical person in the process
• Looks deep to understand root causes – including reading code
• Usually has day-to-day oversight of how things are going
• Everyone is supporting this person

Page 20:

Day-to-day Operations / Lifecycle of a Submission


• Working with engineering teams to get it fixed

• Step 1: Let the team know
• Step 2: Agree on how impactful the vulnerability is
• Step 3: Agree on resourcing and timelines
• Step 4: Track it!

Page 21:

Day-to-day Operations / Lifecycle of a Submission


• Verify and land the fix, pay the researcher

• Make sure the fix actually works… and doesn’t introduce other problems
• Land it in production… does it break the product? (it happens)
• Let the researcher know and pay them (if you haven’t already)


Page 23:

Program Operations Management

• This process can be as ad hoc or refined as necessary for an org

• Good software – either built in house or outsourced through a vendor – is critical

• Operational metrics will define your success and failure
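As an added illustration (not from the slides or the speaker), a small Python tracker that enforces the four-phase lifecycle above and derives the operational metrics the slide refers to: median time to initial triage, median time to resolve, and open reports approaching the disclosure deadline. The phase names, the 90-day disclosure window, the 14-day warning threshold and the sample reports are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from statistics import median

# Lifecycle phases from the slides, in the order a submission must pass through them.
PHASES = ("initial_triage", "decision_triage", "fix", "resolve")

@dataclass
class Submission:
    sid: str
    received: date
    completed: dict = field(default_factory=dict)  # phase name -> date it was completed
    def phase(self) -> str:
        """Phase the report currently sits in, or 'closed' once resolved."""
        return "closed" if len(self.completed) == len(PHASES) else PHASES[len(self.completed)]

    def advance(self, phase: str, on: date) -> "Submission":
        """Record completion of the current phase; refuses to skip or repeat steps."""
        if phase != self.phase():
            raise ValueError(f"{self.sid}: cannot complete {phase} while in {self.phase()}")
        self.completed[phase] = on
        return self

    def days_to(self, phase: str):
        """Calendar days from receipt to completing `phase`; None if not reached yet."""
        return (self.completed[phase] - self.received).days if phase in self.completed else None

def metrics(subs, today: date, disclosure_days: int = 90, warn_days: int = 14) -> dict:
    """Triage/resolve speed plus open reports within `warn_days` of the disclosure deadline."""
    triage = [d for s in subs if (d := s.days_to("initial_triage")) is not None]
    resolve = [d for s in subs if (d := s.days_to("resolve")) is not None]
    at_risk = [s.sid for s in subs if s.phase() != "closed"
               and (s.received + timedelta(days=disclosure_days) - today).days <= warn_days]
    return {"open": sum(s.phase() != "closed" for s in subs),
            "median_days_to_triage": median(triage) if triage else None,
            "median_days_to_resolve": median(resolve) if resolve else None,
            "disclosure_at_risk": at_risk}

def demo() -> dict:
    """Constructed sample reports (not real data), measured as of 15 March 2018."""
    s1 = Submission("S-1", date(2018, 1, 1))  # fully resolved in 24 days
    for ph, d in zip(PHASES, [date(2018, 1, 2), date(2018, 1, 4), date(2018, 1, 20), date(2018, 1, 25)]):
        s1.advance(ph, d)
    s2 = Submission("S-2", date(2017, 12, 20)).advance("initial_triage", date(2017, 12, 22))
    s2.advance("decision_triage", date(2018, 1, 5))  # stuck in Fix; 90-day clock runs out 20 March
    s3 = Submission("S-3", date(2018, 3, 10))  # brand new, not yet triaged
    s4 = Submission("S-4", date(2018, 2, 1))  # fully resolved in 15 days
    for ph, d in zip(PHASES, [date(2018, 2, 4), date(2018, 2, 5), date(2018, 2, 15), date(2018, 2, 16)]):
        s4.advance(ph, d)
    return metrics([s1, s2, s3, s4], today=date(2018, 3, 15))
```

Running `demo()` shows S-2 flagged as at risk because its disclosure deadline is five days out while it still sits in the Fix phase, which is exactly the "Track it!" failure the lifecycle slides warn about.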


Page 25:

Legal

• Clear lines of communications and expectations with corporate legal teams

• Contract law
  • EULA – exempt whitehats, precise carve-outs, or fully require adherence?
  • Program-unique terms

• Criminal law and legal safe harbors
  • USA: CFAA, DMCA
  • UK: CMA

• Corporate compliance
  • Data privacy: GDPR, Privacy Shield, etc.
  • Sanctions and anti-terrorism: various US and EU lists
  • Diversity and anti-corruption: checks for verifying corporate policies

Page 27:

Public Relations / Communications

“You’re the only engineers that regularly speak officially on the behalf of the company that don’t have time to clear every word with PR first.”

- Melanie Ensign (@imeluny)

Page 28:

Public Relations / Communications

• Communications training for engineers and PMs

• Build a library of templated responses

• Consensus on when to escalate internally and when to escalate to the Comms team

Page 29:

Engineering Partnerships

Product Management / Software Engineering / Corporate IT

Page 30:

Engineering Partnerships

• Coordinating scope changes with the product roadmap

• Thoughtful prioritization of low/mid severity bugs

• Software security education

• Very specific scope considerations

• Managing potential false positives on sensors

• This is Expert Mode bug bounty


Page 31:

Paying out awards

• What?
  • How much should you pay?

• How?
  • PayPal, Payoneer, Bitcoin, Wire Transfer, Airline Points (United), Gift Cards?

• Taxes!
  • Withhold income tax?
  • Require W8s?


Page 33:

“Ok, now what?”

Page 34:

Why this is worth it

• With good relationships, leveraging researchers will enable you to scale your security team

• Think of it like QA: Dozens of good testers will find more bugs than just 2 or 3 excellent testers

• Traditional pen tests are only accurate for a point in time, bug bounty testing is continuous

Page 35:

Where this fits

• Products should have a security architecture review and a traditional source-code-enabled pen test before considering bug bounty

• A small, private bug bounty is a great safe way to give top hackers access to a product first before launching an open bounty

• Recurring source-code-enabled pen tests to find deep, complex vulnerabilities

Page 36:

About those hacker parties…

Page 38:

Questions?

Adam Ruddermann
Practice Director, Bug Bounty Services

Email: [email protected]
@adamruddermann