Transcript of Webinar: Tips on Building a World Class Bug Bounty Program From Senior Red Team Expert, Mack Staples
Building a World-Class Bug Bounty Program
The best hackers, the best bugs, the best security.
AGENDA
1. Introductions
2. Tip #1: Plan for the best, expect the worst
3. Tip #2: Partner closely with engineering
4. Tip #3: Recruit and retain hackers who will invest time to understand and test your logic
5. Tip #4: Maintain a competitive and generous bounty program
6. Bonus Tips
Mack Staples, Sr. Manager, Red Team
Mack Staples is a security professional with over 15 years of experience in security encompassing both digital and physical security. For the last 10 years, he has focused on web application and mobile security. He started as a consultant and decided to transition to an in-house role when he connected with Zenefits and accepted a position managing their internal Red Team. Since then, he has guided and grown the Red Team and product security teams, and established a widely known and well respected Bug Bounty Program on HackerOne's platform.
The Zenefits Bug Bounty Tips
Tip #1: Plan for the best, expect the worst
Tip #2: Partner closely with engineering and development teams
Tip #3: Recruit and retain hackers that understand your business and tech and are willing to invest the time to test your logic
Tip #4: Maintain a competitive and generous bounty program
Tip #1: Plan for the best, expect the worst
It’s a culture of readiness and awareness
Criminals are vigilant in looking for that loophole, that forgotten flash file, that open endpoint.
• When we started our Program, we had a great track record — still do!
• Remember: past performance does not indicate future success
• If you’re online, you’re a target
• Something can always go wrong
• “Act as if you’re going to get hacked today”
Tip #2: Partner closely with engineering and development teams
Water cooler security talks
Security must always be “on”, to respond to the dynamic environment all companies are facing today. That’s why we loop our developers into the security process.
• Involve your developers early
• Share specific findings and reports only with the owners
• Pay attention to trends — positive and negative — and share those observations with the org
• Socializing your Program will help developers “think security”, which will mean earlier security involvement in new features and code
Tip #3: Recruit and retain hackers that understand your business and tech and are willing to invest the time to test your logic
Hackers gonna Hack (hopefully)
The most severe (and therefore valuable) vulnerabilities come from repeat and ongoing hacking.
• The best results will come from repeated, manual testing
• The better your Program, the more repeat engagement you’ll see
• Researchers will get a feel for your product
• They may even know it better than you do
Tip #4: Maintain a competitive and generous bounty program
Stand out above the rest
To attract the best hackers, Zenefits set out to create one of the most attractive bug bounty programs in the world.
• Maintain clear, consistent communication
• Keep your Program flexible: “Scope isn’t holy”
• Be transparent in decisions and in the time taken to answer questions
• Consider special events like the H1-702 hackathon in Vegas
• Keep bounties competitive and consider occasional “Multipliers”
Bonus Tips
Be Loyal
The quality of researchers will determine the success of your Program. If you take care of them, they’ll take care of you. Sometimes this means ignoring your scope, or adding a bonus for an epic hack.
Celebrate the Creative Hack
Anyone can run an automated scanner. The best hacks come from creative minds, thinking in unexpected ways, and building new, custom tools. Recognizing these efforts goes a long way.
Remember the ABC’s
Always Be Closing! … bug reports. Momentum is key to keeping a Program alive and well.
Let’s review: The Zenefits Bug Bounty Tips
Tip #1: Plan for the best, expect the worst
Tip #2: Partner closely with engineering and development teams
Tip #3: Recruit and retain hackers that understand your business and tech and are willing to invest the time to test your logic
Tip #4: Maintain a competitive and generous bounty program
Questions?