Bug Bounty

Field Manual
A guide for launching, operating and scaling
pay-for-results security tests.

THE BUG BOUNTY FIELD MANUAL HACKERONE 1

 Every five minutes, a hacker reports a vulnerability.
Every 60 seconds, a hacker partners with an organization
on HackerOne. With security vulnerabilities a fact of
life, technology unicorns, e-commerce conglomerates,
governments, and hospitality giants are competing
to attract hackers simply because they can think like
an attacker.

Before you start

Whether you start off with a time bound pilot or

Before you jump into a bug bounty program, take our
a small scale private program, this guide will help
self-assessment questionnaire to help you determine
answer common questions as you ramp up to a full
where you’re at and what type of program best suits
bug bounty program.
your needs.

There are a few different options when it comes to

working with hackers. Many organizations start off
with a Vulnerability Disclosure Program (VDP), which
is where you simply give hackers a clear channel
through which to report vulnerabilities, without the
expectation of payment. A Bug Bounty Program
actively incentivizes hackers to report vulnerabilities
through financial rewards. Another option is to run a
crowd-sourced pentest, which is time-bound like a
traditional pentest, but engages a wider community
of researchers with a wider skillset and only pays out
for results.

THE BUG BOUNTY FIELD MANUAL HACKERONE 2

 THE BUG BOUNTY FIELD MANUAL

01. Preparation

THE BUG BOUNTY FIELD MANUAL HACKERONE 3

 Preparing for Vulnerability
Management
Before you start accepting reports, you need
to make sure you have some vulnerability
management in place. This will ensure vulnerabilities
are identified and fixed in a timely manner.
First, you need to identify where those
vulnerabilities are coming from; automated
scanners, developers, security engineers, external
consultants or even social media. The second step
is prioritization, you need to group vulnerabilities
based on severity and pass them to your relevant
internal owner for resolution. When you start a bug
bounty program, you’re essentially adding a new
stream of bugs into those existing vulnerability
management process.
When launching a bug bounty program with
HackerOne, you have the ability to assign a
severity to each report and integrate with multiple
common bug tracking systems (JIRA, Service
Now, Mindtrack, Zendesk, Github), streamlining
vulnerability reporting and triage efforts.
THE BUG BOUNTY FIELD MANUAL
Allocate resources
Running a bug bounty program is going to involve
your existing security team so it’s important to
set expectations of what the program will entail:
• Choose a leader to own and champion the bug
bounty initiative and build a team.
• Allocate roles and responsibilities for triaging
bug reports, communicating with hackers,
defining and paying bounty rewards and
vulnerability management - weekly rotations
of responsibility that fit into and around the
team’s regular job duties are a good way to
structure this.
• Make sure you have the time and resource
available the week you start accepting your
first bugs to deal with a large influx and to solve
any initial issues.
Running a bug bounty internally can be a lot of work
so using a platform like HackerOne to support your
team will really help with resourcing.
HACKERONE 4
 Preparing for Payments
Set expectations for hackers. You don’t need to
initially start paying out enormous bounties. Set up
a bounty table that clearly sets out how much you
are willing to pay for various bugs based on severity.
HackerOne can show you the average award
amounts across the programs on our platform.
The top bounty awarded by a financial services firm
was $15,000 and last year financial services firms
paid out nearly $1 million in bounties, however, the
average bounty paid by financial services firms for
a critical vulnerability on HackerOne’s platform is
$1664. The average for any bug is $771.
Set up your payment
process
Hackers come from all over the world and need to
be paid in local currencies. HackerOne manages
payments in hundreds of different currencies and
handles compliance, taxation, processing fees and
exchange rates.
THE BUG BOUNTY FIELD MANUAL
Define service level agreements
Set up a well defined service level agreement (SLA) on
your policy page. Set expectations by confirming the
time to triage, time to bounty and time to remediation.
Define rules
To ensure a smooth and transparent process that
engenders trust for both parties, include the following
on your rules page:
1. A well-defined scope
2. Bounty structure
3. Qualifying vs non-qualifying vulnerabilities
4. Service level agreements
5. Eligibility/participation requirements
Read more about crafting your rules page here.
HACKERONE 5
 THE BUG BOUNTY FIELD MANUAL

02. Champion Internally

THE BUG BOUNTY FIELD MANUAL HACKERONE 6

 Championing a bug bounty program requires buy in from
multiple stakeholders to be on board, and it’s important
to be clear about the benefits. This will help you launch
successfully, create clear feedback loops and, ultimately
improve your security posture.
• The Security team will need to understand • While most organizations start with a small
how the bug bounty program will fit into their private program, working with hackers can still
existing processes and when they need to raise questions from the PR/Comms team.
prepare for controlled influx. Get their buy-in by demonstrating that running
• Engineering teams can be brought on board a bug bounty program can be a positive story
by empowering them to fix bugs themselves for taking security seriously.
and keep the conversation open about building Check out HackerOne’s case studies to see
security in throughout the development
how others have proudly told their stories.
process. Set expectations about when and how
the fixes will be completed and how much time If you’ve done a good job of championing internally,
this will take out of their day. you should then have a fair amount of leeway in
terms of leading decisions around changes in your
• HackerOne makes it easy to pay hackers so
Finance teams aren’t dealing with multiple scope, policy, and processes.
currencies and financial red tape. Your financial
team can help you decide whether to make a If you need any assistance in convincing internal
deposit for bounties in advance or pay as you stakeholders that a bug bounty program is a
go by credit card. good idea, we share some additional advice and
guidance here.
• Bring your Legal team on board by giving them
a say in setting the guidelines that will avoid
legal repercussions for hackers.

THE BUG BOUNTY FIELD MANUAL HACKERONE 7

 THE BUG BOUNTY FIELD MANUAL

03. Launch

THE BUG BOUNTY FIELD MANUAL HACKERONE 8

 Now everything’s in place, it’s time to push go and start
seeing those juicy bugs roll in.
In the beginning

To make sure you start at a manageable point,

we recommend starting with a private program,
inviting five hackers and putting a couple of items in
scope. You can easily add more when you’re ready.
Beginning with a manageable amount of hackers
contributing to your program enables you to test
your processes.
REVIEW RECAP
Some other questions to ask yourself as bug
reports start coming in:
• Are they what you expected?
• Are hackers hitting the right targets?

In the first day, expect to receive four serious,
non-duplicate vulnerability reports. The average
customer sets a target to find ten bugs in the first
two weeks.
• Are they finding the types of bugs you want
to see?
At this stage you may need to adjust your policy
page or bounty amounts. In this scenario Hacker

Scaling up feedback is invaluable, they have a wealth of

experience and will be able to offer insight
Once you’re in the flow of triaging reports and and advice on any changes that need to be
dealing with the bugs, you can look to increase the made. Give them feedback too about report
reports you receive and incentivize participation by: preferences and what bugs you care most about

1. Increase the scope of your program - best for

if you’ve already received plenty of reports and You can read more about bug bounty first

improved security on your initial scope impressions here.

2. Add more hackers to your program - best for if

you want loads of eyes on one or two properties

3. Up your bounty amounts - best for if you want

to increase your higher severity reports.

THE BUG BOUNTY FIELD MANUAL HACKERONE 9

 THE BUG BOUNTY FIELD MANUAL

What’s next?

THE BUG BOUNTY FIELD MANUAL HACKERONE 10

 Scale your program
There are many exciting routes you can take your
bug bounty program now that it’s up and running.
Maybe you’re now looking for the next challenge
and the thrill of even bigger and better results.
It makes sense that the more hackers, scope and
bounty amounts you have, the bigger, more critical
bugs you’ll receive and the more secure you’ll
become.
As you increase your scope, make sure you give
hackers plenty of information to better aim their
efforts at uncovering juicy bugs.
As you invite more hackers to your program, you
might consider taking it public so that any hacker
can submit a bug. You’ll see a lot of noise when you
go public but you can tamper this down with signal
requirements and amending bounty amounts to
make sure you’re only paying out large amounts for
the most critical bugs.
THE BUG BOUNTY FIELD MANUAL
Scaling also comes with logistical challenges, so we’d
advise automating processes as much as possible — the
more efficient those processes are, the easier it will be to
handle a larger load of reports.
One of the most exciting places to take your bug bounty
program is to a Live Hacking event. HackerOne has
helped companies such as Snapchat, Verizon Media,
Uber, GitLab and US Department of Defence run these
events where the top hackers fly out to hack a single
target on the spot. They’re a great way to develop
relationships with the hacking community and get a huge
amount of bugs in a very short period of time.
See a recap of our Live Hacking event in London here.
HACKERONE 11
 Improving vulnerability management practices
Security only improves when bugs are fixed, not when
they are found.
As the program grows, vulnerability management
processes will need to catch up. This can be a
challenge so we’re sharing our best practices on this:
• Find an owner - make sure you know whose
responsibility the fix will be, and that person
communicates when it’s done so hackers’
expectations are set.
• Automate - automatically alert the people who
are responsible for fixing the bugs and set time
limits for when bugs should be assigned an owner.
e.g.
° Critical: 3 - 4 hours
° High: 3 - 4 days
° Medium: 1 - 2 weeks
° Low: 1 month
• Prioritize manual efforts based on the severity of
the issue.
THE BUG BOUNTY FIELD MANUAL
• Identify where people and process problems
are causing a slow down in vulnerability
management
° Understand the developer’s perspective
and workload
° Ensure bounty hunters provide
exploitability and impact information in
their reports to show developers it’s worth
their time
° Learn each team’s processes for
accepting work inputs and how to get a
security bug into the product backlog
• Update hackers who are waiting for news on
when the bug will be fixed
The financial services industry has a particularly
good reputation for delivering fast fixes, with a
median of 4 days to resolution and bounty.
HACKERONE 12
 Improve development
Bug bounty programs are great for finding and fixing
loads of individual vulnerabilities, but some of the
greatest value will be the data that comes out of it. For
example, for the financial services industry, cross site
scripting is the most commonly found vulnerability.
Violation of secure design principles is far higher in
the financial services industry than any other but
government.
If you’re seeing particular patterns of bugs being
found, it will highlight any cracks in your software
development life cycle, meaning you can move
towards proactively identifying and eliminating root
causes of systemic issues, improving your overall
security program.
HackerOne provides data on:
• Number of bugs resolved
• Number of hackers thanked
• Number of reports rewarded
• Total bounties paid
• Bounty average
• Payout % of unresolved reports
• Response time
• Resolution time
THE BUG BOUNTY FIELD MANUAL
DEMOCRACY
It’s important to remember that you,
your business and your hackers are all
working together towards the same goal
of a more secure organization. However,
each program will have its frustrations
and while a successful launch will
help you avoid these, remember the
following when handling a disgruntled
hacker:
• Stay calm
• Focus on the facts
• Make use of HackerOne’s
mediation services
CELEBRATE MILESTONES
Make sure to pause and recognise
your efforts in security and the great
work your team is doing to keep your
customers safe like Spotify has done
with their two year anniversary blog.
HACKERONE 13
 About Us
HackerOne is the #1 hacker-powered security platform,
helping organizations find and fix critical vulnerabilities
before they can be exploited. More Fortune 500 and Forbes
Global 1000 companies trust HackerOne than any other
hacker-powered security alternative. The U.S. Department of
Defense, General Motors, Google, Twitter, GitHub, Nintendo,
Lufthansa, Panasonic Avionics, Qualcomm, Starbucks,
Dropbox, Intel, the CERT Coordination Center and over
1,600 other organizations have partnered with HackerOne to
resolve over 100,000 vulnerabilities and award over $50M in
bug bounties. HackerOne is headquartered in San Francisco
with offices in London, New York, and the Netherlands.

Contact us to get started.

THE BUG BOUNTY FIELD MANUAL HACKERONE 14