Evaluating the Business Impact of Software Vulnerabilities | BreachPoint

Google recently announced that the company had increased its top bounty for remote code
execution bugs on its Google, Blogger, and YouTube domains by 50 percent, saying, "due to
the high-severity vulnerabilities it has become harder to identify over the years, researchers
have needed more time to find them. We want to show that we value the significant time
researchers dedicate to our program."

This is a natural progression for a rewards program and a genuine sign of program health. What
most people don't realize, however, is how many factors go into deciding when the right
time is to adjust a bounty payout range. A reward program is an excellent means of ensuring
continuous risk measurement, and mitigation, on the platform. That said, most
independently run programs stall and lose researcher participation and confidence.

This is also why managed bug bounty programs have become the new norm. At the start of a
program, most organizations, regardless of size, quickly become overwhelmed: defining
scope, defining disclosure inputs, identifying program security owners, establishing a
vulnerability management program, and even agreeing on patch timelines within that
program. And that does not even address how to create attractive pay ranges or set up an efficient
triage and vetting process, much less how to attract a solid crowd of researchers to actively
participate.

To top it all off, we come back to the opening statement of this article: how and when to
increase reward payouts. Bottom line, programs are complicated to start and become more
complicated as they mature. What is the most effective way to engage with the research
community? How do you keep researchers interested in your program? Are there ways to motivate
them? And inevitably, as mentioned before, when should you increase your rewards?

Organizations that work with a trusted partner can draw on expertise gained from managing hundreds of
programs to get the most out of their bug bounty programs, not only at the
beginning, but also over time, so that the program keeps delivering value in the long term.

With four years of experience managing bug bounty programs, we have learned the following:

Start off on the right foot

When initially scoping the program, it is important to recognize how critical the scope is to the
success of the program. In its simplest form, a scope tells researchers what they should and
shouldn't test, which is essential to getting the desired results from your rewards program. The same
applies to price targets. Put yourself in the shoes of researchers. You must know what a
particular vulnerability is worth to your company; that is how much you should pay for it.

Define what a bug is worth

What does a bug cost you? This is one of the most important questions an organization must
ask when building a successful program, and the answer varies depending on the organization, its goals, and
in some cases, the size of its security team. As more and more companies align their business
and security goals with their crowdsourced security programs, we are beginning to see a
general increase in crowd motivation and activity. By critically evaluating the
business impact of potential vulnerabilities, as well as looking at the bug market, an organization
can correctly define at any given moment what a particular bug is worth (and that value can and does
change). This leads to the next point.

The right price at the right time

An organization's security maturity is a critical factor in determining how to reward vulnerabilities.

An organization with a more mature security program has security-focused processes in place,
so finding vulnerabilities takes more time and effort. For these programs, we also support
defined program rewards for priority-based vulnerability types.

Google's recent increase, as well as 1Password's 300% increase in its top reward (to
$100,000), shows that organizations are really starting to think about the market and where the
market values vulnerabilities. However, remember that rewards should be increased
because the increase makes sense for your security organization. A "walk, walk, run" strategy is the best
way to ensure your program grows at the right time. Jet.com is a great example
of this measured approach: moving from a private to a public program and increasing rewards when it made
sense for them.

Creating a competitive program

The bug bounty market is growing rapidly and creating competition between programs. Without
proper leadership, many organizations will struggle to make their programs stand out and will lose
the race to attract the best researchers. But staying competitive isn't just about big cash prizes.
A wide scope with interesting targets will always attract talent. Don't underestimate the power of a
coordinated disclosure program. For most researchers, publication can be a form of prestige—
an expression of the skill or knowledge it took to find something remarkable. It can also be an
educational tool, educating peers about vulnerabilities found in the wild or consumers about
their risk. The ability to disclose vulnerabilities can also provide career opportunities and
community influence for individuals just starting out.

Never underestimate the power of marketing your bug bounty program. Many
organizations use their bug bounty program as an opportunity to demonstrate their
security posture. Raising rewards is a great way to show how seriously you take the security of
your organization and your customers.

While the market is constantly evolving, the key to success remains the same: attracting the
best researchers to find your vulnerabilities before adversaries can exploit them. How do you
attract top talent in bug bounty? The same way you would hire a full-time employee or
contractor: fair and competitive payments.
