BugCrowd Releases Guidelines for Effective Bug Bounty Programs

This Friday, BugCrowd published a set of guidelines they believe will be the most effective way to attract skilled engineers and programmers to the world of whitehat Internet activism, wherein everyday hackers can utilize their deep toolbox of skills to assist companies in discovering zero-days and patching them, rather than exploit the weakness on the underground market for short-term, albeit lucrative, profits.

Researcher and author of the instruction manual Drew Sing suggests in so many words that companies must offer cash if they expect anyone to take the bounty seriously, and while he understands many of them will never be able to match the massive lumps of cash that illicit zero-day dealers can make in a few days of work, that shouldn’t stop them from trying to keep up in the face of overwhelming odds.

Because while zero-days sold on the underground market can net anywhere from a dollar up to several million on a single sale (depending on the quality of the hack and the popularity of the program being exploited), companies like Google and Microsoft are learning more and more that to win this battle they’ll have to fight fire with fire, and offer up similarly overzealous prizes for hackers who choose the path of light over the dark.

More prolific examples include the Pwn2Own contest held annually at PACWest, and more recently, the SOHOpeless event which went down at this year’s DEFCON 22 in Las Vegas. In these exhibitions, teams of researchers from dozens of high-level research facilities and universities duke it out in a series of cracking contests which can be anything from something simple like finding a zero day in a limited amount of time before the competition does, or as ridiculous as a “router relay race”, which finds hackers physically running across the show floor from one bugged checkpoint to the next, passing off a baton to their teammates in an all-out sprint to the finish.

By adding in a healthy dash of good sportsmanship, organizers of these types of gatherings have shown the importance of what they’re doing and see it for the necessary good that it is, but also know many of the people they’ve temporarily employed to break their software in half could turn to other avenues of revenue if the bounty isn’t set high enough, or the effort doesn’t feel proportionate enough to the reward.

When this happens, the public backlash alone is enough to scare anyone away from using your services in the future, not to mention the flurry of bad press that will show up on your doorstep every morning for the next few months at least. If Yahoo!’s $12.50 voucher debacle was any indication of “what not to do, and what happens when you do”, offering anything below market rate will result in a torrent of angry letters and forum posts that could destroy your reputation in seconds if picked up by the wrong journalist.

“A high priority security issue handled improperly could damage the reputation of the organisation … the development, IT and communications team are all critical components to a successful program,” Sing wrote.