Building a World-Class Bug Bounty Program (Part I: An Intro)


This is the first in a series of posts exploring Bug Bounty Programs (BBPs) in general, and the Program created and managed by Zenefits’ Security Team specifically.

Two years ago, the Zenefits security team made the decision to start a private bug bounty program. The purpose was simple: invite the security community to test our products and help us identify weak areas. As the head of our internal Red Team, I inherited the program when I joined in June of 2015, and since then, I’m proud that we’ve built a program that security researchers consistently claim as one of their favorites and a best-in-class managed bounty program.

An Introduction to Bug Bounty Programs

Before diving into Zenefits’ BBP, I want to discuss why a company would consider launching a bug bounty program in the first place. From conversations with many bounty program managers, I’ve found that most programs exist for the same reason: the organization wants to know about vulnerabilities in its systems before those issues are discovered by anyone else. It’s a fact that any platform, software, product, or service made available via the Internet will be under attack. By inviting good hackers (AKA “security researchers”) to test them, companies can get ahead of these attacks and discover potential security issues through a report rather than via a ransomware attack, company data turning up for sale on the dark web, a PR firestorm on Twitter, etc.

Interestingly, the above description of BBPs sounds like it could have been borrowed from an explanation of a penetration test. While similar, there are a few critical differences between a pen test and a bug bounty program. First, pen tests tend to have a short duration, typically spanning less than two weeks; BBPs, in contrast, are usually ongoing. Second, pen tests primarily use an individual or small team to conduct their testing efforts; a BBP leverages the power of the community to bring a wide variety of skills and expertise to the testing. Third, pen tests are typically a service offering that comes with a fixed price; all BBPs that I’ve seen pay only for the results they receive (plus any administrative costs, of course). There are other differences, but these three are the most important.

The concept of a Bug Bounty Program is not particularly new. An engineer at Netscape is widely credited with launching the first BBP back in 1995, and he has been lauded for contributing to the company’s success. These days, BBPs are becoming quite common, and the number of vendors who offer platforms and services around them is steadily increasing. As more companies launch their own programs, BBP managers must ensure that their programs stand out in some way that will attract security researchers to the program and retain them in it. Researcher retention is critical for a successful program because, as everyone in the information security industry knows, finding top talent is essential and very difficult, and security researchers are no exception.

Since the beginning, a successful bug bounty program has required collaboration between four stakeholders: the security researchers, the company’s management, the company’s security team, and the engineers that built the company’s assets. We’ll later discuss important considerations around managing each group’s expectations and how Zenefits’ guiding principles work to keep all parties involved and happy. We’ll also discuss a few real-world horror stories that highlight where programs have gone wrong.

Common Question: Aren’t we just opening ourselves up for trouble? Won’t the bad guys come after us, too, along with the security researchers?
Great question. Unfortunately, I have some bad news: you’re already a target. Put simply, if you’re online, you’re a target. Of course, different businesses may be more or less of a target depending on size, industry, media cycle, and many other factors. Consider, for example, a small business that has partnered with Facebook and is processing some of their user data; criminals are much more likely to go after the weakest link, the small business, rather than try to attack Facebook directly. As a rule: any business that’s online will be targeted at least by bots and possibly by much more advanced attackers. Having a well-run BBP will help a company detect issues before a malicious attacker can find and abuse them.

Common Question: If we launch a bounty program, will we be secure? Are there other things we should be doing?
A bug bounty program is not a solution for all things application security. Instead, it’s critical that the BBP be one part of a larger security ecosystem that includes designing security into products, providing secure coding training for your developers, implementing a secure software development lifecycle (SDLC), writing rainy day tests in addition to standard functional tests, conducting static code analyses, and conducting ongoing internal and external pen tests, audits, and reviews. A properly implemented BBP will be the last line of defense in a defense-in-depth approach to security.

In our next post, we’ll discuss the first steps you should take toward your own BBP, when and how to ramp up a program, and why some companies should never start a BBP.