Nowadays there are thousands of programs across several platforms, so how would you attract hackers to yours? Why would I choose your program instead of another? Why would I spend time testing your system? Think about hackers as part of your customers or investors: you have to convince them to work with you, and you have to promote your program the way you would market your products.
One big difference from a pentest is that a bug bounty program is something you build over the long term. In this article I will give some tips to charm hunters and keep them next to you.
Let’s be honest, most of the hackers in the bug bounty industry work for the money. OK, this is not the only source of motivation, as you will understand later, but still. The main reward is important, but it is not the only thing.
Pay a little bonus from time to time when a report is well detailed, when a hacker has been very imaginative and found a bug you would never expect, or when a report is not only critical but mental. When you feel hesitant, ask yourself how much you would lose if a malicious user exploited this bug; it will probably help you make the right choice.
Some companies also like to have promo time when they increase the bounties for a short period. If you use this approach, you’ll have to inform your community otherwise it’s pointless.
However, money is not the only way to reward hunters. T-shirts, caps, conference invitations, stickers: we all love a bit of swag to make our life more colorful :)
Finally, the best and easiest reward for hunters is to show them how much you respect them. Feel free to use kind words, as you would do in real life when someone shows you something impressive, and be thankful. Deliver some nice catches!
> If you’re not familiar with SLAs, check this post on Hackerone.
As I already mentioned in the previous article, 5 things to avoid in bug bounty, good communication is a requirement, as is a good Service Level Agreement. You basically have 4 metrics, all of the same level of importance for all actors:
- time to first response: notify the hacker you get the report
- time to first triage: notify the hacker if you consider the report valid or not. If yes, it’s going to be included in your internal workflow
- time to first bounty: notify the hacker how much you enjoy his work
- time to first fix: the bug is fixed
No need to say that the faster you are on all of them, the better it is for everyone. Hackers won’t work for a company that needs 6 months to triage a report, as we want to be paid fast. Bounty on triage should be standard. And you don’t want to receive the same reports about the same bugs over and over, so fixes should rain. Note that from the first response to the fix, the hacker deserves the right to be informed about everything.
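To make the four metrics concrete, here is an added example (not code from the original article) of a small SLA tracker: it measures each metric from the submission time of a report, treats a missing event as a still-running clock, and flags reports that are late or still pending past their target. The SLA targets and the report timelines are constructed sample values, not thresholds the article recommends.

```python
from datetime import datetime

# Assumed SLA targets in days (hypothetical values; the article sets none).
SLA_TARGETS_DAYS = {
    "first_response": 1,   # acknowledge the report
    "first_triage": 5,     # decide valid / not valid
    "first_bounty": 7,     # bounty on triage should be standard
    "first_fix": 30,       # bug fixed and hacker informed
}

# Which timeline event closes which metric.
METRIC_EVENTS = {
    "first_response": "responded",
    "first_triage": "triaged",
    "first_bounty": "bounty_paid",
    "first_fix": "fixed",
}

# Constructed sample timelines: (event, ISO-8601 timestamp) pairs per report.
SAMPLE_REPORTS = {
    "rpt-1": [  # a well-handled report: fast response, bounty on triage
        ("submitted", "2020-04-01T10:00:00"),
        ("responded", "2020-04-01T15:00:00"),
        ("triaged", "2020-04-03T10:00:00"),
        ("bounty_paid", "2020-04-03T10:30:00"),
        ("fixed", "2020-04-20T09:00:00"),
    ],
    "rpt-2": [  # slow first response, then the report stalls after triage
        ("submitted", "2020-04-01T10:00:00"),
        ("responded", "2020-04-04T10:00:00"),
        ("triaged", "2020-04-04T12:00:00"),
    ],
}


def _parse(ts):
    return datetime.fromisoformat(ts)


def sla_metrics_days(events):
    """Return each metric as fractional days since submission, or None if
    the closing event has not happened yet."""
    times = {name: _parse(ts) for name, ts in events}
    submitted = times["submitted"]
    metrics = {}
    for metric, event in METRIC_EVENTS.items():
        if event in times:
            metrics[metric] = (times[event] - submitted).total_seconds() / 86400
        else:
            metrics[metric] = None
    return metrics


def sla_breaches(events, now_iso, targets=SLA_TARGETS_DAYS):
    """List (metric, status) pairs where status is 'late' (event happened
    after the target) or 'pending' (event still missing and the clock has
    already passed the target as of now_iso)."""
    metrics = sla_metrics_days(events)
    submitted = _parse(dict(events)["submitted"])
    open_clock = (_parse(now_iso) - submitted).total_seconds() / 86400
    breaches = []
    for metric, target in targets.items():
        elapsed = metrics[metric]
        if elapsed is None and open_clock > target:
            breaches.append((metric, "pending"))
        elif elapsed is not None and elapsed > target:
            breaches.append((metric, "late"))
    return breaches


def sla_dashboard(reports, now_iso):
    """Map every report id to its list of breaches; empty list means on track."""
    return {rid: sla_breaches(ev, now_iso) for rid, ev in reports.items()}


if __name__ == "__main__":
    for rid, breaches in sla_dashboard(SAMPLE_REPORTS, "2020-05-15T00:00:00").items():
        print(rid, breaches or "on track")
```

Run against the constructed data as of 2020-05-15, rpt-1 is on track while rpt-2 shows a late first response and pending bounty and fix; the same loop over real tracker exports is the quickest way to see where hunters are waiting on you.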
Improve your workflow, improve your security to avoid the basic traps, create your community of hunters, refine your reward policy… Be scalable, not boring!
Enlarge the scope. Regularly add new assets to make it bigger and bigger. Or add some for a limited period, this helps to keep the game fun :)
Create a private program. Some companies like to have a secondary secret program to test new features before pushing them in production. There, you can invite some of your “favorite” members of the community. From a hunter point of view, it’s very exciting to feel that privilege.
Increase the rewards. With time, your system will become more and more secure, so it will be harder and harder to find bugs. It’s normal to increase the payments to keep hackers involved. Think about promo time as well; it’s very much appreciated.
Release the reports. As I will explain in the next chapter, public disclosure is important for the community. Release reports time after time, hackers will enjoy those readings. For instance, every month you can release the fixed reports that are 6 months old.
Disclosed reports are one of the biggest sources of learning. Sharing them is a kind of investment for the future, because you’ll help hackers gain more knowledge. And if hackers are better, they will find more bugs. Basic, simple.
This is also a nice marketing move as you show the community you care. It’s important for us to feel that companies are invested in the security industry.
Last but not least, it’s always a great pleasure for a hacker to see one of his reports released. We are proud of it, and it helps to earn the recognition of our comrades.
As mentioned in the paragraph above, being close to the community is a real advantage, but public disclosure isn’t the only way to achieve that. Take a look at the Verizon Media security team:
We are back in our "home office hours" this morning to take questions from hackers and @hacker0x01, and are also working on the next batch of event bounties! See the coins fly at https://t.co/gZGqtk8yPI #h12004— The Paranoids (@TheParanoids) April 2, 2020
This is the perfect example of how to maintain a good relationship with the community. They use Twitter as a channel of communication with hunters, they are represented at many security events, they sponsor infosec initiatives from hackers… They are really involved in our world; more than that, they are part of it, and because of that the community is grateful to them and faithful to their bug bounty program.
It’s a great source of inspiration for every security team.