BUG BOUNTY ASSESSMENT AND PREPARATION

Less than 0 min read


After having run or been a part of dozens
of bug bounty programs, I can tell you that
the experience and value derived from
them heavily depends on taking a moment
to assess where you’re at today.

An initial self-assessment is critical to ensure you don’t jump off the deep end too
early. Launching a program without this assessment can actually make things worse!
Not to worry, though; to help you determine where you’re at and what type of program
best suits your needs, we’ve created an assessment questionnaire. It only takes a few
minutes to fill out, and trust me – it’s worth it.
When it comes to working with hackers, there are a few different
options. The assessment questionnaire will help you gauge
which is best for you. What are these options, you ask?
One of the biggest distinctions is whether or not you offer monetary rewards,
or “bounties,” to hackers outside of your organization that report valid security
flaws to you. Many organizations start off without bounties, with what’s called a
vulnerability disclosure program (VDP). In a bug bounty program (BBP), the
stakes are a bit higher, as you offer varying monetary rewards for issues identified
and reported to you. Another factor is time; some choose to start with a pilot
program to test the waters, which can last anywhere from a month to a year.
This guide is about running a bug bounty program, but the HackerOne platform
can also be used for vulnerability disclosure programs and crowdsourced
pen testing. You can even start off with buying just a single vulnerability!
Some HackerOne customers leverage time-bound
pilot programs in lieu of a pen test. This is another
great way to dip your toe into bug bounties.
We encourage our customers to run the bug
bounty program that works best for them. Whether
private or public, time-bound versus ongoing, a
program offering cash bounties or sticking to swag
only – we work together to create the best blend
for your organization and will grow with you.
Alright… now let’s begin our journey into bountyland!

PREPARATION

This is the most important step in any bug bounty
initiative. As mentioned earlier, it’s tempting to
jump straight off the deep end, but whether or not
you do a bit of prep work can make or break your
experience. Organizations that hit all the right notes
get amazing ongoing value out of their program.
Those who don’t can end up getting burned

Related articles

  1. BUG-BOUNTY FIELD

CHAMPION INTERNALLY

CHAPTER 3 Thus far we’ve gone through a lot of theblocking and tackling basics for the planning partof your bug bounty program. Chapters 1 and 2describe many of the planning details for yourbug bounty program. You’ve determined you’re ready, primed your vulnerability managementprocesses, defined bug bounty roles and responsibilities, gone throughthe details of your bounty […]
  1. BUG-BOUNTY FIELD

BUG BOUNTY DUTY

Whoever is on bug bounty duty is responsible for alloperational work that week, as well as continuing progresson any strategic improvements to your program. Chapter 2.2.3: Brace yourself, bugs are coming In addition to setting up an on-going rotation, you’ll want to clearout the calendars of your BBT for the first week when you launch.There’s […]
  1. BUG-BOUNTY FIELD

Vulnerability Management

As we alluded to in the assessment questionnaire, you likely alreadyhave some vulnerability management (VM) processes in place (i.e.ensuring vulnerabilities are identified and fixed in a timely manner).In any VM process, you’re going to have streams of vulnerabilitiescoming in from different sources, such as: automated scanners; issuesuncovered by security engineers, developers, or external consultants;or even […]
Next