CHAPTER 3 Thus far we’ve gone through a lot of the blocking and tackling basics for the planning part of your bug bounty program. Chapters 1 and 2 describe many of the planning details for your bug bounty program. You’ve determined you’re ready, primed your vulnerability management processes, defined bug bounty roles and responsibilities, gone through the details of your bounty […]
Whoever is on bug bounty duty is responsible for all operational work that week, as well as continuing progress on any strategic improvements to your program. Chapter 2.2.3: Brace yourself, bugs are coming In addition to setting up an on-going rotation, you’ll want to clear out the calendars of your BBT for the first week when you launch. There’s […]
As we alluded to in the assessment questionnaire, you likely already have some vulnerability management (VM) processes in place (i.e. ensuring vulnerabilities are identified and fixed in a timely manner). In any VM process, you’re going to have streams of vulnerabilities coming in from different sources, such as: automated scanners; issues uncovered by security engineers, developers, or external consultants; or even […]
After having run or been a part of dozens of bug bounty programs, I can tell you that the experience and value derived from them heavily depend on taking a moment to assess where you’re at today. An initial self-assessment is critical to ensure you don’t jump off the deep end too early. Launching a program without this assessment can […]