Aachen 8 days ago

I work in the field so it's hard to know what info you might be missing. To me it seems quite straightforward: you post to your website somewhere that you're happy to have people probe your technical security provided that they follow coordinated vulnerability disclosure (you'll want to flesh it out a tad more than this one sentence of course) and what kind of reward you're willing to hand out for what kind of bug and in which part of the scope. Any exclusions, such as that you won't pay out to young or old people or if you're born in the wrong country and got sanctioned or so, are also things you'll want to mention up front to prevent sour grapes afterwards.

Perhaps I can answer a specific question or look for good pointers if you have a specific question about this?

  • cantSpellSober 8 days ago

    Thanks! Any good examples?

    Valve comes to mind: https://hackerone.com/valve?type=team

    • Aachen 8 days ago

      I'm not a bounty hunter myself, but trying to think beyond the big names I found the Dutch government's <https://english.ncsc.nl/contact/reporting-a-vulnerability-cv...> as an example that looks good to me. One point of improvement could be that they're not very concrete about any reward (or the lack thereof, also fine, but better to be up front). Some of the exclusions are also a bit broad, e.g. I'd still say XSS on a static site is worth fixing even if it's not a major risk, but I can understand where they're coming from when you consider there are thousands of websites run by the government. On the plus side, they give a clear timeline so you know they're going to pick it up in a timely manner, and they have practical guidelines on what (not) to do.

      Just remembered: one thing I didn't like about e.g. Google's report mechanism is that it basically required a Google account. There were instructions for if you don't have one, but they didn't work (probably outdated), so you just have to agree with the extremely broad blanket statement that is the Google privacy policy. That could be something to avoid if you're setting up a policy of your own: don't require agreeing to wholly unrelated terms; hackers (in the HN sense of the word) sometimes don't take very well to that.

      A good experience I had was with Threema (private/encrypted chat application like Wire or Signal). The report process consisted of just sending a service account a chat message (probably there are also other ways), which was nice and easy. My report turned out to be mostly invalid (the risk was real but my imagined fix was flawed, and it turned out contact discovery is a hard problem), but their answer was quick and thorough; I was impressed that they didn't just brush it off like so many orgs do.

      Being on something like Hackerone, like Valve and Keybase, has pros and cons. I'm probably just old, but it feels odd to me to let direct threats to your organisation be handled by a third party, sometimes even having them triage and decide whether to inform your org of a claimed vulnerability at all (recent story on HN; probably it works fine in 99% of cases), as well as it being an instance of having to sign up for something unrelated when I just want to ping an email address with the steps to reproduce. On the other hand, it standardises the whole thing so you know where to find different things if you use it more than the sporadic amount I have. I also wonder if this attracts the beg bounty hunters who see potential easy money, based on the fact that the orgs on Hackerone seem to take reports less seriously when you didn't invest a ton of time in developing an exploit, or if the causality is reversed (maybe they chose Hackerone because they already had too many beg reports, hoping to be able to use accounts' reputation as an indicator for triage).