05-28-20 - Pre-Launch Tips for Bug Bounty Programs

Pre-Launch Tips for Bug Bounty Programs

May 28, 2020

CISO | Security Vendor Relationship Series

This week's episode of Defense in Depth

Bug Bounties

Defense in Depth: Bug Bounties

 On this episode of Defense in Depth:

Co-host Allan Alford and guest Justin Berman, head of security, Dropbox, discussed:

  • Like red teaming, you need outside eyes looking at your environment and vulnerabilities.

  • There was much debate between internal, private, and public bug bounty programs. But it was agreed that if you do them, that you do them in that order.

  • There was another concern regarding the cost of a bug bounty program. Whether you do them or not, you're still going to pay for coding errors and vulnerabilities one way or another. It's either upfront or later.

  • Those new to bug bounty programs are not aware of the additional costs of management and engaging with the researchers and white hat hackers. That is a critical part of the bug bounty program.

  • Before you begin, set up a system to manage the flow of problems reported. If not, you and your staff could very quickly be overwhelmed.

  • Having a consistent and clear way you handle the findings is often more important than the findings.

  • Have you allocated budget to remediate the findings? Are you going to need to make cases as each weakness is found?

  • Keep in mind that companies don't go into bug bounty programs for the same reason. Some go into it for reasons of publicity or forming relationships with researchers.

  • Communications between your engineers and the bug bounty researchers is critical. If your team is non-responsive, the bug bounty program could backfire.

  • Most people are wary of public bug bounty programs because of the low signal-to-noise ratio. As there is a rush for attention and money, the whole effort may implode.

Thanks to this week's sponsor of Defense in Depth, Cmd.

Cmd

provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems.

 

Steve Salinas, Deep Instinct on Prevention vs. Detection and Containment

 Upcoming Video Chat 

  

TOMORROW! Friday [5-29-20] Hacking Zero Budget Security

Join us for “Hacking Zero Budget Security: An hour of critical thinking about what you can do with an all-star security team and no budget for tools”.

It's happening on Friday, May 29th, 2020 at 10 AM Pacific/1 PM EasternLeading the conversation with me will be Matthew Southworth, CISO, Priceline and Justin Berman, head of security, Dropbox.

  

Next FRIDAY! [6-5-20] CISO Series Video Chat: Hacking the Risk Decision Making Process

Join us next Friday, June 5th, 2020 at 10 AM Pacific/1 PM Eastern for "Hacking the Risk Decision Making Process: An hour of critical thinking on how we look at risk from all areas of the business".I'll be there leading the discussion with Tony Sager, senior vp and chief evangelist, Center for Internet Security and Marnie Wilking, global head of security & technology risk management at Wayfair.REGISTER.

Brandon Traffanstedt, CyberArk on the what hasn't changed post COVID-19

SUBSCRIBE TO BOTH PODCASTS

Go ahead and click on any of these links to subscribe to the podcast feed of your favorite podcast catcher.

If you're already a subscriber, THANK YOU! If you like either or both shows, please tell all your friends on social media and write a review on iTunes.