Bug Bounties

Published: May 28, 2020, 1 p.m.


All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-bug-bounties/)

What is the successful formula for a bug bounty program? Should it be run internally, by a third party, or should you open it up to the public? Or, maybe a mixture of everything?

Check out this post for the basis for our conversation on this week\\u2019s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Justin Berman (@justinmberman), head of security, Dropbox.

Thanks to this week\'s podcast sponsor, Cmd.


Cmd provides a lightweight platform for hardening production Linux. Small and large companies alike use Cmd to address auditing gaps, implement controls that keep DevOps safe, and trigger alerts on hard-to-find threats. With out-of-the-box policies that make setup easy, Cmd is leading the way in native protection of critical systems.

On this episode of Defense in Depth, you\\u2019ll learn:

  • Like red teaming, you need outside eyes looking at your environment and vulnerabilities.
  • There was much debate between internal, private, and public bug bounty programs. But it was agreed that if you do them, that you do them in that order.
  • There was another concern regarding the cost of a bug bounty program. Whether you do them or not, you\'re still going to pay for coding errors and vulnerabilities one way or another. It\'s either upfront or later.
  • Those new to bug bounty programs are not aware of the additional costs of management and engaging with the researchers and white hat hackers. That is a critical part of the bug bounty program.
  • Before you begin, set up a system to manage the flow of problems reported. If not, you and your staff could very quickly be overwhelmed.
  • Having a consistent and clear way you handle the findings is often more important than the findings.
  • Have you allocated budget to remediate the findings? Are you going to need to make cases as each weakness is found?
  • Keep in mind that companies don\'t go into bug bounty programs for the same reason. Some go into it for reasons of publicity or forming relationships with researchers.
  • Communications between your engineers and the bug bounty researchers is critical. If your team is non-responsive, the bug bounty program could backfire.
  • Most people are wary of public bug bounty programs because of the low signal-to-noise ratio. As there is a rush for attention and money, the whole effort may implode.
