Chapter 4. Building a New Feedback Loop by Starting a Bug-Bounty Program
Bug-bounty and responsible-disclosure programs are incredibly useful.
Note
Bounties and responsible-disclosure programs can be completely separate activities. I’m using them interchangeably in this chapter simply for brevity, but I highly encourage anyone looking further into launching one to specifically understand the difference and choose whatever is the right starting point for your organization.1
If you’re not working toward launching one at some point, I strongly suggest considering it. Often, security or technology leaders are worried either about having the funds to support bug bounties or about inviting attacks on the organization. However, my experience is that these two concerns are much smaller issues in practice than you would expect.
Many organizations have embraced bug-bounty and responsible-disclosure programs in the past few years for two key reasons:
Bug bounties give you a real-time and ongoing feedback loop that highlights where your security program is succeeding and where it is failing.
Bug bounties provide an avenue and incentive for researchers to report serious vulnerabilities they previously might not have shared (or simply sent directly to the press or security mailing lists).
Because both of these reasons offer major advantages to organizations with a program in place, it’s no wonder bug-bounty programs have seen such a high rate of adoption.
In this chapter, I share experiences ...