Bug Bounty Program
A bug bounty program is a way to receive reports on security flaws from hackers and independent security researchers before cybercriminals can exploit those vulnerabilities.
A combination of periodic penetration tests and an active bug bounty program is the best way to ensure that an organization has a diverse pool of testers and continuous coverage.
Processing Workflow
1. Eliminate critical vulnerabilities
2. Learn what hackers know about your security
3. Reduce the risk from cybercriminals
4. Continuous crowdsourced security testing
How to launch a program
Prepare
- Choose a type of bug bounty
- Define the scope
- Set rewards
- Establish triage
- Craft the policy
- Build the internal process
- Select a provider
Launch
- Start small
- Analyze
- Exchange feedback
Refine
- Scale
- Improve
Bug Bounty validity requirements
- The policy should be published either on the exchange's site or on any trusted bug bounty platform
- The bug bounty policy should allow intrusive testing
- The whole infrastructure should be in scope
- The policy should include a structured in-scope/out-of-scope definition and clear program rules
- The program should have at least a Hall of Fame of bug hunters
- The program should publish clear statistics on reports, rewards, and SLAs