Program Manager’s Guide To Running a Successful Bug Bounty Program

by Rhynorater (Justin Gardner)

Running a bug bounty program is pretty rough. You’ve got to balance a lot of variables - your organization’s goals and budget, fairness to hackers, managing the resources you’ve got to make it all come together - it’s a lot.

So, here are a couple of tips to help you get the most for your time and build some solid rapport with the hacker community. Take it from us - the hackers haha

1. Hack the Hackers

At the end of the day, there are only a few types of bug hunters: the greenhats (in it for the cash), the passion players (in it for the hackz - or technical intrigue), and the professionals (in it for the career boost). Let’s peek at how we can play to each of these types of hackers:

  • The greenhat

    • These guys are in it for the cash. So find a way to pay a decent bounty, and add a $100 bonus or something like that. That goes a LONG way (much longer than the $100 is worth) to show them you appreciate their work and establish you in their mind as a good program.

    • Pay consistently - if you paid a bug at X before, don’t spontaneously move it to X-Y. If you do, let the hacker know in advance on the report where you paid X, BEFORE they report their next bug.

  • The passion players

    • These hackers are in it for the love of the game - so compliment them on their technical report and great findings. “Dang, this is an amazing chain.” or “Ah wow, you really made the stars align on that one, huh?” will be a comment they won’t forget.

    • If you can, give them technical insight into the backend - what caused the vulnerability. These hackers love to know what is going on, so if you help them understand it better, they will love you for it.

  • The professionals

    • These hackers are looking for hacking experience, and great quotes to go on their website or resume. They may also care more about disclosure. Offer (either in your policy or in a comment on the report) to help them disclose the bug, give them a quote on their great work, or add them to the public hall-of-fame on your website (which you’ve got, right?)

    • These guys also love to be “offered jobs” on reports. Whether you mean it or not, it may be great to imply you’d love to have them on the team - that’ll make their day and set you as a core program for them. 

2. The Policy Page

The policy page of your bug bounty program is super important, as that is the first thing most hackers will read, and where they drop off if you don’t hook them. Here are a couple of things we recommend to make your policy page stand out:

  • Clear headers for each section (### or ####) and short paragraph body - keep it concise.

  • Remove a lot of the template program garbage, or put it at the end in a separate section.

  • Avoid things like VPNs and other difficult processes to get started.

  • Give an update on vulns that are out-of-scope or long-lasting vulns that will take a while to be fixed.

  • Be VERY clear about your threat model - what vulns do you like/dislike? What security boundaries are important to your organization?

Providing any of the above goodies will really make you stand out, and will help hackers get started faster on your program, even if you don’t have the highest bounties in the world. Speaking of which…

3. Offer Attractive Bounties

Money is a major motivator for most bug hunters, so let’s set some standards. Ideally, a program would have:

Lows: $300-$1000

Mediums: $1000-$3000

Highs: $3000-$10000

Crits: $10000-up

That is kinda where the industry is at right now. If you can’t make these bounties happen for your org then that’s ok, you just need to make up for it in other ways. For example, here are some other bounty-related ways you can stand out:

  • Be consistent and clear with your rewards - when you assign a bounty, state why it got that rating, and stick to this for future vulns. If a hacker proves the same impact, then give the same bounty (or more).

  • Pay fast - pay on triage or within 1 week of validation.

  • Provide increased bounties for difficult scope like mobile apps, desktop apps, crypto, etc.

  • Treat your hackers to dinner with a $50 or $100 bonus from time-to-time: “Dinner is on us for this one!”

  • Bonus for momentum, well-written reports/great PoCs, great chains, etc

Also, ofc, there are always promotions. We love directed promotions (3x on SSO related bugs, or something of the like). If possible, provide additional resources to help the hacker succeed in conjunction with these promotions to get the best results. 

4. Be human with the hackers - build relationships and communicate

When you’re a hacker and you’ve built an awesome exploit you’re excited about, it sucks to just send a ticket into the void and not hear back from the team until they assign a bounty 1 tier lower than you expected (ask me how I know). 

Any additional communication you can do with the hackers is great. For example, you might encourage the hacker with a “Dang, nice find!” or “Oh shit… That looks bad” or something like that. This always gets a smile from our side - 100% worth the effort, trust me.

Some other good communication practices include:

  • Setting up a discord or slack server (let us know if you want a channel in the CTBB Discord!)

  • Setting up a VIP program for your top hackers

    • Let them tell you about hunches they may have, then investigate 😍

  • Clear communication in policy page about threat model and security boundaries

  • Set up “Hacker of the Quarter” bonuses or awards - could be swag, could be $. Either way, this is a best practice for sure

5. Help us hack

If you give us technical resources to help us hack better, we will love you. Here are some ideas:

  • GraphQL schema or API specs

  • DNS zone files

  • Beta features

  • Free premium accounts

  • Architecture specs

  • SSRF Sheriffs

  • Source map files for your JS

  • Source code (plz - we’ll sign NDAs!)

  • Docker images

  • Custom tooling to remove obfuscation (SSL Pinning, client-side encryption on web apps, etc)

  • Change-log notifications

Any of these would be massively appreciated and would make the program stand out. A lot.

6. Analyze

You should know your program better than anyone else. Analyze what is going on in your attack surface and share that data with the hackers! Are 50% of your vulns AuthZ bugs? Let us know. Have you been struggling to rein in stray cloud assets? Tell me. Any information you can provide about how to better attack your org would be really great.

Here is some data you should track:

  • Which pieces of scope get a lot of attention (and a little attention)?

  • What vuln classes are you most vulnerable to?

  • What vuln classes have triggered the greatest impact?
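As an added example (not from the original article), here is a small Python script over a constructed set of triaged reports that tracks the three data points above and also checks the payout consistency and bounty tiers recommended in section 3; the asset names, vuln classes, report IDs and amounts are made up.

```python
from collections import Counter, defaultdict

# Constructed sample of triaged reports (hypothetical data, not a real program's).
REPORTS = [
    {"id": 1, "asset": "api.example.com", "vuln": "IDOR", "severity": "high",   "bounty": 4000},
    {"id": 2, "asset": "api.example.com", "vuln": "IDOR", "severity": "high",   "bounty": 2500},
    {"id": 3, "asset": "www.example.com", "vuln": "XSS",  "severity": "medium", "bounty": 1500},
    {"id": 4, "asset": "api.example.com", "vuln": "IDOR", "severity": "medium", "bounty": 1200},
    {"id": 5, "asset": "mobile-android",  "vuln": "SSRF", "severity": "high",   "bounty": 5000},
    {"id": 6, "asset": "www.example.com", "vuln": "IDOR", "severity": "low",    "bounty": 500},
]

# Bounty tiers from section 3 of the article (USD); crits are open-ended.
TIERS = {"low": (300, 1000), "medium": (1000, 3000), "high": (3000, 10000), "critical": (10000, None)}


def scope_attention(reports):
    """Reports per asset, most attention first, so under-tested scope stands out."""
    return Counter(r["asset"] for r in reports).most_common()


def vuln_class_share(reports):
    """Fraction of reports per vuln class ('are 50% of your vulns AuthZ bugs?')."""
    counts = Counter(r["vuln"] for r in reports)
    total = len(reports)
    return {v: round(n / total, 2) for v, n in counts.items()}


def payout_consistency(reports):
    """(vuln class, severity) pairs that were paid different amounts.
    Same proven impact should get the same bounty (or more)."""
    paid = defaultdict(set)
    for r in reports:
        paid[(r["vuln"], r["severity"])].add(r["bounty"])
    return {k: sorted(v) for k, v in paid.items() if len(v) > 1}


def below_tier(reports):
    """IDs of reports paid under the tier floor for their severity."""
    return [r["id"] for r in reports if r["bounty"] < TIERS[r["severity"]][0]]


if __name__ == "__main__":
    print("scope attention:", scope_attention(REPORTS))
    print("vuln class share:", vuln_class_share(REPORTS))
    print("inconsistent payouts:", payout_consistency(REPORTS))
    print("paid below tier floor:", below_tier(REPORTS))
```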

7. Advertise

The other possibility is that the hackers just haven’t seen/heard of your program. There are a lot of programs constantly vying for hackers’ attention. One of the ways you can stand out is by advertising with hacker influencers (such as Critical Thinking - shoot us an email at [email protected] if you wanna talk) or by spending time in hacker discords (like, for example, https://ctbb.show/discord).

That’s a wrap on this one! Here is a helpful table of many of the tips! Feel free to contact us and let us know if you’ve got questions or want anything added to the article.

Rhynorater & the CTBB team

Tips - Difficulty to Implement VS Impact to Hacker Matrix

| Tip                                   | Importance to Hackers | Difficulty to Implement |
|---------------------------------------|-----------------------|-------------------------|
| Add small bonuses to bounties         | High                  | Low                     |
| Pay consistently and clearly          | High                  | Medium                  |
| Compliment technical findings         | High                  | Low                     |
| Provide backend insights              | Medium                | Medium                  |
| Support disclosure or give quotes     | Medium                | Low                     |
| Create a hall-of-fame                 | Medium                | Low                     |
| Clean and concise policy page         | High                  | Low                     |
| Offer pre-populated test accounts     | High                  | Medium                  |
| Provide API docs and recon data       | High                  | Medium                  |
| Attractive bounties                   | High                  | High                    |
| Pay quickly                           | High                  | Low                     |
| Bonuses for specific circumstances    | High                  | Low                     |
| Promotions for specific bug types     | Medium                | Medium                  |
| Human communication (e.g., comments)  | High                  | Low                     |
| Set up a Discord/Slack server         | Medium                | Medium                  |
| VIP programs                          | Medium                | Medium                  |
| "Hacker of the Quarter" awards        | Medium                | Low                     |
| Provide architecture specs, etc.      | High                  | High                    |
| Share vulnerability data              | Medium                | Medium                  |