Program Manager’s Guide To Running a Successful Bug Bounty Program
How to run a bug bounty program hackers will love to hack on.
Running a bug bounty program is pretty rough. You’ve got to balance a lot of variables - your organization’s goals and budget, fairness to hackers, managing the resources you’ve got to make it all come together - it’s a lot.
So, here are a couple of tips to help you get the most for your time and build some solid rapport with the hacker community. Take it from us - the hackers haha
1. Hack the Hackers
At the end of the day, there are only a few types of bug hunters: the greenhats (in it for the cash), the passion players (in it for the hackz - or technical intrigue), and the professionals (in it for the career boost). Let’s peek at how we can play to each of these types of hackers:
The greenhat
These hackers are in it for the cash. So find a way to pay a decent bounty, and add a $100 bonus or something like that. That goes a LONG way (much longer than the $100 is worth) to show them you appreciate their work and establish you in their mind as a good program.
Pay consistently - if you paid a bug at X before, don’t spontaneously move it to X-Y. If you do, let the hacker know in advance on the report where you paid X, BEFORE they report their next bug.
The passion players
These hackers are in it for the love of the game - so compliment them on their technical report and great findings. “Dang, this is an amazing chain.” or “Ah wow, you really made the stars align on that one, huh?” will be a comment they won’t forget.
If you can, give them technical insight into the backend - what caused the vulnerability. These hackers love to know what is going on, so if you help them understand it better, they will love you for it.
The professionals
These hackers are looking for hacking experience and great quotes to go on their website or resume. They may also care more about disclosure. Offer (either in your policy or in a comment on the report) to help them disclose the bug, give them a quote on their great work, or add them to the public hall-of-fame on your website (which you’ve got, right?)
These hackers also love to be “offered jobs” on reports. Whether you mean it or not, it may be great to imply you’d love to have them on the team - that’ll make their day and set you as a core program for them.
2. The Policy Page
The policy page of your bug bounty program is super important, as that is where most hackers will read, and then drop off if you don’t hook them. Here are a couple things we recommend to make your policy page stand out:
Clear headers for each section (### or ####) and short paragraph body - keep it concise.
Remove a lot of the template program garbage, or put it at the end in a separate section.
Avoid things like VPNs, difficult processes to get started.
Give an update on vulns that are out-of-scope or long-lasting vulns that will take a while to be fixed.
Be VERY clear about your threat model - what vulns do you like/dislike? What security boundaries are important to your organization?
Providing any of the above goodies will really make you stand out, and will help hackers get started faster on your program, even if you don’t have the highest bounties in the world. Speaking of which…