Crowd-sourced penetration testing has recently moved into the mainstream, displacing traditional penetration testing. Bug bounties, crowd-sourced penetration tests are increasingly becoming popular. For the security researchers, there are a ton of options to participate, ranging from the self-run programs to participating on consolidated platforms like BugCrowd and HackerOne.
This is, however, not the case with the vendors. The path into bug bounties can be oftentimes complex, and the most significant benefits are not always realized. This being the case, what are some of the top tips on how to get more from your bug bounty? This article describes the top six tips for participating in a bug bounty program.
1. Preparation
Selecting an experienced team for your bounty program is of utmost importance. A successful crowd-sourced penetration test involves having two teams, the researchers and the development team, actively involved in the bounty program. For an inexperienced vendor, starting out with a short-term, private bounty could help you gain experience in a controlled environment. The experience gained from the controlled program will help you plan on how to handle a larger number of researchers in a wider environment when you try a public bounty program.
2. Bounty guidelines
There is a large number of public bounties that can serve as a baseline template for your proposed test rules. Be sure to have these in place, review them, and while taking note of their differences, consider what may have led to the differences. Tailor your rules to the service being tested and provide an easy-to-understand description for the researchers. When preparing the bounty guidelines, keep in mind that the less time a researcher spends figuring out the objective of the service, the more time they will spend finding quality bugs.
3. Thematic issues
Traditional penetration tests are focused on specific areas, as explained by Sunil Kumar; they, therefore, do not find issues in the connective code between features. Crowd-sourced penetration tests, on the other hand, are scoped across the entire service. Bug bounties will allow you to pick up on issues that the overall team would consistently miss and can guide you as to where to focus your energy going forward. Also, the researchers conduct testing across the entire service, and across the whole development team, not just within only development teams.
4. Critical bugs
Crowd-sourced penetration tests researchers, also called bug bounty hunters, are often looking to earn the most from their efforts. They will therefore put lots of effort in to find many critical bugs. Critical bugs come from multiple issues that were not reported in the initial write-up.
5. Variant testing
The presence of developers on hand during a bounty can help push a patch into the staging environment even before the end of the program. Variant testing involves using these developers to look for a variant or the same bug from a different API. Developers easily find issues from retesting what they have already tested. Retesting for variances is key for critical bugs for it helps identify broader issues with the system or the processes.
6. Red Team/Blue Team
A crowd-sourced penetration test allows you to test in your staging environment in order to reduce the risks involved when testing in your production environment. The production team only uses the staging environment and, therefore, has low traffic. When testing is going on, you will have researchers from across the globe testing and reporting the issues they find. This will help in the identification of any attack since the response teams can easily follow the logs captured during the attack. As Polansky describes in his project, How to Perform Network Analysis using Wireshark, Snort, and SO, these logs can also be used later in the analysis, variant testing or retesting.
Summary
A crowd-sourced penetration test can change up the routine you have established for finding issues. Like any change in routine, there can be a few challenges at first. This article describes the top six tips for a successful bug bounty and how they can help a vendor refocus the security efforts more effectively to get a higher ROI.