Bug Bounties have been a mainstay in many security programs, though they do suffer growing pains from time to time. The Hackers’ Viewpoint: Exploring Challenges and Benefits of Bug-Bounty Programs uses a qualitative approach to assess Bug Hunters’ views on Bug Bounty programs rather than those of Bug Bounty operators, a gap area noted by the authors.
The authors surveyed 61 Bug Hunters resulting in 54 complete responses. Only a small minority (3) identified as Female or other (please see more information on our Imperative of Inclusion). While this is not an ideal cross-section, the document identifies the most common reasons why Bug Hunters do what they do — join programs, the costs and benefits of those programs, why they leave them, challenges, and so on.
From a Bug Hunter’s perspective, consistent communication – or lack thereof – is a big driver when choosing and ultimately staying with a Bug Bounty program. This is an opportunity for Bug Bounties to take note, and hopefully walk away with some actionable insights:
· Responsiveness. Bug Hunters ultimately want timely responses to their inquiries. Consistency is key.
· Manage Expectations. This goes together with Responsiveness. Anxiety comes when Bug Hunters do not have clear expectations of “what’s next,” or they don’t understand the rules of the program.
· Be a Human. Remember, you aren’t dealing with a robot on the other side of a submission (or, at least we hope not), so be respectful.
These same lessons can be applied in the opposite direction, too. Most frustration can be solved by taking a step back to assess a situation, then talking it out.
The researchers provide more insights than just the communication divide. For more information, check out the full document here.