Chapter 4: Scope and Budget

Date: September 7, 2021 Authors: Anil Dewan, Annika Erickson, Katie Trimble-Noble, Christopher Robinson, Deana Shick Introduction By now, we hope that you have read Chapters 1, 2, and 3, and are ready to begin scoping and budgeting your Bug Bounty program. If you haven’t read those chapters and are new to Bug Bounty, we encourage you to doContinue reading “Chapter 4: Scope and Budget”

Chapter 3: Charter Your Program & Set Strategic Objectives

Date: July 28, 2021 Authors: Anil Dewan, Annika Erickson, Katie Trimble-Noble, Deana Shick Overview If you have stumbled upon this Chapter of the Bug Bounty Framework, you may have decided that a Bug Bounty program fits your needs . Creating a program charter and defining your strategic objectives are important steps in defining why your Bug Bounty programContinue reading “Chapter 3: Charter Your Program & Set Strategic Objectives”

Chapter 2: Is a Bug Bounty Program Right for You?

Date: June 23, 2021 Authors: Sean Poris, Johnathan Kuskos, Josh Dembling, Katie Trimble-Noble, Deana Shick, Christopher Robinson Overview By now, you have read Chapter 1, and you may be wondering if a Bug Bounty program is right for your organization. You might be intrigued by the idea of interacting with researchers, and wondering about theContinue reading “Chapter 2: Is a Bug Bounty Program Right for You?”

Chapter 1: What is a Bug Bounty Program?

Date: May 4, 2021 Authors: Deana Shick, Johnathan Kuskos and Kathleen Trimble-Noble Overview  Bug Bounty programs (or, “Bug Bounties”) have quickly become a mainstay in many security programs. Bug Bounties encourage reporters (including vulnerability finders, researchers, ethical hackers, and so on) to submit vulnerabilities to an organization for rewards. This chapter covers the basics ofContinue reading “Chapter 1: What is a Bug Bounty Program?”

Announcing the Bug Bounty Framework: Demystifying Bug Bounty Programs

Date: May 4, 2021 Our Bug Bounty Community of Interest (BB COI) has been hard at work this year discussing the challenging problems many Bug Bounty programs (BBP) face, potentially including Vulnerability Disclosure Programs (VDP). Throughout our conversations and research, we noticed that there is little comprehensive guidance covering the Bug Bounty space. In anContinue reading “Announcing the Bug Bounty Framework: Demystifying Bug Bounty Programs”

Effective Communication Goes a Long Way

In response to: The Hackers’ Viewpoint: Exploring Challenges and Benefits of Bug-Bounty Programs Bug Bounties have been a mainstay in many security programs, though they do suffer growing pains from time to time. The Hackers’ Viewpoint: Exploring Challenges and Benefits of Bug-Bounty Programs uses a qualitative approach to assess Bug Hunters’ views on Bug BountyContinue reading “Effective Communication Goes a Long Way”

Call a Duck a Duck, not a Bug Bounty

In response to: https://www.darkreading.com/vulnerabilities—threats/vulnerability-disclosure-programs-see-signups-and-payouts-surge/d/d-id/1338989  While we’re happy that crowdsourced security programs are attracting positive media attention, it’s important to point out that a Vulnerability Disclosure Program (VDP) isn’t a bug bounty, and a bug bounty isn’t a VDP. Both allow for coordinated disclosure between companies and researchers, but there are some stark differences between theContinue reading “Call a Duck a Duck, not a Bug Bounty”