Bug Bounty Field Manual For Financial Services PDF
Before you jump into a bug bounty program, take our self-assessment questionnaire to help you determine where you're at and what type of program best suits your needs.

Whether you start off with a time-bound pilot or a small-scale private program, this guide will help answer common questions as you ramp up to a full bug bounty program.
01. Preparation
First, you need to identify where those vulnerabilities are coming from: automated scanners, developers, security engineers, external consultants or even social media. The second step is prioritisation: group vulnerabilities based on severity and pass them to the relevant internal owner for resolution. When you start a bug bounty program, you're essentially adding a new stream of bugs into that existing vulnerability management process.

When launching a bug bounty program with HackerOne, you have the ability to assign a severity to each report and integrate with multiple common bug tracking systems (JIRA, ServiceNow, Mindtrack, Zendesk, GitHub), streamlining vulnerability reporting and triage efforts.

• Allocate roles and responsibilities for triaging bug reports, communicating with hackers, defining and paying bounty rewards, and vulnerability management. Weekly rotations of responsibility that fit into and around the team's regular job duties are a good way to structure this.

• Make sure you have the time and resources available the week you start accepting your first bugs, to deal with a large influx and to solve any initial issues.

Running a bug bounty internally can be a lot of work, so using a platform like HackerOne to support your team will really help with resourcing.
03. Launch
In the first day, expect to receive four serious, non-duplicate vulnerability reports. The average customer sets a target to find ten bugs in the first two weeks.

• Are they finding the types of bugs you want to see?

At this stage you may need to adjust your policy page or bounty amounts. In this scenario Hacker
What next?
It makes sense that the more hackers, scope and bounty amounts you have, the bigger, more critical bugs you'll receive and the more secure you'll become.

As you increase your scope, make sure you give hackers plenty of information to better aim their efforts at uncovering juicy bugs.

One of the most exciting places to take your bug bounty program is a Live Hacking event. HackerOne has helped companies such as Snapchat, Verizon Media, Uber, GitLab and the US Department of Defense run these events, where the top hackers fly out to hack a single target on the spot. They're a great way to develop relationships with the hacking community and get a huge number of bugs in a very short period of time.
• Find an owner - make sure you know whose responsibility the fix will be, and that that person communicates when it's done so hackers' expectations are set.

• Automate - automatically alert the people who are responsible for fixing the bugs, and set time limits for when bugs should be assigned an owner, e.g.
° Critical: 3 - 4 hours
° High: 3 - 4 days
° Medium: 1 - 2 weeks
° Low: 1 month

• Prioritise manual efforts based on the severity of the issue.

• Resolution time
° Ensure bounty hunters provide exploitability and impact information in their reports, to show developers it's worth their time.
° Learn each team's processes for accepting work inputs and how to get a security bug into the product backlog.

• Update hackers who are waiting for news on when the bug will be fixed.

The financial services industry has a particularly good reputation for delivering fast fixes, with a median of 4 days to resolution and bounty.