Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

Bug Bounty Field Manual For Financial Services PDF

Download as pdf or txt
Download as pdf or txt
You are on page 1of 14

Welcome to Your Bug

Bounty Field Manual


More financial services organisations than ever before
are turning to hackers to help keep their customer’s
finances and data safe.

THE BUG BOUNTY FIELD MANUAL HACKERONE 1


There has been a 41 percent increase in financial service
organisations adopting hacker powered security in the
last 12 months with names such as Goldman Sachs,
Paypal and Starling Bank all using hackers to secure them.

Before you start

Before you jump into a bug bounty program, take our Whether you start off with a time bound pilot or
self-assessment questionnaire to help you determine a small scale private program, this guide will help
where you’re at and what type of program best suits answer common questions as you ramp up to a full
your needs. bug bounty program.

There are a few different options when it comes to


working with hackers. Many organisations start off
with a Vulnerability Disclosure Program (VDP), which
is where you simply give hackers a clear channel
through which to report vulnerabilities, without the
expectation of payment. A Bug Bounty Program
actively incentivises hackers to report vulnerabilities
through financial rewards. Another option is to run a
crowd-sourced pentest, which is time-bound like a
traditional pentest, but engages a wider community
of researchers with a wider skillset and only pays out
for results.

THE BUG BOUNTY FIELD MANUAL HACKERONE 2


THE BUG BOUNTY FIELD MANUAL

01. Preparation

THE BUG BOUNTY FIELD MANUAL HACKERONE 3


Preparing for Vulnerability Allocate resources

Management Running a bug bounty program is going to involve


your existing security team so it’s important to
Before you start accepting reports, you need set expectations of what the program will entail:
to make sure you have some vulnerability
management in place. This will ensure vulnerabilities • Choose a leader to own and champion the bug
are identified and fixed in a timely manner. bounty initiative and build a team.

First, you need to identify where those • Allocate roles and responsibilities for triaging
vulnerabilities are coming from; automated bug reports, communicating with hackers,
scanners, developers, security engineers, external defining and paying bounty rewards and
consultants or even social media. The second step vulnerability management - weekly rotations
is prioritisation, you need to group vulnerabilities of responsibility that fit into and around the
based on severity and pass them to your relevant team’s regular job duties are a good way to
internal owner for resolution. When you start a bug structure this.
bounty program, you’re essentially adding a new
stream of bugs into those existing vulnerability • Make sure you have the time and resource
management process. available the week you start accepting your
first bugs to deal with a large influx and to solve
When launching a bug bounty program with any initial issues.
HackerOne, you have the ability to assign a
severity to each report and integrate with multiple Running a bug bounty internally can be a lot of work
common bug tracking systems (JIRA, Service so using a platform like HackerOne to support your
Now, Mindtrack, Zendesk, Github), streamlining team will really help with resourcing.
vulnerability reporting and triage efforts.

THE BUG BOUNTY FIELD MANUAL HACKERONE 4


Preparing for Payments
Set expectations for hackers. You don’t need to Define service level agreements
initially start paying out enormous bounties. Set up
a bounty table that clearly sets out how much you Set up a well defined service level agreement (SLA) on
are willing to pay for various bugs based on severity. your policy page. Set expectations by confirming the
HackerOne can show you the average award time to triage, time to bounty and time to remediation.
amounts across the programs on our platform.
The top bounty awarded by a financial services firm Define rules
was $15,000 and last year financial services firms
paid out nearly $1 million in bounties, however, the To ensure a smooth and transparent process that
average bounty paid by financial services firms for engenders trust for both parties, include the following
a critical vulnerability on HackerOne’s platform is on your rules page:
$1664. The average for any bug is $771.
1. A well-defined scope

Set up your payment 2. Bounty structure

process 3. Qualifying vs non-qualifying vulnerabilities

Hackers come from all over the world and need to


4. Service level agreements
be paid in local currencies. HackerOne manages
payments in hundreds of different currencies and
5. Eligibility/participation requirements
handles compliance, taxation, processing fees and
exchange rates.
Read more about crafting your rules page here.

THE BUG BOUNTY FIELD MANUAL HACKERONE 5


THE BUG BOUNTY FIELD MANUAL

02. Champion Internally

THE BUG BOUNTY FIELD MANUAL HACKERONE 6


Championing a bug bounty program requires buy in from
multiple stakeholders to be on board, and it’s important
to be clear about the benefits. This will help you launch
successfully, create clear feedback loops and, ultimately
improve your security posture.
• The Security team will need to understand • While most organisations start with a small
how the bug bounty program will fit into their private program, working with hackers can still
existing processes and when they need to raise questions from the PR/Comms team.
prepare for controlled influx. Get their buy-in by demonstrating that running
• Engineering teams can be brought on board a bug bounty program can be a positive story
by empowering them to fix bugs themselves for taking security seriously.
and keep the conversation open about building Check out HackerOne’s case studies to see
security in throughout the development
how others have proudly told their stories.
process. Set expectations about when and how
the fixes will be completed and how much time If you’ve done a good job of championing internally,
this will take out of their day. you should then have a fair amount of leeway in
terms of leading decisions around changes in your
• HackerOne makes it easy to pay hackers so
Finance teams aren’t dealing with multiple scope, policy, and processes.
currencies and financial red tape. Your financial
team can help you decide whether to make a If you need any assistance in convincing internal
deposit for bounties in advance or pay as you stakeholders that a bug bounty program is a
go by credit card. good idea, we share some additional advice and
guidance here.
• Bring your Legal team on board by giving them
a say in setting the guidelines that will avoid
legal repercussions for hackers.

THE BUG BOUNTY FIELD MANUAL HACKERONE 7


THE BUG BOUNTY FIELD MANUAL

03. Launch

THE BUG BOUNTY FIELD MANUAL HACKERONE 8


Now everything’s in place, it’s time to push go and start
seeing those juicy bugs roll in.
In the beginning

To make sure you start at a manageable point,


we recommend starting with a private program, REVIEW RECAP
inviting five hackers and putting a couple of items in Some other questions to ask yourself as bug
scope. You can easily add more when you’re ready. reports start coming in:
Beginning with a manageable amount of hackers
• Are they what you expected?
contributing to your program enables you to test
your processes. • Are hackers hitting the right targets?

In the first day, expect to receive four serious, • Are they finding the types of bugs you want
non-duplicate vulnerability reports. The average to see?
customer sets a target to find ten bugs in the first
two weeks. At this stage you may need to adjust your policy
page or bounty amounts. In this scenario Hacker

Scaling up feedback is invaluable, they have a wealth of


experience and will be able to offer insight
Once you’re in the flow of triaging reports and and advice on any changes that need to be
dealing with the bugs, you can look to increase the made. Give them feedback too about report
reports you receive and incentivise participation by: preferences and what bugs you care most about

1. Increase the scope of your program - best for


if you’ve already received plenty of reports and You can read more about bug bounty first

improved security on your initial scope impressions here.

2. Add more hackers to your program - best for if


you want loads of eyes on one or two properties

3. Up your bounty amounts - best for if you want


to increase your higher severity reports.

THE BUG BOUNTY FIELD MANUAL HACKERONE 9


THE BUG BOUNTY FIELD MANUAL

What next?

THE BUG BOUNTY FIELD MANUAL HACKERONE 10


Scale your program
There are many exciting routes you can take your Scaling also comes with logistical challenges, so we’d
bug bounty program now that it’s up and running. advise automating processes as much as possible — the
Maybe you’re now looking for the next challenge more efficient those processes are, the easier it will be to
and the thrill of even bigger and better results. handle a larger load of reports.

It makes sense that the more hackers, scope and One of the most exciting places to take your bug bounty
bounty amounts you have, the bigger, more critical program is to a Live Hacking event. HackerOne has
bugs you’ll receive and the more secure you’ll helped companies such as Snapchat, Verizon Media,
become. Uber, GitLab and US Department of Defence run these
events where the top hackers fly out to hack a single
As you increase your scope, make sure you give target on the spot. They’re a great way to develop
hackers plenty of information to better aim their relationships with the hacking community and get a huge
efforts at uncovering juicy bugs. amount of bugs in a very short period of time.

As you invite more hackers to your program, you


might consider taking it public so that any hacker
can submit a bug. You’ll see a lot of noise when you See a recap of our Live Hacking event in London here.
go public but you can tamper this down with signal
requirements and amending bounty amounts to
make sure you’re only paying out large amounts for
the most critical bugs.

THE BUG BOUNTY FIELD MANUAL HACKERONE 11


Improving vulnerability management practices
Security only improves when bugs are fixed, not when • Identify where people and process problems
they are found. are causing a slow down in vulnerability
management
As the program grows, vulnerability management
processes will need to catch up. This can be a ° Understand the developer’s perspective
challenge so we’re sharing our best practices on this: and workload

• Find an owner - make sure you know whose ° Ensure bounty hunters provide
responsibility the fix will be, and that person exploitability and impact information in
communicates when it’s done so hackers’ their reports to show developers it’s worth
expectations are set. their time

• Automate - automatically alert the people who ° Learn each team’s processes for
are responsible for fixing the bugs and set time accepting work inputs and how to get a
limits for when bugs should be assigned an owner. security bug into the product backlog
e.g.
• Update hackers who are waiting for news on
° Critical: 3 - 4 hours when the bug will be fixed
° High: 3 - 4 days
° Medium: 1 - 2 weeks The financial services industry has a particularly
° Low: 1 month good reputation for delivering fast fixes, with a
median of 4 days to resolution and bounty.
• Prioritise manual efforts based on the severity of
the issue.

THE BUG BOUNTY FIELD MANUAL HACKERONE 12


Improve development
Bug bounty programs are great for finding and fixing
DEMOCRACY
loads of individual vulnerabilities, but some of the It’s important to remember that you,
greatest value will be the data that comes out of it. For your business and your hackers are all
example, for the financial services industry, cross site working together towards the same goal
scripting is the most commonly found vulnerability. of a more secure organisation. However,
Violation of secure design principles is far higher in each program will have its frustrations
the financial services industry than any other but and while a successful launch will
government. help you avoid these, remember the
following when handling a disgruntled
If you’re seeing particular patterns of bugs being
hacker:
found, it will highlight any cracks in your software
development life cycle, meaning you can move • Stay calm
towards proactively identifying and eliminating root
causes of systemic issues, improving your overall • Focus on the facts

security program. • Make use of HackerOne’s


mediation services
HackerOne provides data on:

• Number of bugs resolved


CELEBRATE MILESTONES
• Number of hackers thanked
• Number of reports rewarded Make sure to pause and recognise

• Total bounties paid your efforts in security and the great

• Bounty average work your team is doing to keep your

• Payout % of unresolved reports customers safe like Spotify has done

• Response time with their two year anniversary blog.

• Resolution time

THE BUG BOUNTY FIELD MANUAL HACKERONE 13


About Us
HackerOne is the #1 hacker-powered security platform,
helping organizations find and fix critical vulnerabilities
before they can be exploited. More Fortune 500 and Forbes
Global 1000 companies trust HackerOne than any other
hacker-powered security alternative. The U.S. Department of
Defense, General Motors, Google, Twitter, GitHub, Nintendo,
Lufthansa, Panasonic Avionics, Qualcomm, Starbucks,
Dropbox, Intel, the CERT Coordination Center and over
1,000 other organizations have partnered with HackerOne
to resolve over 80,000 vulnerabilities and award over $35M in
bug bounties. HackerOne is headquartered in San Francisco
with offices in London, New York, and the Netherlands.

Contact us to get started.

THE BUG BOUNTY FIELD MANUAL HACKERONE 14

You might also like