The US DoJ recently released guidance on running vulnerability disclosure programs (aka bug bounties). The document is nothing earth-shattering, but it does provide some free advice to organizations considering such programs.
Rendition’s advice to organizations considering a bug bounty program? Think VERY carefully about how it will impact your monitoring and detection strategies. People looking for bugs will create noise in your network – a lot of it. And the noise will look like attacks, because technically they ARE attacks. How will you separate this non-malicious attack traffic from real attack traffic you should be concerned about?
Whitelisting authorized tester IP addresses is one possibility, but that increases the overall burden (and may not be reliable, since many testers do not have static IP addresses). One of the ideas behind a bounty program is that a researcher will find the bug and report it to you before an attacker exploits it. Unlike a normal penetration test, where code may be tested pre-release, there is no such window here: attackers and bounty hunters are testing your applications simultaneously.
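To make the monitoring problem concrete, here is a small triage routine written for this post; it is an added example, not Rendition's code or tooling. It assumes a registry of tester IP ranges with expiry dates (constructed here), a simplified access-log format, and a few crude "looks like an attack" substrings. The point it demonstrates is that tester attribution should tag and deprioritize alerts, never suppress them: an unregistered source sending the same payload as a registered tester still surfaces at high priority, and an expired registration is treated like any unknown source.

```python
import ipaddress
from datetime import date
from urllib.parse import unquote

# --- Constructed sample data (assumptions for this example, not from the post) ---

# Registered bounty-program testers: a CIDR, a label, and an expiry date.
# Expired registrations are treated exactly like unknown sources.
AUTHORIZED_TESTERS = [
    {"cidr": "203.0.113.0/24", "researcher": "tester-A", "expires": date(2099, 1, 1)},
    {"cidr": "198.51.100.7/32", "researcher": "tester-B", "expires": date(2000, 1, 1)},
]

# Crude "looks like an attack" substrings, matched after URL-decoding and lowercasing.
SUSPICIOUS_PATTERNS = ("../", "' or 1=1", "<script", "/etc/passwd", "union select")

# Pretend "today" so the expiry check is deterministic.
TODAY = date(2024, 3, 1)

# Constructed, simplified access-log lines: "<src_ip> <timestamp> <method> <path>"
SAMPLE_LOG = """\
203.0.113.45 2024-03-01T10:00:01Z GET /search?q=%27%20OR%201%3D1--
198.51.100.7 2024-03-01T10:00:05Z GET /download?file=../../etc/passwd
192.0.2.9    2024-03-01T10:00:09Z GET /search?q=%27%20OR%201%3D1--
203.0.113.45 2024-03-01T10:00:12Z GET /account/profile
"""


def parse_line(line):
    """Split one log line into its fields; returns None for malformed or blank lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src_ip, ts, method, path = parts
    return {"src_ip": src_ip, "ts": ts, "method": method, "path": path}


def lookup_tester(src_ip, today):
    """Return the researcher label if src_ip falls in a registration that is still current."""
    addr = ipaddress.ip_address(src_ip)
    for entry in AUTHORIZED_TESTERS:
        if addr in ipaddress.ip_network(entry["cidr"]) and today <= entry["expires"]:
            return entry["researcher"]
    return None


def looks_suspicious(path):
    """Decode the request path and check it against the crude pattern list."""
    decoded = unquote(path).lower()
    return any(p in decoded for p in SUSPICIOUS_PATTERNS)


def triage(log_text, today):
    """Tag every suspicious request with its attribution; never drop one because of the source."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not looks_suspicious(rec["path"]):
            continue
        researcher = lookup_tester(rec["src_ip"], today)
        rec["attribution"] = researcher or "unattributed"
        # Tester traffic is still recorded, just lower priority for the analyst queue.
        rec["priority"] = "low" if researcher else "high"
        events.append(rec)
    return events


def unattributed_sources(events):
    """Source IPs that sent attack-looking requests without a current registration."""
    return sorted({e["src_ip"] for e in events if e["attribution"] == "unattributed"})


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG, TODAY):
        print(f"{e['priority']:4} {e['attribution']:13} {e['src_ip']:13} {e['path']}")
```

Run against the constructed log, the routine flags three requests: the first is attributed to tester-A at low priority, while the second (an expired registration) and the third (an unknown source sending the tester's exact payload) stay at high priority. The expiry field is the part most programs forget; without it, the whitelist only grows and the "authorized" label slowly loses meaning.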
You don’t have to pay people to test your applications; someone (probably a criminal) is already doing it for free (well, technically they are going to try to steal from you). Gone are the days when we could assume any security program can keep attackers out 100% of the time. We have to assume that attackers will compromise the network and take action when they do. Of course, taking action requires that you detect the issue in the first place.
To detect intrusions and minimize downtime, you need real-time monitoring. Rendition Infosec runs a 24×7 security operations center to provide such monitoring to clients. If you are considering a bug bounty program in lieu of monitoring, contact us first. Rendition can usually get you started on a monitoring program in an operational expenditure range (without the need for capital expenditure budgeting).
If you already have an active monitoring program and are considering a bug bounty program, talk to those actually doing the monitoring and figure out how the bug bounty program will impact your security. Every customer we’ve worked with who implemented a bug bounty program reported experiencing challenges that were not considered before the start of the program. While a company that specializes in bug bounties can help you work through some of those challenges, remember that they are not an unbiased party – their #1 goal is to sell you on their service.
There are a number of other concerns about bug bounty programs that we could probably write a book on. For this post, we’ve chosen to highlight what we consider to be the most critical consideration – how your program will impact your security monitoring.