A bug bounty program is among the most impactful additions to a software security process. With a bug bounty program, security researchers submit reports on potential vulnerabilities, typically with the promise of a reward or "bounty" for their efforts.
Not all bug bounty programs are created equal, however. There is a right way and a wrong way to get reports that will actually help an organization improve its security. Kymberlee Price, senior director of Researcher Operations at Bugcrowd, is well versed on the topic, as she helps keep multiple bug bounty programs and thousands of security researchers aligned.
Bugcrowd provides a hosted, managed platform for enabling bug bounty programs. The company's inaugural State of Bug Bounty Report provided insight into 30 months of bug submissions, during which Bugcrowd received 37,227 submissions from security researchers across 166 bug bounty programs.
Running a successful bug bounty program involves more than just providing an email address that researchers can use to submit flaws. Bug bounty programs should also have a standardized submission form to help sort the incoming flow of research, Price suggests.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"Be sure to write a really comprehensive bounty brief," she advised. "Also be sure that you're not encouraging bad behavior."
Examples of bad behavior include recognizing researchers for a submission that is not deserving of the honor.
Watch the full video interview with Kymberlee Price below:
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.