Published on June 21st, 2019 📆 | 2458 Views ⚑
Microsoft: Encourage organizations at any stage of growth to have bug bounty program: Microsoft’s Jarek Stanley

In a connected world, almost every business has a presence on the internet or a business process that runs on the web. This, however, exposes the business to online threats and breaches. A business needs an effective mechanism to defend itself, and getting external help can be useful. One such method is a bug bounty program, where security researchers submit their findings on security threats and vulnerabilities in return for a bounty award. Jarek Stanley, Senior Program Manager for Microsoft's Bug Bounty Program and part of the Microsoft Security Response Center, talks about the benefits of running a bug bounty program, how to go about it, and when to start one.

Economic Times (ET): How does a bug bounty program fit into the overall strategy of a company?
Jarek Stanley (JS):
A bug bounty program can be a valuable extension of a company’s security response process, sending a signal to security researchers worldwide that their partnership to help protect customers is welcome and appreciated. More than a marketing device, a healthy bug bounty program has engineering support to effectively assess and respond to the vulnerability reports that are received in a timely manner.

Bug bounty programs can be beneficial for startups with limited resources, as well as for large companies with advanced Security Development Lifecycle (SDL) practices. At Microsoft we invest heavily in preventing, identifying, and remediating security vulnerabilities before our products launch. We have more than 3500 security professionals dedicated to keeping our products and customers secure, including dedicated red and blue teams that constantly assess the security of our products. Once a product or service is launched, though, the Microsoft Security Response Center (MSRC) is on the front lines of working with security researchers if a vulnerability is found, ensuring we address it as quickly as possible and prepare it for deployment the world over.

Microsoft is committed to building and supporting our partnership with the security researcher community, and strongly believes that close partnerships with researchers make our customers more secure. We believe our Bug Bounty Programs, where vulnerabilities are submitted to us through Coordinated Vulnerability Disclosure (CVD), are the most effective, industry-recognized way to protect customers from undisclosed zero-day vulnerabilities. Eligible bounty submissions could include potential payments up to $250K.

ET: At what stage of its growth should an organization start thinking of having a bug bounty program?
JS:
There are a few questions an organization should ask before launching a bug bounty, and they are independent of organization size.

Do you have a security response process defined? Have you documented your servicing criteria? Do all of your internal stakeholders know their roles? These are important to how your bounty operates – you don’t want to be defining the playbook while under pressure of having new vulnerability reports streaming in.

Have threat models and a security review of your product or service been completed, and have you had any penetration tests done by security experts? How many known security bugs are already in your backlog? These questions are important to how much volume you can expect to receive and how much you may spend on bounty rewards to researchers.

Do you have researchers that report vulnerabilities to your security response team already? You may consider starting with an invitation-only bounty program to get a feel for the flow and volume before going public. Running a private program before launching a public program is great for identifying bugs in your processes.

Do you have the infrastructure and staff to manage a bounty? In addition to receiving bug reports and communicating with the vulnerability reporter (a staple for your incident response team) you’ll also have to process payments, take care of tax documentation, etc. If you don’t have the organizational support for these functions, there are several bug bounty service platforms that will host a bounty for your organization.

ET: Does it make sense for tech startups and small businesses to have bounty offers too?
JS:
The extent to which other organizations invest in bounty programs varies based on resources, priorities, and the nature of the product or business. Many startups run bounty programs, often with the help of a third party bounty platform with supplemental staffing resources to triage the vulnerability reports. Even without bounty awards, we’d encourage organizations at any stage of growth to consider providing a way for external parties, be they individuals, companies, or academic institutions, to share information about potential security vulnerabilities.
