5 Questions to Assess Your Organization’s Bug Bounty Readiness
It’s an inspiring feeling to see the growth in the adoption of bug bounty across industries. Yet, time and again, I hear from organizations that are unsure whether they are ready to incorporate bug bounty into their security program. Will we have enough budget? How will we keep hackers engaged? Many questions come up, and they’re all important to address in order to understand how a bug bounty program fits in. I’ve found there are five critical questions organizations can use to assess their bug bounty readiness. Let’s dive into these questions and how to answer them.
1. Are You Prepared to Manage Incoming Vulnerability Reports?
Naturally, the purpose of running a bug bounty program is to identify vulnerabilities beyond what your security team can find — and remediate them. However, when launching a bug bounty program, many security teams are unprepared for just how many vulnerabilities will be identified and struggle to address them. Without the right scoring systems in place, it can be very challenging for security teams to prioritize incoming vulnerability reports and remediate them in an organized way.
Solution: Organize and Prepare Your Activity and Scoring Platform
Security teams need an effective platform for tracking vulnerability activity and scoring reports for prioritization, so they can manage the reports that come in from bug bounty hackers. HackerOne’s platform provides the insights, organization, scoring, and resources security teams need to address vulnerabilities effectively.
For example, our Hacktivity platform includes a CVE (Common Vulnerabilities and Exposures) Discovery feature that offers customers insights into which CVEs are being actively reported by hackers. In addition, the platform utilizes both CVSS (Common Vulnerability Scoring System) and EPSS (Exploit Prediction Scoring System) scoring, empowering strategic prioritization based on comprehensive factors.
HackerOne Customer Success Managers (CSMs) also work closely with organizations to scale hacker invites to the appropriate amount for their unique needs and goals, avoiding overwhelming security teams with an unmanageable number of hackers and reports.
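As an added illustration of the prioritization idea above, combining CVSS severity with EPSS exploit likelihood to order an incoming report queue and attach a remediation window (constructed example code, not HackerOne’s platform logic; the weighting, the 0.5 prior for non-CVE findings, the SLA windows and the sample reports are all assumptions):

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CVSS v3.x qualitative bands: (upper bound exclusive, label) plus assumed SLA days.
SEVERITY_BANDS = [(0.1, "None"), (4.0, "Low"), (7.0, "Medium"), (9.0, "High"), (10.1, "Critical")]
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180, "None": 365}  # assumption


@dataclass(frozen=True)
class Report:
    """One incoming report (constructed fields, not a HackerOne schema)."""
    report_id: str
    title: str
    cvss: float                   # CVSS v3.x base score, 0.0 to 10.0
    epss: Optional[float] = None  # EPSS probability; only exists for published CVEs
    cve: Optional[str] = None     # CVE id when the finding maps to a known one

def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    return next(label for bound, label in SEVERITY_BANDS if score < bound)

def priority(report: Report) -> float:
    """Assumed ranking: CVSS impact scaled by likelihood of exploitation."""
    # Novel, report-specific bugs have no EPSS (EPSS scores CVEs only); an assumed
    # prior of 0.5 keeps a demonstrated unique bug from sinking below low-EPSS CVEs.
    likelihood = report.epss if report.epss is not None else 0.5
    # Floor at 0.05 so a critical CVE with no exploit signal still outranks noise.
    return round(report.cvss * max(likelihood, 0.05), 3)

def remediation_sla_days(report: Report) -> int:
    """Assumed remediation window per severity, halved when exploitation is likely."""
    days = SLA_DAYS[cvss_severity(report.cvss)]
    if report.epss is not None and report.epss >= 0.5:
        return max(days // 2, 1)
    return days

def triage(reports: List[Report]) -> List[Tuple[str, str, float, int]]:
    """Return (id, severity, priority, SLA days) ordered highest priority first."""
    ranked = sorted(reports, key=priority, reverse=True)
    return [(r.report_id, cvss_severity(r.cvss), priority(r), remediation_sla_days(r))
            for r in ranked]

# Constructed sample queue; the CVE ids are placeholders, not real identifiers.
SAMPLE_REPORTS = [
    Report("R-1001", "SQL injection in search endpoint", 9.8),
    Report("R-1002", "Outdated library with known RCE", 8.8, 0.90, "CVE-PLACEHOLDER-1"),
    Report("R-1003", "Reflected XSS in error page", 6.1),
    Report("R-1004", "Verbose version banner", 3.7, 0.001, "CVE-PLACEHOLDER-2"),
]
```

Note that EPSS is only defined for published CVEs, so a triage scheme must decide explicitly how to treat the novel findings that make up most bug bounty reports; here that decision is the assumed 0.5 prior.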
2. Have You Tested Your Attack Surface?
One of the reasons many security teams are unsure if they’re ready for a bug bounty program is they don’t have a thorough understanding of the security of their attack surface. While a bug bounty program is the right goal, security teams often skip some earlier steps, such as code reviews and pentests, that help shed light on what to expect from future bug bounty reports.
Solution: Run Code Reviews and Pentests
Each code review, performed by a specialized cohort of the HackerOne community, takes a median of 88 minutes to complete and surfaces an average of 1.2 vulnerabilities. Eighteen percent of security fixes are incomplete, making them one of the most essential types of code changes to audit.
While bug bounty is generally an ongoing program, pentests typically follow a structured methodology that encompasses a comprehensive, time-bound examination of the system, focusing on identifying vulnerabilities that adversaries could exploit.
The top vulnerabilities identified through code reviews and pentests often overlap with those found through bug bounty, including common vulnerabilities like:
In addition, the smaller scope and timeframe dedicated to code reviews and pentests make them important stepping stones toward understanding your attack surface and preparing for a bug bounty program. HackerOne pentesters can also be added to an organization’s ongoing bug bounty program, developing anchor hackers that drive even greater value.
3. Do You Have Organizational Buy-in?
Many security leaders struggle to secure initial enthusiasm and buy-in for a bug bounty from stakeholders and board members. That can be a difficult conversation to have without the right information, as it’s sometimes hard to demonstrate the return of preventing something from happening. As a result, security teams don’t receive the budgetary resources they need, and the program is run ineffectively.
Solution: Calculate Measurable ROI or Return on Risk Mitigation
It’s no secret that board members speak in the language of dollars and cents, and without a calculated breakdown of cost savings and ROI, security teams won’t be granted the appropriate budget to effectively run their bug bounty program.
According to the 7th Annual Hacker-Powered Security Report, the median price of a bug on the HackerOne platform is $500, up from $400 in 2022. The average bounty in the 90th percentile is up from $2,500 to $3,000. The cost of these vulnerabilities going unnoticed and being exploited, however, is significantly more than the cost of the bounty.
HackerOne customers consistently factor in cost savings when measuring the success of their bug bounty programs, with 59% valuing the estimated savings of reputational or customer-related incidents and 54% valuing the financial savings estimated from avoiding risk.
"Since 2019, Zoom has worked with 900 hackers, of which 300 have submitted vulnerabilities that we have had to quickly move on. We’ve paid out over $7 million. It’s a substantial investment but the returns are worth it: we find world-class talent to find real-world solutions before it’s a real-world problem."
— Michael Adams, CISO, Zoom
In many cases, HackerOne customers are successful in demonstrating the return on risk mitigation through bug bounty, strengthening the business case for a program.
“The bug bounty program is the highest ROI across all of our spend. It’s really hard to show ROI, but with bug bounty, I have a baseline. I can say, ‘This vulnerability was able to be found by someone outside the organization. Someone that was not authorized to access this system was able to access it.’ Even with vulnerabilities that are not within our program, bug bounty allows me to put a price tag on them. I can explain this business case and our stakeholders are able to prioritize bug bounty higher than other tools that also generate ROI.”
— Eric Kieling, Head of Application Security, Booking.com
See how other HackerOne customers get organizational buy-in for bug bounty.
4. Are Your Bounties Priced Right?
While factors other than financial compensation matter, 80% of hackers say they hack primarily for money (up from 71% in 2022). With this in mind, the level of financial incentive is important when establishing bounties. Many organizations think they know the appropriate amount for a given bug bounty, yet find the hacker community does not engage with their program. That’s because 48% of hackers will opt not to join a program if the bounties are too low.
Solution: Price Bounties With Peer Benchmark Data
Security teams don’t have to price bounties on an island. Peers in every industry have embraced bug bounty and ethical hacking. It’s essential for teams to examine average bounty costs within their industry because the averages can be vastly different from one sector to the next. For example, you can see below that the average bounty for Travel & Hospitality is $700, while in Cryptocurrency & Blockchain, it’s over $3,000.
5. Can You Keep Hackers Engaged?
While money is certainly a significant factor for hackers when selecting a bug bounty program, it’s not the only thing they find important. In fact, there are many things that can put a hacker off of a program.
As you can see, slow response times (60%) and poor communication (55%) are more likely than low bounties (48%) to discourage hackers from a bug bounty program.
Solution: Make Your Program Work for Hackers
Hackers are more likely to spend time on your program when they have a relationship with your organization’s security team. So, your bug bounty program should offer more than just the bounty payment. To attract the best hackers, you need to communicate effectively, offer a varied scope through which hackers can learn, and invest the time to quickly remediate the vulnerabilities they identify. For example, GitHub has kept hackers engaged in its bug bounty program for 10 years with a dedicated swag store, matching bounty donations, and maintaining its safe harbor policy.
“When I’m looking at a new program, I will look at the metrics in terms of time to triage and bounty and to what degree the program is hitting those metrics. I would advise companies to have both a public and private program. The public program will screen and interview researchers that can be moved into the private program where you can provide them with more access and resources. A private program allows you to have an elite group of hackers really digging in and finding those critical vulnerabilities. For example, some hackers specialize in reconnaissance and finding those corners of infrastructure that no one is thinking about and looking in the corners, then you have other hackers that have hundreds of servers scanning for vulnerabilities. Novelty and scale are important for delivering impactful reports.”
— Tom Anthony, Hacker
See how HackerOne customers get the best results from hackers.
Is Your Organization Ready for a Bug Bounty Program?
It’s challenging for security leaders to check all of these boxes and assess their organization’s bug bounty readiness. Managing the reports, receiving the budget, setting the right bounties, and building hacker relationships can all seem too daunting to do correctly and simultaneously.
At HackerOne, we provide the best combination of in-house expertise to run the right bug bounty program for your organization’s unique needs, with an extensive hacker community ready to go to work for you. If you want to learn more about how to run the most effective bug bounty program for your organization, contact our team at HackerOne today.