(C) Alec Muffett's DropSafe blog.
Author Name: Alec Muffett
This story was originally published on alecmuffett.com. [1]
License: CC-BY-SA 3.0.[2]
Re: Bug Bounty Programs, Small Startups, and Unicorns
2021-12-02 13:37:36+00:00
A friend posted a question along the lines of:
My startup is getting off the ground, we are starting to get funding, but setting up a bug-bounty program is not something we are big enough or resourced enough to pursue at the moment. What’s the best way to recognise the people who bring us issues to fix and show our gratitude without generating work, screwing up and essentially reinventing a [bad version of a] bug bounty program?
My response is this blog post; additional comments from readers are solicited below.
Short version: you are absolutely right to be reticent and careful about this – though I would tweak your bug-bounty threat model a little. Also I will make a stab at answering the actual question, below.
To use this opportunity to get a little bit of past frustration off my chest: Bug Bounty Programs (BBPs) are a great idea, I support them thoroughly and believe that many, many more tech companies (especially in Britain) should be implementing them in order to solicit and manage bug feedback. However…
It’s a huge mistake to run a “homebrew” BBP
There’s a huge community of online nerds who will speculatively run Nessus against your site, find some trivial issue, and then try to extort money out of you on the basis of it.
Engaging with these people is a huge time suck, and you will screw it up / miss something / end up in pointless arguments about how much money a bug is “worth”; and even if you’re already experienced in the field of bug bounties they will assume that you are not, and they will proceed on that basis. They will even quote funding announcements back at you and threaten to tank your reputation.
And if for the sake of a quiet life you ignore these people then eventually you will miss the one person who has found an actual worthwhile security issue, who will feel aggrieved and subsequently burn you on Twitter.
Oh yeah: while I’m on this topic: set up an in-depth customised Twitter (etc) search relating to your company, and watch the hell out of it, dashboard it, etc; a good Twitter search is high-signal, low-frequency and worth its weight in bug-bounty payouts.
If you try to run an in-house BBP then you will likely screw it up over something like “scope” (“you’re not supposed to hack *that*…”) or intellectual property rights or not fixing something before the finder announces it, and/or you will suffer from a bug-reporter who has read all the BBP nightmare stories and who will attempt to paint you as one such company and likewise burn you on Twitter.
There is no “win” scenario in running a homebrew BBP unless you are GAFAM with lots of $MOOLAH.
Therefore you should use an outsourced bug-bounty program where you can just point reporters at them and not have to deal with all the passive aggression, the entitlement, and the huge number of irrelevancies, right? — Yes but…
Using an outsourced BBP-provider is a massive up-front cost
To get an outsourced BBP you have to give $HUGE_POT_OF_MONEY up-front to the provider, who then creams off large fees and uses the residual to pay reporters over time … presumably also investing the cash while it’s sat in their bank.
If you’re (a) big and (b) serious about running a BBP then this is definitely the way to do it, because each BBP-provider comes with a social network of “reporters” and will gatekeep access to them in a reasonable way, so that you can request the provider to “release the hounds” in measured quantities and attack everything within a scope that they have required you to tightly specify.
Professional BBP providers bring discipline, practice, an objective “parenting” relationship with a large supply of reporters to deal with the assholes … everything which you need, right? And the reporters will give your site a thorough security shakedown, right?
Well yes but…
It’s also trendy in infosec to dunk on BBPs as a kind of “cheat”
Not only are BBPs still viewed with suspicion (“…isn’t it wrong to reward hackers?”) by some authorities, but even some of the people who were early instigators of BBPs are nowadays railing against them — with some justification, but it depends upon who you are.
Their arguments are subjective and generally framed along the lines of:
You, yes YOU, you are a startup and you DO NOT NEED A BUG BOUNTY PROGRAM, what you need is an SDLC and to start taking secure software development SERIOUSLY. If you want a BBP then YOU are clearly filled with shoddy developers lacking security architecture expertise and YOU aren’t taking security seriously enough, so YOU are reaching for a BBP in order to tell your customers that YOU are “doing something” about security. YOU are terrible human beings and maybe YOU should hire ME to tell YOU how to design your platform and to tell YOU when YOU are going to be fit enough to warrant a BBP, because I am an expert!
…and the sad thing is that this is kinda true, sometimes. There are (or, were until recently/pre-pandemic?) many blockchain-bro vapourware companies who bought into BBP “hype” either publicly (to reassure ignorant customers) or internally (to “save costs” on security later, rather than trying to develop secure software from the outset).
But this is a pessimistic view, and I don’t like it; not least that the media tends to oversimplify and report it as “YOU…DO NOT NEED A BUG BOUNTY PROGRAM” which contradicts my perspective re: the benefits.
So what’s a safe bet for startups?
My take: utter transparency.
I recommend a big, easy-to-find, simple and clear webpage, acknowledging that:
“we do not do bug bounties yet” and
“we pursue secure software development in house, and we follow X, Y, and Z secure software development methodologies, however we also acknowledge that bugs happen and can make it all the way to production” and
“we don’t have a bug bounty program yet, because before we get into that space we would like to have enough sedimented product to make it worth doing a proper BBP over the long term” and
“if you find an issue and log it via $METHOD (expect a confirmation within $TIMEFRAME) and we verify it, we will be delighted to show our appreciation with some of the following [ed: non-monetary but kinda nice] swag, or a donation in your name to one of the following N charities; but to reiterate: we do not currently do monetary rewards because it does not yet fit our business model to define a scope and to manage relationships with professional bug reporters such as yourself.”
You will still get hate from the wannabe hackers, but at least this leaves nothing to chance; having a clear statement will insulate you from the worst of the crap.
[1] URL:
https://alecmuffett.com/article/15618
[2] URL:
https://creativecommons.org/licenses/by-sa/3.0/