Case Study: How Intel is Challenging the Norms of Bug Bounty Retesting

Date: August 16, 2024
Author: Chris Holt, Intel Bug Bounty Program Manager

Background
Bug Bounty programs are structured to take reports from external security researchers, route them to product and development teams for mitigation, and then offer rewards for verified findings. Standard program operations only leverage development team’s time to test the mitigation and confirm …

Chapter 6: Handling Disputes

Date: July 22, 2024
Authors: Logan MacLaren, Chris Holt, Adam Bacchus

Respond to Disputes
Like any scenario involving human interaction, you’re going to have to deal with disputes over severity assignments and payment amounts for your Bug Bounty Program. These disputes often boil down to one single point – the researcher believes the severity assessment …

Chapter 5: All Things Payment

Date: May 13, 2024
Authors: Logan MacLaren, Deana Shick, Christopher Robinson, Katie Trimble-Noble, Jeff Guerra, Chris Holt

Introduction
Vulnerability Disclosure Programs (VDP) are differentiated from a sub-classification known as Bug Bounty programs (BBP) when rewards are offered. There are many methods to determine your incentive or payment schedule. Typically, payouts are tied to one of …

Chapter 4: Scope and Budget

Date: September 7, 2021
Authors: Anil Dewan, Annika Erickson, Katie Trimble-Noble, Christopher Robinson, Deana Shick

Introduction
By now, we hope that you have read Chapters 1, 2, and 3, and are ready to begin scoping and budgeting your Bug Bounty program. If you haven’t read those chapters and are new to Bug Bounty, we encourage you to do …

Chapter 3: Charter Your Program & Set Strategic Objectives

Date: July 28, 2021
Authors: Anil Dewan, Annika Erickson, Katie Trimble-Noble, Deana Shick

Overview
If you have stumbled upon this Chapter of the Bug Bounty Framework, you may have decided that a Bug Bounty program fits your needs. Creating a program charter and defining your strategic objectives are important steps in defining why your Bug Bounty program …

Chapter 2: Is a Bug Bounty Program Right for You?

Date: June 23, 2021
Authors: Sean Poris, Johnathan Kuskos, Josh Dembling, Katie Trimble-Noble, Deana Shick, Christopher Robinson

Overview
By now, you have read Chapter 1, and you may be wondering if a Bug Bounty program is right for your organization. You might be intrigued by the idea of interacting with researchers, and wondering about the …

Chapter 1: What is a Bug Bounty Program?

Date: May 4, 2021
Authors: Deana Shick, Johnathan Kuskos and Kathleen Trimble-Noble

Overview
Bug Bounty programs (or, “Bug Bounties”) have quickly become a mainstay in many security programs. Bug Bounties encourage reporters (including vulnerability finders, researchers, ethical hackers, and so on) to submit vulnerabilities to an organization for rewards. This chapter covers the basics of …

Announcing the Bug Bounty Framework: Demystifying Bug Bounty Programs

Date: May 4, 2021

Our Bug Bounty Community of Interest (BB COI) has been hard at work this year discussing the challenging problems many Bug Bounty programs (BBP) face, potentially including Vulnerability Disclosure Programs (VDP). Throughout our conversations and research, we noticed that there is little comprehensive guidance covering the Bug Bounty space. In an …

Effective Communication Goes a Long Way

In response to: The Hackers’ Viewpoint: Exploring Challenges and Benefits of Bug-Bounty Programs

Bug Bounties have been a mainstay in many security programs, though they do suffer growing pains from time to time. The Hackers’ Viewpoint: Exploring Challenges and Benefits of Bug-Bounty Programs uses a qualitative approach to assess Bug Hunters’ views on Bug Bounty …

Call a Duck a Duck, not a Bug Bounty

In response to: https://www.darkreading.com/vulnerabilities—threats/vulnerability-disclosure-programs-see-signups-and-payouts-surge/d/d-id/1338989

While we’re happy that crowdsourced security programs are attracting positive media attention, it’s important to point out that a Vulnerability Disclosure Program (VDP) isn’t a bug bounty, and a bug bounty isn’t a VDP. Both allow for coordinated disclosure between companies and researchers, but there are some stark differences between the …