Once you’ve launched your program, things are far from over – in fact, they’re just beginning. And that’s not a bad thing. Depending on the scope, the number of participating researchers, and other factors, some programs will start seeing vulnerability submissions within the first hour! Bugcrowd will evaluate all of the incoming reports and pass along anything that’s valid, in-scope, not a duplicate, and has clear replication steps. Bugcrowd will also assign each valid finding a priority rating (P1-P5), based on the rating expectations that were discussed and agreed upon prior to launch (which typically follow Bugcrowd’s VRT). Findings that are not unique, valid, reproducible, or in-scope are handled by Bugcrowd’s ASE team, so that you never have to see or deal with the noise and see only signal.
Once the valid findings have been triaged by Bugcrowd, they’re ready for you to do a final review and reward as quickly as possible. Being expedient matters because the timely and meaningful acceptance and rewarding of findings is the single best way to show researchers exactly what they can expect from your program.
For a researcher, there’s no shortage of potential programs to participate in, and we want them to test on your program. But until they’ve made a submission and gone through the experience of interacting with the program owner, it’s not immediately clear to a researcher: a) how quickly the program owner will reward findings; b) whether the rewards will be fair and consistent with what’s on the program brief; and c) whether the program owner is truly invested and engaged in their program. With these unknowns in mind, first interacting with a new program can be an apprehensive and uncertain experience: what if the program owner takes a month to reward or reply, pays poorly, and is overall not worth working with? Without knowing this up front, a researcher could invest hours or even days of work into a program, only to be greeted with a less than ideal experience. We want to make sure they very quickly know that won’t be the case with our program.
By responding to and actioning findings quickly, fairly, and with empathy and understanding, we immediately establish ourselves as a program they can trust, and in doing so become a program they’re far more likely to continue testing and investing effort in.
It’s critical to remember that there’s a person on the other end of the keyboard, who is just like you and me. They have a life, family, job, and enjoy feeling appreciated and respected. As long as you treat them with humanity, they’ll usually do so in return. Work WITH the researchers, and they’ll work with you – together, improving the security of your scope, as well as the internet as a whole.
To this end, we’ve created the acronym FRUIT, as a way to remember some of the core characteristics of an effective and engaged program owner. An effective and engaged program owner is:
Fair – Executing on the expectations set on the program brief, and rewarding researchers equitably for their effort. Remember that your bounty brief is essentially a contract between your organization and the security researchers – and it is ultimately your responsibility to ensure that the content accurately reflects the information and expectations you want to be conveyed to researchers.
Responsive – Rewarding findings in a timely fashion (ideally, never more than seven days), and quickly responding to any questions from Bugcrowd or the participating researchers. Lengthy response times jeopardize researcher goodwill and interest in continued participation. To help prevent any inadvertent delays, as noted in prior blogs as part of this same series, it’s helpful to make sure each person within your org knows and understands their expected role as part of the program, as well as having a secondary program owner to help ensure continuity if/when the primary is out.
Understanding – Recognizing that researchers are here to help. Though it may not always feel like it, remember that they’re here to help you find vulnerabilities. Know that they’re well-intentioned, and treat them with the same respect that you would if they were an extension of your own team, because they are!
Invested – Doing what it takes to make a program successful, whether that means getting additional sets of credentials, increasing rewards, sharing changelogs, or increasing the program scope. Our most successful programs are led by deeply invested Program Owners. A further corollary to this point is to recognize and remember that we want researchers to find vulnerabilities! It’s often easy to feel like we should be restricting or limiting access and attack surface, when on the contrary we should be creating an environment that is as conducive to testing as possible. That often means being open to working with both researchers and your Account Team at Bugcrowd to gradually build out and work towards a comprehensive and all-encompassing scope.
Transparent – Being clear and honest with researchers. If you believe a finding should be downgraded, or simply don’t see it as an issue, it’s important to offer a clear and detailed explanation to the researcher, so that they’re aware of your point of view and can either appropriately refocus their efforts or provide context that may not have otherwise been considered. This sort of open and transparent dialogue helps immensely in building trust, as well as genuine relationships that pay dividends over time. Befriending and establishing trust with a hacker who is finding great content on your program will often keep that researcher coming back well into the future, and in some cases they may even someday come to work for you. Being transparent and honest with researchers is incredibly impactful, and when done right, is a boon to any program.
In short, if you can keep all of the above in mind when running your program, you’re well on the way to being an effective and engaged program owner. Of all the things that can impact program success, outside of access to the scope, your engagement is the single most powerful tool and the single greatest indicator of the long-term health and success of a program.
Armed with FRUIT, you’ll be a grape program owner!