1. Are You Prepared to Manage Incoming Vulnerability Reports?
Naturally, the purpose of running a bug bounty program is to identify vulnerabilities beyond what your security team can find — and remediate them. However, when launching a bug bounty program, many security teams are unprepared for just how many vulnerabilities will be identified and struggle to work to address them. Without the right scoring systems in place, it can be very challenging for security teams to prioritize incoming vulnerability reports and remediate them in an organized way.
Solution: Organize and Prepare Your Activity and Scoring Platform
Security teams need an effective vulnerability activity and prioritization scoring platform to help manage the reports from bug bounty hunters. HackerOne’s platform provides all the necessary insights, organization, scoring, and resources to help you effectively address vulnerabilities.
HackerOne Customer Success Managers (CSMs) work closely with customers to scale a program to their unique needs and goals, avoiding overwhelming security teams with an unmanageable number of researchers and reports.
HackerOne Triage further helps internal teams scale their ability to manage incoming reports, from filtering out false positives and validating reports to directly communicating with security researchers and ensuring a smooth handoff to your team for remediation. Our expert triage analysts thoroughly review incoming reports, passing on only validated vulnerabilities, accompanied by straightforward updates with detailed insights and top-line summaries. This allows your team to focus on remediation instead of report review, making your vulnerability discovery program more cost-effective, scalable, and impactful.
Make use of other resources, like the CVE (Common Vulnerabilities and Exposures) Discovery feature that offers customers insights into which CVEs are being actively reported. In addition, the platform utilizes both CVSS (Common Vulnerability Scoring System) and EPSS (Exploit Prediction Scoring System) scoring, to allow you to prioritize reports based on comprehensive factors.
2. Have You Tested Your Attack Surface?
One of the reasons security teams are unsure if they’re ready for a bug bounty program is they don’t have a thorough understanding of their attack surface. While a bug bounty program is the right goal, security teams often skip earlier steps, such as code reviews and pentests, that help shed light on what to expect from future bug bounty reports.
Solution: Run Code Reviews and Pentests
Each code review, performed by a specialized cohort of the HackerOne community, takes a median of 88 minutes to complete and surfaces an average of 1.2 vulnerabilities. Eighteen percent of security fixes are incomplete, making them one of the most essential types of code changes to audit.
While bug bounty is generally an ongoing program, pentests typically follow a structured methodology that encompasses a comprehensive, time-bound examination of the system, focusing on identifying vulnerabilities that adversaries could exploit.
The top vulnerabilities identified through code reviews and pentests often overlap with that of bug bounty, identifying common vulnerabilities like:
In addition, the smaller scope and timeframe dedicated to code reviews and pentests make them important stepping stones toward understanding your attack surface and preparing for a bug bounty program. HackerOne pentesters can also be added to an organization’s ongoing bug bounty program, developing anchor researchers that drive even greater value.
3. Do You Have Organizational Buy-in?
Many security leaders struggle to secure initial enthusiasm and buy-in for a bug bounty from stakeholders and board members. That can be a difficult conversation to have without the right information, as it’s sometimes hard to demonstrate the return of preventing something from happening. As a result, security teams don’t receive the budgetary resources they need, and the program is run ineffectively.
Solution: Calculate Measurable ROI or Return on Risk Mitigation
It’s no secret that board members speak in the language of dollars and cents, and without a calculated breakdown of cost savings and ROI, security teams won’t be granted the appropriate budget to effectively run their bug bounty program.
According to the 8th Annual Hacker-Powered Security Report, the average price of a bug has increased 5% since 2023, from $1,066 to $1,116. The cost of these vulnerabilities going unnoticed and being exploited, however, is significantly more than the cost of the bounty.
HackerOne customers consistently factor in cost savings when measuring the success of their bug bounty programs, with 45% valuing the estimated savings of reputational or customer-related incidents and another 45% valuing the financial savings estimated from avoiding risk.
“Since 2019, Zoom has worked with 900 hackers, of which 300 have submitted vulnerabilities that we have had to quickly move on. We’ve paid out over $7 million. It’s a substantial investment but the returns are worth it: we find world-class talent to find real-world solutions before it’s a real-world problem.”
— Michael Adams, CISO, Zoom
In many cases, HackerOne customers are successful in demonstrating the return on risk mitigation through bug bounty, strengthening the business case for a program.
“
The bug bounty program is the highest ROI across all of our spend. It’s really hard to show ROI, but with bug bounty, I have a baseline. I can say, ‘This vulnerability was able to be found by someone outside the organization. Someone that was not authorized to access this system was able to access it.’ Even with vulnerabilities that are not within our program, bug bounty allows me to put a price tag on them. I can explain this business case and our stakeholders are able to prioritize bug bounty higher than other tools that also generate ROI.”
— Eric Kieling, Head of Application Security, Booking.com
See how other HackerOne customers get organizational buy-in for bug bounty.
4. Are Your Bounties Priced Right?
While there are more factors than financial compensation, 52% of researchers do so primarily for money. With this in mind, the level of financial incentivization is important when establishing bounties. Many organizations might think they know what the appropriate amount is for any given bug bounty, but they find a lack of engagement in their program from researchers. That’s because 48% of researchers will opt not to join a program if the bounties are too low.
Solution: Price Bounties With Peer Benchmark Data
Security teams don’t have to price bounties on an island. Peers across every industry have embraced bug bounty. It’s essential for teams to examine average bounty costs within their industry because the averages can be vastly different from one sector to the next. For example, you can see below that the average bounty for a critical severity vulnerability in travel & hospitality is $4,763, while in cryptocurrency & blockchain, it’s over $24,000.
Median, Average, and 95th Percentile Bounty Rewards
5. Can You Keep Researchers Engaged?
While money is certainly a significant factor for researchers when selecting a bug bounty program, it’s not the only thing they find important. In fact, there are many things that can put researchers off a program.
As you can see, poor communication is as important as low bounties for researchers being discouraged from a bug bounty program.
Solution: Make Your Program Work for Researchers
Researchers are more likely to spend time on your program when they have a relationship with your organization’s security team. So, your bug bounty program should offer more than just bounty rewards. In order to attract the best talent, you need to communicate effectively, offer a varied scope for researchers to explore, and invest the time to quickly remediate the vulnerabilities they identify. For example, GitHub has kept researchers engaged in its bug bounty program for 10 years with a dedicated swag store, matching bounty donations, and continually iterating on its safe harbor policy.
“When I’m looking at a new program, I will look at the metrics in terms of time to triage and bounty and to what degree the program is hitting those metrics. I would advise companies to have both a public and private program. The public program will screen and interview researchers that can be moved into the private program where you can provide them with more access and resources. A private program allows you to have an elite group of hackers really digging in and finding those critical vulnerabilities. For example, some hackers specialize in reconnaissance and finding those corners of infrastructure that no one is thinking about and looking in the corners, then you have other hackers that have hundreds of servers scanning for vulnerabilities. Novelty and scale are important for delivering impactful reports.”
— Tom Anthony, Security Researcher
See how HackerOne customers get the best results from researchers.
Is Your Organization Ready for a Bug Bounty Program?
It’s challenging for security leaders to check all of these boxes and assess their organization’s bug bounty readiness. Managing the reports, receiving the budget, setting the right bounties, and building researcher relationships can all seem too daunting to do correctly and simultaneously.
At HackerOne, we provide the best combination of in-house expertise to run the right bug bounty program for your organization’s unique needs, with an extensive researcher community ready to go to work for you. If you want to learn more about how to run the most effective bug bounty program for your organization, contact our team at HackerOne today.
