bug-bounty | ciso | security-testing | ethical-hacking

Launching a bug bounty program from a CISO's perspective

How can I measure the security level of our IT systems? Should I change our pentester company every year? Where should I store the results of pentest reports? Are these questions familiar to you? If so, keep reading.

Balazs PoznerNovember 18, 2020 · 5 min read · Last Updated:

Launching a bug bounty program from a CISO’s perspective

How can I measure the security level of our IT systems? Should I change our pentester company every year? Where should I store the results of pentest reports? Are these questions familiar to you? If so, keep reading.

In order to understand how bug bounty can improve security testing, let’s start with security controls, more specifically, how security controls can be implemented. In the last few years, I found too many organizations that think about controls as a checklist. Like it would be a binary: zero or one. But unfortunately, most of the case security controls do not behave like this.

In relevance to today’s topic, if you only want to get a report about your security, you will miss some crucial details. The time is getting close to admit that it’s not that simple. Controls need to be measured continuously, how effective they are, and how they could be improved.

One of the best practices is used to improve security testing to change pentesters regularly. Most of the time, the new pentester will find new vulnerabilities. And if you change it again, probably new vulnerabilities will be discovered. After that happened, we can say “issue has found in a new functionality of the product/service”, and maybe it’s true in some cases, especially if your company follows agile developing principles. But when you see a bigger picture, you will find that the human factor and the tests’ timing are essential.

The knowledge and experience of the ethical hacker matter a lot, as well as how much time it takes from the previous test.

Other vexing aspects of pentest from a CISO’s perspective are storing highly sensitive technical data in pdf documents. A valid business requirement would be to be securely connected to a ticketing system, but unfortunately, pdf is still part of pentest projects.

How can we improve this process? Using the power of crowdsourced security testing (“bug bounty”) is one solution. Of course, there are advantages and disadvantages of launching a bug bounty program, and you may have some concerns about this topic. In this article, I would like to highlight some of these based on my experience.

Launching a bug bounty program is not for everyone. An organization you can learn a lot from it, but you must consider the question carefully “Are we ready to start a bug bounty program?“. It’s a hard question. I would say: without a hardened IT environment and previous security tests, bug bounty can be a tough round for your team. Ideally, the secure software development lifecycle (SSDLC) should also be part of your company’s culture before setting up a bug bounty program.

A lot depends on how you will start. Instead of starting with an open program of the production environment, you need enhancement. I recommend starting with VDP and then adding rewards to critical assets only, then you can launch a full bug bounty program. Furthermore, it’s essential to choose the bug bounty scope carefully (we will deal with scoping in detail soon - stay tuned).

Real-world example: An exciting example of how a company can launch a bug bounty program is Red Bull. They worked with “friendly hackers” before starting a bug bounty program, and they are using their product (energy drink) as a reward instead of a monetary reward.

You may ask, “We have testing tools powered by artificial intelligence, so why should I start a bug bounty program?“. Automatic testing tools are great. They should be used, but they should be used without blind trust of the results. Sometimes they will find almost every issue in the product/service, but it is infrequent. Moreover, there are at least two reasons why they never replace ethical hackers:

  • The creativity of a human being – AI is excellent. It has an essential part in the future of cybersecurity, but no system has as much creativity as a real hacker.

  • Never underestimate the perseverance of a hacker – A motivated hacker can figure out those types of payloads you can never imagine, and that’s why they still find new bugs in the products of the biggest tech companies.

Finally, many IT security experts like to use the term “cybersecurity as a market differentiator”. There are situations where this term has valid meaning (and sometimes, it is only marketing stuff to increase the security budget or sell something). I truly believe that launching a bug bounty program may have a valid business value. A company can use a bug bounty program as a tool to build trust with all of your stakeholders. It may have a message to your future employee in the security team, or you can find new customers with it.

If you consider starting a bug bounty program, our team of security experts can help you to integrate bug bounty into your cybersecurity strategy.

Try HACKRATE!

(Image by Ferenc Szalkai.)

bug-bountycisosecurity-testingethical-hacking

Written by Balazs Pozner
CEO and Founder of HACKRATE Ltd.

Related ArticlesView All

Security regulations and best practices for fintech in 2024
February 19, 2024 · 5 min read

Read about cybersecurity regulations shaping the fintech and banking landscape and the best practices to remain compliant and protect customer data.

balazs pozner
by Balazs Poznerin security-testing,ethical-hacking,hackrate,news
Help us make security testing more transparent!
February 01, 2024 · 2 min read

We launched a survey to collect expert insights that will help us improve the features & functionalities of HackGATE™ — and increase transparency and accountability in security testing.

balazs pozner
by Balazs Poznerin hackrate,ethical-hacking,security-testing,news
Cybersecurity 2024: AI threats, data phishing, and regulations
January 23, 2024 · 6 min read

Discover our predictions for 2024's biggest cybersecurity trends and learn how to stay ahead with proactive security strategies.

balazs pozner
by Balazs Poznerin hackrate,ethical-hacking,security-testing,news
The UK’s new PSTI Act for IoT devices: how it impacts you & how we can help
January 10, 2024 · 4 min read

Learn about key requirements of the UK’s new PTSI legislation, penalties for non-compliance, and how our managed VDP can help you adhere to the regulations.

balazs pozner
by Balazs Poznerin hackrate,ethical-hacking,security-testing,news
Measuring the success of bug bounty programs: outdated vs new methods
November 28, 2023 · 5 min read

Shift from outdated metrics to advanced methods to monitor the success of your Bug Bounty Programs. Learn how HackGATE's insights and control can help.

Levente Molnar
by Levente Molnarin hackrate,ethical-hacking,security-testing,news
Increasing confidence in pentests: how to hold providers and testers accountable?
November 27, 2023 · 5 min read

Explore the importance of accountability in penetration testing. Learn how to choose the right provider, set security boundaries, and monitor testing activity.

balazs pozner
by Balazs Poznerin hackrate,ethical-hacking,security-testing,news