Thirty-one valid vulnerabilities across five heavily pentested applications was a strong first-year return for our latest Bug Bounty success story.
Especially so, given that – in line with best practice – the client in question started small before expanding gradually.
Speaking at our recent ‘Client Success Stories’ event in Singapore, the cybersecurity chief at the global retailer of luxury goods recounted how its private Bug Bounty Program (BBP) had materially “enhanced security and increased compliance” and potentially prevented costly breaches.
“The ROI is easy to justify,” read his presentation slides at the Asia-Pacific (APAC) event in October.
Getting started in Bug Bounty
The speaker, whose organisation chose to remain anonymous, recalled how in the year before launching the BBP they “received quite a lot” of bug reports via multiple channels. Some ethical hackers asked for financial rewards, but there was no mechanism or policy for paying for vulnerabilities.
The lack of a formal disclosure mechanism was clearly undermining the reporting, prioritisation and remediation of vulnerabilities.
The organisation already did extensive pentesting – “but I wanted to discover what I did not know”, said the head of cybersecurity.
The case for a Bug Bounty Program was duly put to senior management. As well as discussing the organisation’s risk profile and current security testing program, a killer question was posed: if we don’t pay $2,000 for a critical vulnerability now, what will be the cost of malicious exploitation?
The daily attacks mounted by malicious hackers against the organisation put any security concerns about the activities of ethical hackers in perspective. “It’s a matter of when; it’s not about if” attacks will sometimes succeed, he reflected.
With a pilot duly sanctioned, the security team consulted the IT and finance teams, and CIO and CTO, about choosing a crowdsourced security testing platform.
Among other things, they wanted help with budgeting and to compensate for their lack of internal resource and Bug Bounty experience; a program that would dovetail effectively with their internal pentest team; and access to experienced, highly skilled bug hunters.
YesWeHack impressed with its strong use cases, “good feedback from the CTOs I spoke to” and promises of extensive customer support, especially during onboarding. “They did everything I asked for,” said the speaker, “which is why we decided to work with them as a strategic partner.”
The decision to use YesWeHack was soon vindicated. The program was “super easy to get started”, while the customer-centric support was singled out for praise. The customer success and triage teams did the “heavy lifting” – enabling the busy BBP manager to adopt a fairly hands-off approach to program management.
Bug Bounty optimisation
The manageably modest scope and bug hunter roster left enough time for experimenting and optimising of security testing.
The first critical bug surfaced after 16 days. As the process was gradually optimised, critical bounties were upped from $2,000 to $3,000 after four months, scopes were increased from three to five after six months, and hunter numbers rose from an initial 21 to 222 by the end of the first year.
A Vulnerability Disclosure Policy was launched in tandem to cover out-of-scope issues.
Bug Bounty first year in numbers
The first year saw 44 vulnerability reports submitted in total on the pentest-hardened scopes. Some 31 were deemed valid, with 25 warranting a payout. Three vulnerabilities were classified as critical, and a further six were designated as ‘high’ severity. Total rewards so far had reached $15,500, averaging $620.
A $3,000 maximum payout was earned through the discovery in a developer’s GitHub account of a file containing credentials that could have enabled the compromise of internal systems, recounted the speaker.
Another notable and lucrative find – netting the hunter a $2,000 bounty – was a firewall-bypassing remote code execution (RCE) on an API endpoint using Spring Expression Language SpEL.
Bug Bounty results vs pentesting
Bug Bounty hunting can achieve results that are typically elusive to pentesters, said the speaker, because they operate with “no limitations” and offer “multiple testing methodologies from many, many people”.
The speaker also reasoned that, because bug hunters are not (unlike pentesters) whitelisted by firewalls, it forces them to be more creative in bypassing defences. Necessity is indeed the mother of invention.
Nevertheless, the client still saw the value in continuing with traditional pentesting engagements. YesWeHack’s Pentest Management solution was under consideration.
Bug Bounty best practices
The speaker suggested that a Bug Bounty Program’s success hinges on having sufficient platform support and securing internal buy-in by communicating about the Bug Bounty model in an easy-to-understand way. For all the promise of BBPs, he also advises other program managers to carefully manage the expectations of both internal and external stakeholders.
Nevertheless, in this case study expectations were comfortably surpassed. So much so, that the speaker said the ultimate goal was to launch a public program and open the scopes to the entire YesWeHack bug hunting community.
Ready to enhance your company's security and prevent costly breaches? Connect with our experts today to launch a Bug Bounty Program.