‘A fraction of the pentest cost’: Lessons from an Asian telco’s Bug Bounty success

December 16, 2025

Bug Bounty success story: southeast Asian telco

“Pentests are very costly. When you have 100 applications, if you do the math then it’s very expensive.”

Addressing industry peers at a YesWeHack event in Singapore, the head of cybersecurity testing at a large telco in southeast Asia explained why Bug Bounty Programs are “a fraction of the cost, but with benefits around timeliness and the vulnerabilities identified”.

Continuous, creative testing

This YesWeHack customer – which opted to remain anonymous – had already expanded to a ‘wildcard’ scope (meaning all internet-facing assets) only two years into a private Bug Bounty Program. They also ran a Vulnerability Disclosure Policy (VDP) through YesWeHack.

The security team adopted crowdsourced security testing to add a continuous, creative testing layer to an otherwise mature offensive security operation.

Senior management “didn’t take much convincing” to sign off on a pilot – and their open-mindedness soon paid off.

Finding bugs missed by pentests

Point-in-time pentests were conducted around 2-3 times a year per product. An ongoing Bug Bounty Program didn’t just plug the gaps between these snapshot audits; it also uncovered flaws the pentests had overlooked.

There were several reasons for this. First, the sheer size of the talent pool – more than 100,000 registered hunters – meant they could find hunters with the diverse skills needed for their multifarious applications.

Second, unlike time-boxed pentesters, “hunters have all the time in the world and find very creative ways to show the flaws”, the speaker continued.

They also excelled at demonstrating the impact of vulnerabilities, he added.


Rapid – but careful – scaleup

The hunters’ ability to find bugs missed by other testing mechanisms made a “crown jewel strategy” – prioritising the most critical and therefore heavily pentested assets – a productive path forward. Scopes were only added once they had undergone extensive internal and external testing.

With guidance from a dedicated YesWeHack customer success manager (CSM), the telco’s roster of hunters was 30-strong initially, grew from 100 to 900 in just 5-6 weeks, and now stood at around 1,000.

But this was not a recklessly rapid scaleup, thanks to contingency plans devised to handle any surges in reports. A ‘War Room’ was set up to ensure – via automation, scalable processes (through Jira boards) and flexible resourcing – ongoing adherence to service level agreements (SLAs) during peak periods. Application owners and senior management were briefed in advance.

“With 1,000 hunters, you’ll find more bugs even compared to multiple pentests, so we wanted to be able to handle the load,” said the speaker.

Planning for peak periods

Their careful yet ambitious approach made sense: they were now hardening around 100 applications used by millions of customers.

“I can never overstate the importance of a governance structure,” said the speaker. “Our senior leadership are very actively involved in the program.”

YesWeHack’s leadership was involved too. The company’s CIO met the telco’s group CISO for quarterly reviews, while the CSM joined weekly meetings to discuss CVSS scores, reward grids and other key parameters.

Informal “brown bag” sessions, meanwhile, helped turn vulnerability trends into secure-development improvements. “We deep dive into a particular area and say: ‘Why does this problem exist all the time?’” said the speaker.

The telco also learned from a European counterpart after YesWeHack connected their respective security teams. “How do you keep your program fresh? How do you manage internal processes? How do you manage your workload? Some of these strategies we used.”

Keeping hunters engaged

Few strategies were more important than those devised to keep hunters engaged.

“You need to communicate with hunters on a regular basis, and the CSM team will keep you honest in terms of how fast or how slow you’ve been communicating with them,” he recalled. “It’s also important to reward them on a timely basis to keep them interested.”

But engagement still ebbs when bugs become harder to find, at which point there’s a tricky decision to make. “Do we increase the rewards to get more interest or get more pairs of eyes?” he explained.

“You want to offer high enough rewards to entice the hunters, but not too high so you deplete the budget very fast.”

‘Single pane of glass’

The benefits realised from Bug Bounty extended beyond the identification of a manageable stream of high-quality vulnerabilities.

A “single pane of glass with an aggregated risk view” that “pumped findings to an API” enabled streamlined, more judicious remediation. “We’re not talking about severity; we’re talking about risk,” said the speaker.

The Bug Bounty Program also sidestepped the “struggle with timely updates of asset management” that dogged so many security teams. “This has helped us fine-tune how updates are made to internet-facing systems.”

Best practices for Bug Bounty success

How might industry peers emulate their Bug Bounty success? The speaker made the following recommendations:

  1. Scale in phases – expanding scopes, rewards and researcher numbers gradually as your program matures
  2. Plan for peak periods – define roles, workflows and cross-team support in advance. Warn application teams of possible surges so they can respond quickly
  3. Keep hunters engaged – with clear communication, clear rules of engagement, SLAs for payments, and a dedicated internal point of contact for report management
  4. Manage budgets smartly – forecast wallet use, set bounty tiers carefully and plan top-ups early, especially where procurement cycles are slow
  5. Prevent as well as fix – identify recurring vulnerabilities and feed insights back into development
  6. Trust your CSM – their guidance will help you make informed, data-driven decisions

What’s next?

With all internet-facing assets already in scope after a whirlwind two years, the next milestone was launching a public program.

In the meantime, the speaker said new subprograms or seasonal reward boosts might be considered “to rejuvenate the program, get people hunting again. We’re trying to be creative about how we can keep our program fresh”.

