Build Your Bounty Program - (Part II)

[Traditional Chinese] [Part I]

Before starting your bounty program, you need to consider and define its scope. The scope depends heavily on your company's budget, resources and purpose.

A bounty program is a deal in which individuals receive recognition and compensation for reporting security issues. It involves two concepts: reporting and reward. The core reason researchers submit reports is the reward, whether it is a monetary reward or a non-monetary one such as recognition.

After defining the reward scope, you need to define the severity standard. The reward is not a single fixed amount: it should scale with severity, and in practice the reward is strongly and positively correlated with it. The severity standard also signals how seriously your company takes a given class of security issue.

Finally, once the program is well defined, you have to prepare a place to announce it. At this stage you have several choices, which can also be run as successive phases: run the program internally within your company only, set up a private bounty program for a limited set of invited researchers, or publish the bounty program worldwide.

Reward

Different rewards attract different researchers.

A high reward attracts many researchers and individuals to analyze your service and submit reports, but it also takes a lot of manpower to read and verify those reports. On the other hand, researchers may not want to join at all if the only reward you provide is an acknowledgement.

Severity

The severity of a security issue is closely tied to the company's services and products. For example, a web service or website is critical for a social media company but much less important for an IC design company.

In general, you can define severity based on CVSS (Common Vulnerability Scoring System), which is widely used to express severity as a numeric score that can then be translated into a qualitative rating (None, Low, Medium, High, Critical).

In the v3.0 standard, three impact metrics describe what the attacker gains: Confidentiality, Integrity and Availability. The remaining base metrics (Attack Vector, Attack Complexity, Privileges Required, User Interaction and Scope) adjust the score according to how easy the issue is to exploit and whether its impact reaches beyond the vulnerable component. In the worst case, a score of 10.0 means an attacker can fully compromise your system over the network with no privileges, no user interaction and no other prerequisites.

Scope and Others

To make the bounty program run smoothly, you need to define which cases are in scope and which are out of scope.

"Security issue" covers many definitions and severities, and not all of them count as an issue for your company. To reduce false-positive and unwanted reports, list the out-of-scope issues in your bounty program. The list should name the excluded problems explicitly, for example physical attacks or social engineering.

Example

Amazon runs a public bounty program on HackerOne that defines four reward classes, Critical, High, Medium and Low, each mapped to the corresponding severity. Business-accepted risks and informational findings are not rewarded.

Severity   Reward Amount (in USD)
Critical   10000 ~ 20000
High       1500 ~ 5000
Medium     350 ~ 500
Low        150

The policy section introduces the bounty program, its concept and its scope.

It lists all the in-scope domain names and service names. It also lists the out-of-scope issues and non-eligible vulnerabilities, which might be considered security issues by other companies but are not included in this bounty program.