Page 81 - Cyber Warnings August 2017

But I have no budget!
It’s a fallacy that ‘rewarding’ someone always refers to a financial incentive. There are many ‘soft’ rewards that everyone is happy with:

- Allow the researcher to disclose the vulnerability publicly. This credits him with the find and, on the flip side, shows your company is transparent about security.

- Thank the researcher publicly in your patch notes or, if this isn’t possible (website updates typically don’t have patch notes), create a small ‘hall of fame’ page for those who have found security bugs on your site.

- Send out ‘goodies’. If your company has a marketing or PR department, this is where those goodies are found. T-shirts, stress balls, USB sticks and all the ‘stuff’ that you typically give out at marketing events are fair game.

- Any combination of the above also works fine.


If you have a budget
For those with a budget, you can actually pay out cold, hard cash. How much will depend on many variables, namely what kind of company you are and how critical the vulnerability is. Paying out financial rewards for security vulnerabilities has distinct advantages over ‘soft’ rewards. Firstly, you will attract more people to your website/product and create a virtuous security cycle. More people poking around means more vulnerabilities discovered. More vulnerabilities discovered means more bugs are fixed, and your site/product is all the better off for it. The higher your payouts are, the higher the caliber of researcher you will attract and retain.

So how much do I pay?
As this is dependent on many variables, I’ll merely point you to a company that’s collated plenty of data on this topic. The ‘what’s a bug worth’ report by bugcrowd has a very detailed matrix of the type of bug and the type of company you are, and offers guidelines on how much to pay out. Keep in mind you can pay out whatever you like. I’ve been paid as little as $15 USD for finding a bug in a VPN service which allowed me to get free VPN, to over $4,000 USD for a series of critical vulnerabilities found in a widely used website. You could also take inspiration from the likes of Google, Microsoft and Facebook, who have very detailed vulnerability disclosure programs, but I doubt you have comparable budgets to these companies. As a general rule, though, you’ll pay out less for ‘client-side’ vulnerabilities such as cross-site scripting and open-redirect bugs and pay out lots more for SQL injection and remote-code execution flaws.

Fitting it into defense-in-depth

A vulnerability disclosure program (or a bug bounty, as it’s also known) is not a replacement for a defense-in-depth approach to security. Although it can replace pentesting programs in certain scenarios, it does not mean you can dispense with all the measures that you should be implementing (measures that, for brevity, I will skip here). A vulnerability disclosure program is now just another tool in your arsenal for making everything safer, and building this program



Copyright © Cyber Defense Magazine, All rights reserved worldwide.