Bug Bounty for Business
Intigriti CEO, Stijn Jans, answers popular questions about bug bounty programs
At Intigriti, we love a good conversation. You can find us on Twitter, LinkedIn and Facebook. If the situation permits, we attend events and conferences. When the conversation turns to ethical hacking and bug bounty, some questions are commonly asked.
In this series of blog posts, we discuss these Frequently Asked Questions with our ceo Stijn Jans. This week, we’ll discuss “How does Intigriti optimize bug bounty success?”.
If you have any questions you’d like to ask Stijn or anyone in the team, feel free to do so via email@example.com. We’ll make sure every question gets answered, and if popular, we’ll publish it here.
Question of The Week
How does Intigriti optimize bug bounty success?
This is a wonderful question to get in any conversation. It’s always a pleasure to explain the role of Intigriti.
Let’s discuss this question with CEO Stijn Jans, who built the Intigriti platform to function as a go-between, or even a buffer, between ethical hackers on the one side and company’s internal teams of IT specialists on the other. “Our services towards both communities function as Quality Assurance, allowing all parties involved to collaborate efficiently.”
Success management and triage: your guides throughout the bug bounty adventure.
Stijn Jans: “Let me start by explaining what we do for our clients. We always offer our customers full triage services and a dedicated Success Manager. This might seem unnecessary, but we insist on working this way to ensure quality.
Every single one of our clients are ‘managed clients’, companies for whom we provide success management and triage. This approach benefits both the ethical hackers – or researchers, as we prefer to call them – and our customers.
For researchers, the Intigriti Success Manager functions as a representative towards the company.
For companies, the value of a managed approach lies in the guidance and support they receive as they embark on a journey to improve their security with a community of people who they don’t know in person. The process of ethical hacking involves a lot of communication. Having Intigriti there to help is reassuring for all involved.
To explain in a little more detail, we have assembled a short list of what the involvement of Intigriti looks like during the different stages of a setting up a so-called bug bounty program. A bug bounty program is a collaboration between companies and ethical hackers where the latter receive enumeration or ‘bug bounty’ for discovering vulnerabilities in a company’s IT-systems before these become an issue.
How Intigriti helps at every stage of a company’s journey in ethical hacking
1. Intake & start-up
Intigriti doesn’t see the relationship with customers as a typical customer – supplier relationship. We see it as a partnership. We work together with a customer in a partnership to improve their security. Together we will also build a virtual extension on their security team to achieve optimal results.
The Success Manager is the first person that will become visible in the partnership. He will be an important point of contact throughout the journey: answering questions, giving advice on best practices and sharing our experience to strive for the best possible output.
Before a bug bounty program goes live, he schedules an intake meeting to introduce clients to the platform. The complete setup of a program is covered. With his assistance, clients set up their personal program details, they define the scope and validate the bounty table. The Success Manager shares his advice based on the collective learnings from all intigriti programs.
While running the intake procedure, the Success Manager stays in touch with the other members of the Intigriti team. Together they tackle any challenge in building a suitable program. Depending on the experience level and the nature or extent of the program, one or more follow-up meetings take place to make sure everything gets addressed.
2. Follow-up & monitoring
Building and managing the community of ethical hackers is done by intigriti’s Hacker Manager. He knows the community, is responsible for its growth and answers any questions or challenges the community has. He knows their skills and is a magician when it comes to selecting the right resources for the right project.
Once the program is live, the Intigriti triage team comes into play. The objective of the triage team is to validate incoming submissions from researchers, communicate important findings to the clients and give technical security advice.
Validating all the researchers’ submissions is a technical feat of strength. Our triage team filters every incoming report and verifies its content on different levels. It also ensures that the company has the time to focus on what really matters: valid vulnerability reports.
Here are some examples of the checks performed by Intigriti’s triage team:
- Is it an actionable rather than a theoretical finding?
- Is it exploitable?
- Is it a unique vulnerability (no duplicate)?
- Is it within scope?
The triage team checks the submissions by reproducing a proof of concept (PoC). If necessary, extra information requests go to the researcher to clarify or illustrate his findings. Our team is very thorough in their reviews and they need to be, because they deal with very sensitive security information. Critical or exceptional findings are handled within a shorter period of time. All details matter and the clock is ticking!
During and after the review process, both the triage team and the Success Manager are sources of knowledge towards the client’s security team. They explain which vulnerabilities are found, give additional information about the vulnerability to ensure everybody understands the impact and suggest how the findings can be resolved.
That’s when the real value of triage and success management shows; together, they are the ultimate link between client and researcher, operating in all parties’ advantage.
Tasks of the triage team and the Success Manager:
- Help clients to allocate submission severities
- Protect both client and researcher in case of disagreements
- Contact the client directly (phone or email) when reports show high business impact findings
- Follow up the open submissions
- Remind all parties to keep exchanging findings and assign bounties and bonuses.
3. Optimization & advice
Creating awareness for optimization of the program and the platform ultimately benefits both sides. That is what Intigriti tries to achieve by combining success management and triage. Their knowledge, skills and advice are added value of bug bounty programs compared with more classic testing methods.
To reach that objective, the triage team frequently gives the Success Manager updates on the status of the running programs and highlights opportunities for optimization. The analysis of results is the basis for the Success Manager to assist clients in keeping programs up to date and interesting.
A Success Manager stays in touch with his clients on a regular basis and
- suggests program extensions
- gives input and advice for the launch of new programs
- proposes set-ups for temporary actions
- recommends on additional budgets
- helps in preconceiving feasible goals
How success and triage blend, shows that both teams are an extremely valuable part in the challenge of running a successful bug bounty program. The combination Triage/Success Manager functions as a safety cushion for everybody involved and creates awareness for ultimate profitability.
Customers and researchers are never left to their own, someone at Intigriti always has their back.
Do you want to know more?
Our team is ready to answer all your questions about IT security testing, the intigriti platform, pricing or anything else. Click the button below and we’ll get in touch.