By Anna Hammond
May 25, 2021
In this series of Bug Bounty Q&A blog posts, we discuss frequently asked questions about bug bounty programs with our CEO Stijn Jans. This week, we’ll discuss “How does Intigriti optimise for bug bounty success?”.
Stijn: This is a wonderful question to get in any conversation. It’s always a pleasure to explain the role of Intigriti.
The Intigriti platform functions as a go-between, or even a buffer, between ethical hackers and organisations. Our services towards both communities operate as a layer of quality assurance, allowing all parties involved to collaborate efficiently.
We offer our customers full triage services and a dedicated success manager. This approach benefits both the ethical hackers – or researchers, as we prefer to call them – and our customers.
For researchers, the Intigriti Success Manager functions as a representative towards the company. For companies, the value of a managed approach lies in the guidance and support they receive as they embark on a journey to improve their security with a community of people who they don’t know in person. The process of ethical hacking involves a lot of communication. Having Intigriti there to help is reassuring for all involved.
To explain in a little more detail, we have assembled a short list of what the involvement of Intigriti looks like during the different stages of setting up a bug bounty program.
We work together with a customer in a partnership to improve their security by acting as an extension of their security team to achieve optimal results.
The success manager is the first person that will become visible in this partnership. They are an important point of contact throughout the journey: answering questions, giving advice on best practices and sharing our experience to strive for the best possible output.
Before a bug bounty program goes live, the success manager will schedule a meeting to introduce clients to the platform. With their assistance, clients set up their program details, define the scope and validate the bounty table. Depending on the experience level and the nature or extent of the program, one or more follow-up meetings take place to make sure everything gets addressed.
Building and managing the community of ethical hackers is done by Intigriti’s Head of Hackers. He knows the community, is responsible for its growth and answers any questions or challenges the community has. He knows their skills and is a magician when it comes to selecting the right resources for the right project.
Once the program is live, the Intigriti triage team comes into play. The objective of the triage team is to validate incoming submissions from researchers, communicate important findings to the clients and give technical security advice.
Validating all the researchers’ submissions is a technical feat of strength. Our triage team filters every incoming report and verifies its content on different levels. The team also ensures that the company has the time to focus on what really matters: valid vulnerability reports.
Here’s a summarised version of the steps they take before escalating reports to clients:
Review incoming reports
Decide whether the vulnerability is a genuine threat
Ensure the vulnerability is genuine and in scope
Reject reports that are out of scope
Detect and remove duplicate vulnerabilities
Ensure the information included in the report makes sense
Be the go-between communicator for the researchers and client
Assess the severity of the vulnerability, based on impact
The triage team checks the submissions by reproducing a proof of concept (PoC). If necessary, extra information requests go to the researcher to clarify or illustrate his findings. Our team is very thorough in their reviews and they need to be, because they deal with very sensitive security information. Critical or exceptional findings are handled within a shorter period of time. All details matter and the clock is ticking!
During and after the review process, both the triage team and the success manager are sources of knowledge towards the client’s security team. They explain which vulnerabilities are found, give additional information about the vulnerability to ensure everybody understands the impact and suggest how the findings can be resolved.
That’s when the real value of triage and success management shows; together, they are the ultimate link between client and researcher, operating in all parties’ advantage.
Tasks of the triage team and the Success Manager:
Help clients to allocate submission severities
Protect both client and researcher in case of disagreements
Contact the client directly (SMS or email) when reports show critical or exceptional business impact findings
Follow up the open submissions
Remind all parties to keep exchanging findings and assign bounties and bonuses
Creating awareness for optimisation of the program and the platform ultimately benefits both sides. That is what Intigriti sets out to achieve by combining success management and triage. Their knowledge, skills and advice are added value of bug bounty programs compared with more classic testing methods.
To reach that objective, the triage team frequently gives the success manager updates on the status of the running programs and highlights opportunities for optimisation. The analysis of results is the basis for the success manager to assist clients in keeping programs up to date and interesting.
A success manager stays in touch with clients on a regular basis, and:
Suggests program extensions
Gives input and advice for the launch of new programs
Proposes setups for temporary actions
Recommends on additional budgets
Helps in preconceiving feasible goals
How success and triage blend shows that both teams are an extremely valuable part in the challenge of running a successful bug bounty program. The combination of them functions as a safety cushion for everybody involved and creates awareness for ultimate profitability.
Customers and researchers are never left on their own; someone at Intigriti always has their back.