By Anna Hammond
March 30, 2022
Watch Intigriti’s webinar recording on how to run an internal bug bounty program. Don’t miss out!
What does “internal” stand for in the context of an “internal bug bounty program’? Bug bounty programs are usually directed at security researchers who have an account with a bug bounty platform, such as Intigriti. However, there is also an option to include the employees working for the company that runs the program.
As Hacker Enablement Manager and a person who has tried this out in my previous role at a publicly traded SaaS company, I can say that the results were quite astounding. Read on to take advantage of my biggest learnings and secrets to success.
Companies often face the difficult situation that their developers not only have little cybersecurity experience, but also show minimal interest in computer security. This usually results in bad quality code when looking at it from a security perspective. The textbook approach to counteract that weakness is to install so called “security champions” within each development team. These employees take on the responsibility of ensuring released code demonstrating a robust level of security. However, in many ways, security champions are hard to find when they don’t see an immediate return of investment.
This is where the bounty table (known from bug bounty programs) comes into play.
Like the platform’s registered security researchers, employees are also motivated by a monetary reward for finding vulnerabilities in the code base they know better than anyone else. At this point, they will already start to incorporate thinking about security in their daily business routine. Additionally, they also get encouraged to search for vulnerabilities by showing off a high ranking in the program’s leaderboard by comparing themselves with their teammates.
With companies growing in team size, meaning more lines of code being written, security posture becomes increasingly hard to track. As a solution to this problem, some security teams build an inventory of assets to perform a security gap analysis. However, this task is often tedious and creates a huge workload for the executing team. Whereas, having all internal employees testing the entire code base is an alternative (and more interesting) approach to bringing the weak spots of assets into the light of the day.
Internal programs require a significant time and energy investment. My experience of running an internal program required me dedicating three months of work plus additional time from colleagues, to running the program without any support from a bug bounty platform. Most of the invested time went into the screening of vulnerabilities handed in. For fairness reasons, all findings were evaluated, and a bounty reward determined following a 4-eyes principle.
Another challenge was to enable all employees to hand in the vulnerabilities found in a secure way, where sensitive data and finding details were only visible to a selected group of people.
Setting up an internal bug bounty program together with Intigriti as your trusted bug bounty platform gives you the best of both worlds. You will educate your employees and offer them a fun program, while saving the tedious work of triaging incoming submissions at the same time.
Additionally, you get the possibility to include an arbitrary number of security researchers from Intigriti’s pool of more than 40,000 ethical hackers.
Reach out to us now and let’s get your security posture up to the highest standard! Also, make sure to watch the recording of my advise on running an internal bug bounty program. It’s free and available to watch immediately!
Pascal Schulz is a Hybrid Pentest Manager at Intigriti. Together with our selected researchers, he is making sure to provide the utmost value to our customers. In his spare time, he is an avid photographer and lover of long hikes!