Crowdsourcing your bug bounty program

In this interview, David Levin, Director of Information Security at Western Union, talks about crowdsourcing their bug bounty program and the lessons learned along the way.

Why did you crowdsource your bug bounty program? What did you learn in the process?
We saw people trying to report bugs, but we didn’t have a method to handle it. People were going online on Facebook and Twitter, saying, “I’ve found a bug.” They wanted to tell somebody about it. This happened a few times. We looked at building our own program, but it was too time consuming. Who would manage the program? Who would validate the bugs reported? So we looked at a managed service. Bugcrowd takes out a lot of the legwork for our teams. We can focus on the findings and other projects while Bugcrowd leverages the world to crowdsource information and find bugs on our site. We liked that we didn’t have to build the service ourselves – we just had to go to the cloud.

The platform was fairly simple to set up. We learned how to communicate the program to the world, and also how to socialize it internally. We learned a lot around streamlining process flow and on focusing on what was really the issue.

How many bugs did you fix while using the program? How many critical issues?
We’ve seen a wide range, and that includes some critical items. Bugcrowd’s testers dig deeper in their testing than any testing previously done (either vendor provided or internally performed). They will take a URL/page and test it for many days for each page. They have found very good vulnerabilities for which we don’t have a system in place to locate. We find the service to be very valuable. No system can be proven to have zero vulnerabilities, so continuous testing at this level of depth is great.

What advice would you give to organizations considering a bug bounty program?
If you’re going to build a program yourself, you need to understand the time it will take. It’s definitely worthwhile to look at using a managed service. I’d also recommend reducing as much as you can time spent on things you already know about or on things that are not sensitive to your business (but that someone else might think is).

I think it’s also important to be fair. If you’re offering payment for finding bugs, make sure that what you are paying is competitive in the market. Have a proper agreement in place, and make sure you’re clear on what’s included and what’s not. Don’t be afraid to crowdsource it!

Financial companies in particular should not be afraid to open their doors to the outside world. There are already people out there looking for vulnerabilities. You’re allowing them a forum to openly submit these and earn a bounty for it. By leveraging a bug bounty program you can gain a significant amount of exposure, and you don’t have to spend a lot of extra time and effort building your own program.