The Beginners’ Guide

to Bug Bounty Programs

Hackers can provide continuous security at the speed
of innovation.

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 1

 The last several years have seen the most destructive
data breaches of our time. 2019 was another year of
numerous and highly damaging data breaches that
put hundreds of millions of consumers at risk. But it
could have been worse. Tens of thousands of security
vulnerabilities were eliminated with the help of hackers.

Hackers are no longer anonymous guns-for-hire. According to Gartner’s “Emerging Technology

Everyone from the financial services industry, to Analysis: Bug Bounties and Crowdsourced Security
e-commerce giants, to government agencies has Testing” report, crowdsourced security testing is
embraced hackers as part of a mature, proactive “rapidly approaching critical mass.”
security strategy.
Over $74 million in bounties have been awarded to
It’s not hard to see why. Businesses process more hackers for identifying more than 140,000 security
data—and more personal data—than ever before. vulnerabilities. Each one of these vulnerabilities
As companies work overtime to push code, criminals posed real-world risk to an organization. Combined,
work overtime to find vulnerabilities. they represent a clear picture of the real-world risks
we face today.
Your job is to reduce the risk of a security incident,
protect your brand and assets, and ensure the In The Beginners’ Guide to Bug Bounty Programs
security of your customers and their valuable data. we will look at how organizations include Starbucks,
Keeping those assets secure is a non-stop endeavor LendingClub, Airbnb, GitHub, Hyatt, Verizon Media,
that requires highly-technical and specialized skills— Priceline, Nintendo and Google Play are working
but equipping your organization with this toolbox be with hackers to protect their customers and brands.
prohibitively expensive. It’s almost impossible to scale
security with internal resources alone.

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 2

 Introduction to
Hacker-Powered KEEP OUR PEOPLE SAFE
We know that state-

Security sponsored actors and black-

hat hackers want to challenge
and exploit our networks. We
Before we dive into bug bounty programs, let’s define know that. What we didn’t
hacker-powered security. Hacker-powered security fully appreciate before this
is any technique that utilizes the external hacker
pilot was how many white-hat
community to find unknown security vulnerabilities
and reduce cyber risk. Common examples include hackers there are who want
bug bounty programs, hacker-powered pentests, and to make a difference, who
vulnerability disclosure policies. want to help keep our people
and our nation safer.
Hacker-powered security arms organizations with the
skills, experience, and nonstop coverage of creative
and experienced hackers and researchers. These
A SH CARTER ,
finders work to identify vulnerabilities before they can
be exploited by criminals. It’s a fast, structured, and DEPARTMENT OF DEFENSE

proven model for crowdsourcing the right expertise,

applying it when and where you need it, and paying RE AD TH E CASE STU DY
only for results. Think of hacker-powered security as
an extension of your in-house security team, but with
nearly limitless capabilities and an elastic, on-demand
usage model.

Bug bounty programs offer continuous testing to

secure applications that power your organization. In this customer story, Security
Specialist Liam Somerville tells
HackerOne why their 7-person strong
security team relies on hackers to be a
key force multiplier.

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 3

 Important Terms

Hacker: One who enjoys the intellectual challenge of Private Bug Bounty Program: A limited access
creatively overcoming limitations. program that select hackers are invited to
participate in for a chance at a bounty reward.
Hacker-Powered Security: Any goal-oriented
hacking technique that utilizes the external hacker Time-Bound Bug Bounty Challenge: A limited
community to find unknown security vulnerabilities access program with a pre-determined time frame
and reduce cyber risk. Common examples include where select hackers have a chance at earning a
private bug bounty programs, public bug bounty bounty award.
programs, time-bound bug bounty programs,
hacker-powered penetration testing for compliance, Vulnerability: Weakness of software, hardware or
and vulnerability disclosure policies. With hacker- online service that can be exploited.
powered security testing, organizations can identify
high-value bugs faster with help from the results- Vulnerability Disclosure Policy (VDP): An
driven ethical hacker community. organization’s formalized method for receiving
vulnerability submissions from the outside world,
Hacker-Powered Pentest: A limited access sometimes referred to as “Responsible Disclosure.”
program where select hackers apply a structured This often takes the form of a “security@” email
testing methodology and may be rewarded for address. The practice is outlined in the Department
completing security checks. of Justice (DoJ) Framework for a Vulnerability
Disclosure Program for Online Systems and defined
Hacktivity: Hacker activity published on the in ISO standard 29147.
HackerOne platform.

Public Bug Bounty Program: An open program

any hacker can participate in for a chance at a
bounty reward.

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 4

 What is a Bug Bounty Program?

The bug bounty program is the most advanced form provide clear guidance for external parties to report
of hacker-powered security. It provides continuous security weaknesses to an organization so they can
security testing and vulnerability reports from the be resolved. The principal difference is that VDPs
hacker community. simply create a framework for interacting with and
accepting help from the security community, while
When a new bug bounty program is launched, in 77% bug bounty programs actively incentivize that
of the cases, hackers find the first valid vulnerability work by offering rewards for vulnerabilities that the
in the first 24 hours. That is how fast security can community discovers.
improve when hackers are invited to contribute.
Bug bounty programs include incentive structures
Bug bounty programs can be either public or private. and processes designed to encourage individuals
Public bug bounty programs, like Starbucks, GitHub, with a range of experience and talent to identify
and Airbnb, are open to everyone, while private and report potential security vulnerabilities so they
programs require organizations to invite hackers to can be safely resolved before they’re exploited. No
participate. Public programs are open to the widest money changes hands until after the vulnerability
range of hacker diversity and therefore produce is reported, validated, and determined to be in line
superior results. On average, public bug bounty with the program terms, as defined in the policy
programs have engaged six times the number or security page. Done properly, a bug bounty
of hackers reporting valid vulnerabilities. That program can be an enormous boost to your
number nearly doubled in 2019. organization’s security.

Private programs make up 79% of all bug bounty

programs on HackerOne, whereas public programs
make up the remaining 21%. By starting with a private
program, security teams can then work with a smaller
STARTING WITH SECURITY@
group of hackers to identify unknown and easily found
vulnerabilities as they optimize internal security A Vulnerability Disclosure Policy (VDP) will
processes. This allows them to become comfortable help you create your process for monitoring,
with the volume and types of vulnerability reports they managing, vetting, responding to, and fixing
might expect to receive before advancing to a public reported vulnerabilities. It’s a great first step to
bug bounty program. dealing with incoming bug reports and building
a team and a process for handling those reports.
Bug bounty programs are very similar to vulnerability To learn more about this security best practice
disclosure policy (VDP). VDPs are referred to as the check out, the 5 critical elements to a VDP.
“see something, say something of the internet” and

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 5

 Public? Private?
Either Way, It’s Yours
No matter how you choose to structure your They give you better coverage and exposure
bug bounty program, it can be entirely private, to hackers, and can also be publicized to show
blatantly public, or anywhere in between. Here’s your customers how much effort you’re putting
how they differ. into security. But even public programs are
customizable: bug reports can remain private and
Private programs are known only to those redacted, disclosure timeframes are up to you,
hackers you choose to invite based on skills, bounty values are yours to set, and many other
experience, location, or other attributes. But every elements can be controlled as you wish. Private bug
report, participant, bounty, and other aspect of bounty programs currently make up 79% of all bug
the program is totally private. bounty programs on HackerOne. You can see more
statistics and analysis in The 2019 Hacker-Powered
Public programs are open to all hackers and can Security Report.
maximize both your program’s visibility and the
volume of participants and their varying skills.

A FULLY-MANAGED HACKERONE BUG BOUNTY PROGRAM

Our experts will design, manage, and support your bug bounty program from end to end. Here’s how it works:

1 3 5

2 4

Hacker searches for HackerOne promptly Your team receives

vulnerabilities communicates with only valid, well-
Hacker submits it to HackerOne triages all
the Hacker documented
your organization submissions
vulnerability reports

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 6

 More than 140,000 security vulnerabilities
(and counting!) have been eliminated with help
from hackers on HackerOne. Combined, these
vulnerabilities represent a clear picture of the APPLICATION TESTING
real-world risks we face today. Want to learn what
When the same internal
the most common threats are? The HackerOne
teams are testing an
Top 10 Most Impactful and Rewarded Vulnerability
Types is an interactive site allowing you to explore application for a long time,
bounty award levels, severity scores, total report they lose that ‘fresh-eye’
volumes, and more.
perspective that often helps
in finding interesting bugs.
HackerOne Bounty provides a managed, turnkey
bug bounty program with all the flexibility,
expertise, and resources needed to integrate
bug bounties into your security apparatus with VL ADYSL AV CHEREDNYCHENKO,

little effort and little disruption. Our experts work IN FORMATION SECURIT Y
with you to design, manage, and support your ENGI NEER , ABOUT YOU

program from end-to-end, ensuring a smooth

launch and seamless integration into your security
efforts. For those new to bug bounty, this is a
great entry point. For those experienced, it’s a
fast way to support the training, payments, hacker
vetting, report tracking, compliance, and other
considerations that are outside your core mission.

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 7

 Why Work with Hackers
Organizations as diverse as Starbucks, Airbnb,
GitHub, Verizon Media, Lending Club, PayPal,
Google and Intel and Twitter are using bug bounty
programs to reduce risk and protect customers CRITICAL IMPORTANCE
and their brands. Your customers, partners, and
Cybersecurity is of critical
even government agencies and industry groups
importance to Priceline. This
now expect you to leverage the wisdom and power
of the vast hacker community. It improves and is why we are enhancing this
scales your security capabilities, helps protect essential layer of protection
your assets and strengthen your brand, and
with our expanded bug
demonstrates innovation.
bounty program.
Security flaws aren’t shameful; they’re a fact
of software development. No matter how many MATT SOUTHWORTH ,
processes or security measures you put into
CHIEF IN FORMATION SECURIT Y
place, it’s impossible to prevent all vulnerabilities. OFFICER , PRICELI NE
But with a bug bounty program, you can extend
your processes to handle these bugs safely and
efficiently by inviting hackers to assist you. The
best part is that it’s pretty easy to get started and
to scale your efforts, as long as you plan your path.

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 8

 Overcoming Resistance to Working
with Hackers
Hacking is here for good—for the good of all of us.

We cannot prevent data breaches, reduce cyber Some points to keep in mind when discussing bug
crime, protect privacy or restore trust in society bounty programs and hackers with legal, finance
without pooling our defenses and asking for external and PR teams:
help. Cybersecurity has rightfully become a company-
• Current security measures can’t catch every
wide responsibility that goes beyond just security and
vulnerability. Bug bounty programs can catch
IT teams.
business logic issues that a scanner will miss.

A public-facing security solution, such as your bug • Bug bounty programs offer ongoing testing
bounty program, could involve buy-in from legal, unlike point-in-time testing.

finance, and even the Board of Directors. However,

• Bug bounty programs enlist the help of
people outside security and IT, such as legal, finance, experienced hackers to f ind vulnerabilities
and public relations teams, don’t necessarily know before attackers do.
that it’s possible to improve your security posture by
• Bug bounty programs have become a best
safely leveraging the external research community—
practice in the industry and are used by
and by implementing a formal policy that spells out
companies and governments around the world
what can be tested and what cannot.
including Goldman Sachs, the U.S. Department
of Defense, and Hyatt Hotels.

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 9

 The following entities can be Department of Justice (DoJ) ENISA: Economic Union Agency for
cited as support for working with published a Framework for a Network and Security: recommends
ethical hackers: Vulnerability Disclosure Program VDPs for the government and
for Online Systems. https://www. private organizations.
justice.gov/criminal-ccips/page/
f ile/983996/download

Hack DHS: requires the ISO 29147: recommends NIST Cybersecurity Framework:
Department of Homeland Security vulnerability disclosure as a best Provisionally added RS.AN-5 which
to implement a VDP and Bug practice and offers guidelines on recommends that processes are
Bounty Program. how to include in their processes established to receive, analyze and
when receiving information respond to vulnerabilities disclosed
about potential vulnerabilities to the organization from internal
from external individuals or and external sources (e.g. internal
organizations. testing, security bulletins, or
security researchers).

The earliest recorded bug bounty program dates have awarded hackers over $70M in bug bounties
back to 1983. The practice was first scaled in the to hackers for safely reporting over 140,000
enterprise by Google, Facebook and Microsoft over vulnerabilities and to a growing community of
the past half-dozen years. As of 2019, more than 500,000 hackers.
1,600 active hacker-powered security programs
are run by organizations today including The Do you require strict finder verification capabilities?
U.S. Department of Defense, General Motors, Download this datasheet to learn about
Google, Goldman Sachs, PayPal, Hyatt, Twitter, HackerOne’s Advanced Vetting for organizations
GitHub, Nintendo, Lufthansa, Microsoft, MINDEF that require strict finder verification and enhanced
Singapore, Panasonic Avionics, Qualcomm, program controls.
Starbucks, Dropbox, and Intel. These organizations

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 10

 Who are the Hackers?
Another common question is, who are these hackers? But what if someone demonstrates explicit
Or, aren’t they criminals? No. Security experts may disregard for the rules? They have a name: criminals.
be described using a variety of titles including hacker,
ethical hacker, white hat, security researcher, bug If you are operating a bug bounty program, it
hunter, and finder. One title is conspicuously absent: is critical that you employ a vocabulary that
criminal. Hackers are not criminals. Specifically, bug distinguishes between vulnerability and breach.
bounty platforms offer no benefit to someone with A bug bounty program is not an invitation to
criminal intent. On the contrary, reputable bug bounty be breached—these programs encourage the
platforms will record data about every hacker on the discovery of vulnerabilities that could lead to
platform and only reward actions that follow the rules. a breach (if left undiscovered). Of course, the
For these reasons, criminals go elsewhere. likelihood of a breach in the first place is reduced
for those running a bug bounty program.
What if hackers do something bad? This is where it is
essential for vendors to clearly define the scope of the A properly structured bug bounty program will
bug bounty program. To set hackers up for success, authorize participants to search for vulnerabilities
the program scope should be detailed and regularly so long as a specific set of rules are adhered
updated. The bug bounty vendors should, among to. All participants in HackerOne programs are
other things, be able to background check hackers, under instruction to Respect Privacy and Do No
know what their reputation is, what their skillset is, Harm. Just as with any authorized security test,
and have personal relationships with their hacking an inadvertent access of data by an authorized
community. Some platforms require agreement to participant does not trigger statutory breach
disclosure guidelines and codes of conduct. Extortion notification requirements.
and blackmail are strictly forbidden. Criminals will
attempt extortion tactics whether or not you have a
bug bounty program.

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 11

 Why do Hackers Hack?
Youthful, hungry for knowledge, and creative. Nine company and government agency joining HackerOne
out of 10 hackers are under 35, while 8 out of 10 are every day—such as the Hyatt Hotels, Airbnb, GitHub,
self-taught. More and more are coming from diverse Starbucks, HBO, U.S. Department of Defense,
industries outside of technology, allowing them to General Motors, Alibaba, Goldman Sachs, Toyota and
bring myriad skillsets and perspectives to bear on more—comes curiosity and a genuine desire to help
their bug hunts. They’re also hacking more than ever, the internet become more secure (9%).
with more than 40% spending 20-plus hours per
week searching for vulnerabilities and making the Every 5 minutes, a hacker reports a vulnerability. Every
internet safer for everyone. Hackers’ motivation to 60 seconds, a hacker partners with an organization on
join is not solely centered around bounties. Nearly HackerOne. That’s more than 1,000 interactions per
three times as many hackers (41%) begin hacking to day towards improved security.
learn and to contribute to their career and personal
growth, and nearly as many hack to have fun (13%) as For a deep dive into the hacker community, checkout
those who do it for the money (14%). With each new the 2019 Hacker Report.

555K+ 140K+ $74M+

TOTAL TOTAL VALID TOTAL
REGISTERED VULNERABILITIES BOUNTIES
HACKERS SUBMITTED PAID

*As of November 2019

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 12

 What Are The Most Common
Vulnerabilities Hackers Report?
HackerOne customers have received more than Risk is a fact of life. Today, technology unicorns,
140 ,0 0 0 (and counting!) valid security vulnerabilities governments, startups, financial institutions, and
across more than 1,600 programs of all sizes. open source projects are embracing collaboration
Combined, they represent a clear picture of the with hackers to identify their unknown vulnerabilities.
real-world risks we face today. What are the most impactful vulnerabilities that may
not be in the OWASP Top 10?
The HackerOne Top 10 Most Impactful and Rewarded
Vulnerability Types is an interactive site allowing you You can view the data on the The HackerOne Top 10
to explore bounty award levels, severity scores, total Most Impactful and Rewarded Vulnerability Types
report volumes, and more. today and share your newfound knowledge with your
colleagues and friends.
Here are the highlights:

• The technology world’s mass migration to

the cloud has resulted in increased risks from
vulnerabilities like Server Side Request Forgery.

• Despite the ever-growing attention on

protecting user privacy and data, Information
Disclosure vulnerabilities are still common.

• Less than half of this edition of the HackerOne

Top 10 overlap with the OWASP Top 10.

• Highly impactful vulnerabilities, like SSRF,

IDOR, and Privilege Escalation, are harder to
come by but continue to be the most valuable
vulnerabilities based on bounties awarded.

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 13

 Transitioning to Continuous Security

As with anything new, it’s prudent to take a After running a private or time-bound bounty
methodical approach to hacker-powered security. program, you’re ready to open your technology up
As you learn from each step, you’ll be better able to to a continuous public bug bounty program. As we
understand resource constraints and needs. showcased in the 2019 Hacker-Powered Security
Report, Public bug bounty programs represent the
Once you’ve established a VDP, a private, targeted highest hacker diversity and therefore produce
bug bounty program is the next step in the hacker- superior results.
powered security journey. A private program allows
you to further hone and test your internal processes That’s the best part of hacker-powered security:
while limiting the number of hackers involved, the you’re always in control!
volume of incoming reports, and public awareness of
the program. A private program also lets you view the Let’s take a deeper dive into the different types of
potential size and cost of a broader bounty program, bug bounty programs and how HackerOne can help
giving you time to scale your internal teams and you on your journey.
processes to match.

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 14

 The Power of More: Time-Bound
Bug Bounty via Hacker-Powered
Pentests
Today’s applications and sites rely on data from more
sources, leverage more packages, deploy on a greater
variety of cloud infrastructure, and serve users on a
larger diversity of devices. For all these reasons, it is vital SAVE TIME, AVOID TROUBLE
to keep an eye on the annual OWASP top ten application
Our developers are frequently
security risks and comparing it to your current and
planned tech stack. blown away by the ingenuity
of the researchers. Using
Injection flaws, improper authentication, and exposing HackerOne saves our security
sensitive data top the most recent OWASP list. Security
team a large amount of time,
teams are wise to also watch for emerging threats like
dangling DNS names and leaked API credentials. but more importantly it also
saves our finance team a lot
Traditional “point-in-time” penetration testing by a small of trouble.
team of researchers is expensive and simply can’t keep
pace with today’s continuous delivery (CD) software
model. Instead, companies are tapping into the global
NEIL MATATALL ,
community of white hat hackers to stay secure while they
SECU RIT Y ENGI NEER , GITH U B
continuously innovate. With HackerOne’s global hacker
community, you benefit from the diversity of skills, “on-
tap” availability, and cost-effectiveness you need. In fact,
HackerOne pentesting customers see up to 600 percent
ROI compared to traditional penetration tests.

For the first time, Forrester breaks down the benefits

using the proven Total Economic Impact methodology.
Based on interviews with multiple HackerOne customers,
Forrester calculates composite savings compared to
traditional penetration testing of more than $500,000 Want to learn more? Download the free
over three years. report from Forrester.

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 15

 Crowdsourced Security with
Absolute Confidence, Visibility
and Control
Security and control are essential for highly-regulated
industries, businesses that handle sensitive or personal
data, and government sectors.
SPECIALIZED AND UNIQUE
Since 2016, our Advanced Vetting capabilities have
The carefully selected,
helped HackerOne bring crowdsourced security to
some of the most risk-averse organizations around,
diverse population of
including the U.S. Department of Defense. Whether the HackerOne Clear researchers
organization seeks to protect sensitive national security applied their specialized
data, regulated health or financial data, or simply wish to
and unique skills to give us
satisfy a wary legal department, HackerOne Advanced
Vetting ensures all finders undergo the most intense
a controlled approach to
vetting possible. the crowdsourced security
testing model.
To qualify for Advanced Vetting, finders must
undergo an annual background check and ID
verification, maintain a threshold Reputation score
BRIAN NEELY,
on the HackerOne platform, and be free of any code
CIO AND C SO,
of conduct violations. Advanced Vetting, part of
AMERICAN SYSTEMS
HackerOne Clear, goes beyond ID verification and
criminal background checks to include real-world
validation of finders’ skills based on their performance
in HackerOne programs.

Clear’s Advanced Vetting feature is designed for

organizations that require strict finder verification
capabilities consisting of ID verification, criminal
background checks, and skill validation based on the Want to learn more? Contact us today or visit
finder’s historical performance. us online.

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 16

 Do it Live: One Day, Big Benefits
Though this community thrives on the internet, These events increase hacker engagement on
HackerOne also brings hackers together through mature programs, support customer recruiting
live hacking events around the world. Live hacking is efforts, and result in thousands of resolved security
a unique type of bug bounty engagement in which vulnerabilities for the likes of Uber, Dropbox,
hackers from all over the globe fly in to participate in GitHub, Shopify, Verizon Media, U.S. Air Force and
an in-person, timeboxed testing period focusing on a the U.S. Marine Corps. With highly skilled hackers
targeted set of assets. collaborating on the same attack surface, critical
vulnerabilities that could have existed for years
This traditionally includes two weeks leading up to are instead uncovered in days. Recent live hacking
the event, culminating in 2-3 days in a particular events have taken place in San Francisco, London,
city. During those several days, we bring the Amsterdam, Singapore, Las Vegas, and other cities
programs’ security teams and hackers together for around the world.
social activities, sightseeing, knowledge-sharing,
and of course, lots of hacking. Special scopes are We also host hacking workshops for student
released for more compelling testing, companies are groups, structured hacking mentorship sessions
encouraged to provide metadata or unique feature and job recruiting workshops. HackerOne’s first
access for additional research, cash bonuses and live hacking event, h1-702, was in Las Vegas in
bounties are offered, and there’s a leaderboard for August 2016 during DEF CON and spanned three
the event with awards for the top hackers for best days, paying out over $150K to a group of about 30
bug, best signal, highest reputation gain, and the best hackers. Live hacking events have come a long way
hacker of the event (Most Valuable Hacker). since then, improving the structure and experience
for top hackers and customers alike and paying
This gives customers the opportunity to build hackers nearly $1M during a one day event.
relationships with the hacker community in person.

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 17

 Build a Nonstop Security Army:
Continuous Bug Bounty Program
Bug bounty programs can be continuous, global, and
comes with nearly limitless skills and experience. A
bug bounty program puts all of these elements to
work improving and hardening your security, all day,
everyday. HackerOne Bounty gives you a flexible
platform to manage, coordinate, and analyze a bug
bounty program designed to fit your unique needs.

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 18

 WHERE AND HOW BUG BOUNTIES FIT INTO THE SDLC

1. TRAINING & RISK ASSESSMENT 5. TESTING

Revelations of missing best Dynamic testing (bug bounties can
practices and the subsequent be deployed in sandbox development
gaps and security risks that are environments as well as live in
uneaxrthed through bug bounties production) results in faster and more
present a leading indicator for effective feedback loops.
your next training session for
engineering. 6. DEPLOYMENT
Going beyond testing, bug bounties
2. REQUIREMENTS can have a significant impact on
Bug bounties identify issues process improvement as the “always
that were never found prior and on” feedback from hackers blends
provide valuable input to guide perfectly with rapid deployments
the development requirements to
maintain strong application security. 7. RESPOND
The basis for a good bug bounty
3. DESIGN program, your Vulnerability Disclosure
Bug bounties reveal insecure Policy will drive the conversations
coding practices, and the unknown with hackers, improving your overall
risks associated with a certain security posture.
architecture, design, or code
implementation. This informs
your design and application
architecture approach.

4. DEVELOPMENT
Bug bounties reveal critical
vulnerabilities in your software.
This is the ultimate goal, to make
the unknown issues known and a
fix prioritized before criminals can
exploit them.

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 19

 Reduce Risk, Launch Products
Faster, and Strengthen Your
Brand with Hacker-Powered
Security
No matter how you choose to structure your bug • European Union: In the aftermath of the
bounty program, it can be entirely private, blatantly Heartbleed incident, The European Union
public, or anywhere in between. launched EU-FOSSA to take a proactive stance
to strengthen the security of the key open

Private bug bounty programs currently make up 79% source infrastructure it uses. They recently
expanded the program with EU-FOSSA 2 .
of all bug bounty programs on HackerOne, down from
88% in 2017 and 92% in 2016 calendar years. You can
see more statistics and analysis in the 2019 Hacker- The benefits of hacker-powered security are many,
Powered Security Report. from improving on traditional penetration tests
by identifying 10-times the number of critical
No matter how you structure your bug bounty vulnerabilities, to identifying dozens or hundreds
program, you are in good company with organizations of vulnerabilities in a few days, to spending just
like Starbucks, GitHub, Airbnb and many others who a fraction of a security engineer’s salary while
trust HackerOne to be their bug bounty platform. paying only for validated results. Even government
regulators and industry groups are imploring
Featured case studies: organizations to use hacker-powered security,
publish VDPs, and consider bug bounty programs.
• Yelp: Read how Yelp transitioned from a private
bug bounty program to a public bug bounty
program and their learnings and statistics.

• GitHub: Learn how they reduced blind spots and

supplemented their internal teams with hacker-
powered security.

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 20

 You may consider launching a program on your own,
but you’ll quickly run into challenges with finding
AUGMENT SECURITY and attracting top hacker talent, integrating reports
into your existing workflow, and paying bounties in
One of the best ways for
various currencies and across international borders.
us to augment our internal Even the largest companies that operate do-it-
security team is to work with yourself bug bounty programs experience very low
the white hat community. signal-to-noise ratios. In a 2016 blog post, Facebook
noted that they received 13,233 vulnerabilities, with
This was a pain before
just 526 of them considered valid. That’s a 4% signal-
HackerOne but now is to-noise ratio.
significantly easier.
Conversely, consider the benefits of working with
a proven platform that’s built a stellar reputation with
TOBIA S LUTKE , the hacker community, and has experience tracking,
SHOPI F Y categorizing, and triaging tens of thousands of
reports. The resulting knowledge built into the
platform benefits all users with faster and more
RE AD TH E BUG BOU NT Y accurate triage and a signal-to-noise ratio of 80%
CASE STU DY or higher. Triage is the process which brings signal up
to 100%.

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 21

 HackerOne Delivers
From implementing the basics of a vulnerability of Defense, General Motors, Google, Goldman
disclosure process to supercharging your existing Sachs, PayPal, Hyatt, Twitter, GitHub, Nintendo,
security programs via a bug bounty program, Lufthansa, Microsoft, MINDEF Singapore,
HackerOne has you covered. No matter which Panasonic Avionics, Qualcomm, Starbucks,
program or hacker-powered security choice is right Dropbox, Intel, HackerOne has helped to find
for you, working with HackerOne means you work with over 140,000 vulnerabilities and award over $74M
vetted, trusted hackers. HackerOne provides several in bug bounties to a growing community of over
layers of control for selecting, inviting, and approving 550,000 hackers. HackerOne is headquartered in
hackers based on their Reputation metrics, past San Francisco with offices in London, New York,
program participation, specific skills, and more. the Netherlands, France and Singapore.

HackerOne is the #1 hacker-powered pentest & Do you require strict finder verification
bug bounty platform, helping organizations find capabilities? Download the datasheet to learn
and fix critical vulnerabilities before they can be about HackerOne’s Advanced Vetting.
exploited. More Fortune 500 and Forbes Global
1000 companies trust HackerOne than any other And we can help you, too! Learn more by visiting
hacker-powered security alternative. With over 1,600 our website or contacting us today.
customer programs, including The U.S. Department

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE 22

 About Us
HackerOne is the #1 hacker-powered security platform,
helping organizations find and fix critical vulnerabilities before
they can be exploited. More Fortune 500 and Forbes Global
1000 companies trust HackerOne than any other hacker-
powered security alternative. With over 1,600 customer
programs, including The U.S. Department of Defense,
General Motors, Google, Goldman Sachs, PayPal, Hyatt,
Twitter, GitHub, Nintendo, Lufthansa, Microsoft, MINDEF
Singapore, Panasonic Avionics, Qualcomm, Starbucks,
Dropbox, Intel, HackerOne has helped to find over 140,000
vulnerabilities and award over $74M in bug bounties to a
growing community of over 570,000 hackers. HackerOne is
headquartered in San Francisco with offices in London, New
York, the Netherlands, France and Singapore.

Contact us to get started.

THE BEGINNERS’ GUIDE TO BUG BOUNTY PROGRAMS HACKERONE

HACKERONE 23
23