Corporate Cybersecurity. John Jackson



      It’s safe to say that information security and the industry surrounding it have exploded into a massive, constantly growing sector around the world. Like many other professions within technology, the main attribute which has secured many organizations’ success (or failure) in maintaining their relevance has been their ability to adapt. In the case of security, we are constantly adapting to methods used by malicious actors with the hopes of becoming as secure as possible – with the goal of identifying (and remediating) vulnerabilities prior to an attack.

      As security professionals we understand that it isn’t a matter of if an event happens, but when. Although nothing can be completely secure, it’s our job to work towards obtaining a level of maturity within our security programs that is proactive against potential threats. Although zero days will always exist, it’s our job to stay up to date and as protected as possible, which can be very costly, especially for many organizations that don’t fully understand security and (in many situations) are hesitant to move forward with a proper budget for what is needed to enable adequate, professionally accepted levels of protection.

      Information security, or cybersecurity, is still in its infancy. This may be a shocking statement to someone who doesn’t work within the industry; it is, however, accurate. Only recently have many universities begun offering degrees in the field of cybersecurity. Many pieces of software that would be considered a “must have” for a company’s defense in depth weren’t in existence just a couple of short years ago.

      Many professionals in the industry have moved to their positions as security specialists after previously working in general information technology. I have worked with many organizations, in both the private and the public sectors, and at this point in time, from what I’ve witnessed, a very small fraction of security professionals have been formally educated in security, and rely heavily on certifications to prove their understanding of the field. This is a blessing for those who need to obtain credentials quickly without the slow drag of the many years of college, but also is a curse for those with certifications but little real world experience. An overwhelming number of professionals are learning on the job, which can be daunting given the fact that many organizations are looking to increase their maturity as quickly as possible.

      It’s no secret that software security and web application security are fast-growing segments within the field of cybersecurity. Every organization has a web presence. Every organization uses software. Individuals also use software and web applications in their daily lives, assets which hold personally identifiable information, and whose contents can greatly range in sensitivity.

      Although identifying vulnerabilities through continuous testing is a powerful activity, many organizations don’t have the resources or budget to consider it as an option. In search for a remedy to this situation, I have seen many explore the option of creating or joining a bug bounty program, albeit reasons for considering such a program are not limited to such issues. This can clearly be seen in large organizations’ involvement with their own bug bounty programs. It’s quickly becoming a standard for many large companies to have a bug bounty program, either in house or through a third party.

      Bug bounty programs may be new, but they have caught on quickly with proactive organizations seeking to be more secure. It was only in 2013 (less than a decade as of this writing) that Katie Moussouris created Microsoft’s first bug bounty program. In March 2016, Moussouris would also be involved with the creation of the Department of Defense’s “Hack the Pentagon” pilot program, which would serve as the United States Federal Government’s first bug bounty program. Bug bounty programs have gained in popularity due to their benefits greatly outweighing their negatives, many of which are explained clearly within this book, which at the time of writing is geared to be the first wide-release publication on how to create and manage a bug bounty program.

      This book is a critical asset for security professionals who seek to understand how to build and operate a bug bounty program. Security professionals can use this book as a guide for the creation of their own bug bounty program. Professionals across all domains of security can use this book to quickly absorb the years of information acquired by real world experience to understand the subject and provide more value to their team.

      Robert (@rej_ex) Willis

      There are far too many influential people in my career to mention in this section. I’m thankful for all of the information security individuals who have let me learn alongside them, given me opportunities, and have put my skills to the test. I’ve learned many lessons along the way.

      A special thank-you to my friend Christian Bobadilla is in order. Christian is one of the most talented application security experts I know, and his humility keeps him out of the information security limelight. Through me, your excellent advice and mentoring lives. If it weren’t for you, I wouldn’t know even a quarter of what I do about bug bounty programs. Thank you for being a positive role model in my life. It’s exceedingly difficult to find people who are not only intellectually sharp and humble but also incredible leaders. This book is dedicated to the faith that you have put in my abilities.

      One final dedication: to my father, who encouraged me to try my best at all times. Rest in peace.

Part 1 Bug Bounty Overview

      1.1 Making History

      Understanding the evolution of bug bounty programs first requires familiarity with the hacking landscape, or as many in the information security field know it, penetration testing. Security researchers haven’t always been respected or given the opportunity to shine. Throughout history, hacking has been a word that scares the public and creates waves of fear inside a company when rumors of a “hack” spread. The first bounty paid for breaking into something (in recorded history) was in 1851. Charles Alfred Hobbs was paid roughly the equivalent of $20,000 to pick a physical lock. (https://www.itspmagazine.com/itsp-chronicles/history-and-interesting-facts-about-bug-bounties-an-appsec-usa-2017-panel-recap).

      The first actual bounty program was run by Netscape and it began in 1995. The primary scope was application testing for Netscape Navigator 2.0, their primary product. Slowly, other enterprises started to adopt their own bug bounty programs and offer awards. Bug bounty crowdsourcing platforms introduced the new wave, compiling enterprise programs into a neat catalogue in which security researchers could hop into various programs and begin to participate. Bugcrowd was known
