[BBFM] - Project Plan
This project plan helps your Bug Bounty Leader (BBL) and Bug Bounty Team (BBT) plan, launch, and operate a successful bug bounty program.

The plan is a spreadsheet with the columns Item, Owner, Target Date, Status, Comments and Links. Owner, Target Date and Status are left blank for you to fill in; where the Comments or Links column is filled in, its content follows the item in brackets.

Phase 1 - Assessment

  Assess organizational readiness
    Perform an assessment to determine which type of program will best suit you

Phase 2 - Preparation

  Allocate Resources
    Choose your Bug Bounty Leader
    Identify your Bug Bounty Team members
    Set up a weekly "on duty" bug bounty rotation (e.g. add recurring calendar entries, or set it up in whichever on-duty tooling you normally use)

  Vulnerability Management
    Ensure your VM process has severities and associated expected remediation timelines
    Figure out how the new stream of bugs from your program will plug into your existing VM process

  Determine your bounty process
    Create a bounty structure/table (how much will you pay for different severity issues? etc.)
    Determine *when* you will pay bounties (recommended: at time of validation of the issue)
    Determine *how* you will pay bounties (does the on-duty person have the power to make the decision and pay out the bounty? does everyone vote ahead of time on each report, followed by a weekly meeting to discuss and make final decisions? etc.)
    Determine your bug bounty budget and get it approved

  Determine your SLAs (Service Level Agreements)
    Determine your SLA for first response
    Determine your SLA for time to bounty
    Determine your SLA for time to remediation (based on severity)

  Craft your security page [Comment: Use this blog as guidance]
    Define your scope (both "in" and "out" of scope - start small!)
    Add your SLAs to your security page
    Add any eligibility/out-of-scope vulnerability requirements
    Add an email address or other way for hackers to contact you out of band in case they have questions on scope, rules, etc. (add a note that this contact method is NOT meant for reporting vulnerabilities)
    Share the security page draft with relevant stakeholders for feedback
    Incorporate feedback and finalize the security page on HackerOne

Phase 3 - Champion Internally

  Prepare to be a champion! [Comment: Refer to these slides for addressing common concerns around bug bounty programs]
    Set up an avenue for receiving feedback/questions/etc. on your new bug bounty program (e.g. an email alias, Google Form, etc.; whatever works best for your organization)
    Identify internal "marketing material" for your bug bounty program that you'll leverage when championing it with various teams
    Prepare to run multiple "AMA" (ask me anything) sessions with various teams, where you briefly present what a "bug bounty program" is and why it's awesome, then allow time to answer any questions/concerns people have [Comment: Depending on the size of your organization, you may be able to combine AMAs across multiple teams]
    Create a "bug bounty FAQ" with common questions and answers around your new bug bounty program

  Champion for your program with your security team
    Send an email to the security team bringing up the bug bounty program, including fodder on why it's a great idea, a link to your FAQ, a link to your avenue for feedback/questions, and announcing your "security team bug bounty AMA (ask me anything)"
    Set up and run an "AMA" with the security team to discuss the idea and answer any questions/concerns they have
    Record any feedback/questions and send a follow-up email ensuring they are addressed; update your FAQ as well

  Champion for your program with your engineering team
    Send an email to your engineering team bringing up the bug bounty program, including fodder on why it's a great idea, a link to your FAQ, a link to your avenue for feedback/questions, and announcing your "eng bug bounty AMA"
    Set up and run an "AMA" with engineering to discuss the idea and answer any questions/concerns they have
    Record any feedback/questions and send a follow-up email ensuring they are addressed; update your FAQ as well

  Champion for your program with your finance team
    Send an email to your finance team bringing up the bug bounty program, including fodder on why it's a great idea, a link to your FAQ, a link to your avenue for feedback/questions, and announcing your "finance bug bounty AMA"
    Set up and run an "AMA" with finance to discuss the idea and answer any questions/concerns they have
    Record any feedback/questions and send a follow-up email ensuring they are addressed; update your FAQ as well

  Champion for your program with your legal team
    Send an email to your legal team bringing up the bug bounty program, including fodder on why it's a great idea, a link to your FAQ, a link to your avenue for feedback/questions, and announcing your "legal bug bounty AMA"
    Set up and run an "AMA" with legal to discuss the idea and answer any questions/concerns they have
    Record any feedback/questions and send a follow-up email ensuring they are addressed; update your FAQ as well

  Champion for your program with your PR/marketing team
    Send an email to your PR/marketing team bringing up the bug bounty program, including fodder on why it's a great idea, a link to your FAQ, a link to your avenue for feedback/questions, and announcing your "PR/marketing bug bounty AMA"
    Set up and run an "AMA" with PR/marketing to discuss the idea and answer any questions/concerns they have
    Record any feedback/questions and send a follow-up email ensuring they are addressed; update your FAQ as well

Phase 4 - Launch

  Prepare for takeoff
    Perform one last spot check on your security page (if you have a HackerOne Customer Success Manager, check with them for help)
    Ensure you are all set to pay bounties (either add a credit card to your HackerOne account, or have prepayment processed; see the support article) [Link: https://support.hackerone.com/hc/en-us/articles/205624645-How-does-HackerOne-pay-the-hacker-]
    Invite 5 hackers to start assessing your in-scope assets (see the support article) [Link: https://support.hackerone.com/hc/en-us/articles/205624995-How-do-we-invite-hackers-to-our-program-]
    Make sure you have 1-3 people on deck for the week you launch to handle incoming reports; there is usually a large spike at the start of your program

  Nail down the first couple of weeks
    Triage the initial wave of reports
    Receive (and ask for!) feedback from hackers; incorporate this feedback into your program and security page
    Receive (and ask for!) feedback from internal stakeholders on your bug bounty program processes; incorporate this feedback
    After the first two weeks, have a meeting with your bug bounty team and any other key stakeholders to discuss what's going well, what's going poorly, what you'd like to adjust, etc.

Phase 5 - The Post Bounty Era

  Scale your program
    Review the reports you've received thus far and determine what your goals are for scaling your program (more bugs? more bugs in a specific scope? more critical bugs and fewer low-severity bugs? etc.)
    Based on your goals, determine how you will scale your program (more hackers? additional scope? running a time-boxed promotion/contest? conducting a live hacking event with HackerOne? etc.)
    Flesh out tasks in this plan based on the plan of attack you choose to scale your program

  Review your vulnerability management processes
    Do a health check on vulnerability management for bugs coming in via your program: what are remediation timelines looking like? Are there any issues or inefficiencies in your vulnerability management process? (refer to BBFM Ch. 5.2 for ideas on what to look for in this health check)
    Based on your health check, identify specific action items/improvements and outline them as tasks in this plan

  Leverage your bug bounty data / root cause analysis
    Establish a process for root cause analysis on bugs that flow in via your program (how was the bug introduced? are there other similar issues you can automatically identify in your codebase?)
    Review your bug bounty data for common trends that indicate failures in your security processes (e.g. are you seeing a large majority of one vuln type on a particular scope? why is that? are the developers of that scope in need of additional security training, or perhaps not using escaping libraries that can help prevent these vulns from popping up? etc.)
    Flesh out tasks in this plan for follow-up items to improve your SDLC and security processes based on the common problems you identify from the above research
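The health check in "Review your vulnerability management processes" and the trend review in "Leverage your bug bounty data" are easy to automate once the three SLAs from Phase 2 are written down as numbers. The script below is an added example, not part of this plan or of HackerOne's tooling: it measures first-response, time-to-bounty and severity-based remediation SLAs over a set of report records and flags any scope where one vulnerability type makes up a majority of reports. The field names, the SLA targets, the fixed "now" and the six sample reports are all constructed for illustration; a real run would read your program's export and use the current time.

```python
"""Added example (not from the Bug Bounty Field Manual or HackerOne): a health check
over bug bounty report records that measures the plan's three SLAs (first response,
time to bounty, time to remediation by severity) and flags scopes where one
vulnerability type dominates. Field names, SLA targets and the reports are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Assumed SLA targets; the plan leaves the real numbers to your program.
SLA_FIRST_RESPONSE = timedelta(days=1)
SLA_TIME_TO_BOUNTY = timedelta(days=7)  # clock starts at triage (validation), as the plan recommends
SLA_REMEDIATION_BY_SEVERITY = {
    "critical": timedelta(days=7),
    "high": timedelta(days=30),
    "medium": timedelta(days=90),
    "low": timedelta(days=180),
}

# "Now" is fixed so the check is reproducible; a real run would use datetime.now().
NOW = datetime(2024, 4, 15)

# Constructed sample reports (not real data). None means the event has not happened yet.
SAMPLE_REPORTS = [
    {"id": 1, "scope": "app.example.com", "weakness": "XSS", "severity": "medium",
     "reported": "2024-03-01T09:00:00", "first_response": "2024-03-01T15:00:00",
     "triaged": "2024-03-02T10:00:00", "bounty_paid": "2024-03-03T10:00:00",
     "resolved": "2024-04-10T10:00:00"},
    {"id": 2, "scope": "app.example.com", "weakness": "XSS", "severity": "medium",
     "reported": "2024-03-03T09:00:00", "first_response": "2024-03-05T09:00:00",
     "triaged": "2024-03-05T12:00:00", "bounty_paid": "2024-03-06T12:00:00",
     "resolved": None},
    {"id": 3, "scope": "app.example.com", "weakness": "XSS", "severity": "high",
     "reported": "2024-03-05T09:00:00", "first_response": "2024-03-05T10:00:00",
     "triaged": "2024-03-06T09:00:00", "bounty_paid": None, "resolved": None},
    {"id": 4, "scope": "app.example.com", "weakness": "IDOR", "severity": "high",
     "reported": "2024-03-10T09:00:00", "first_response": "2024-03-10T12:00:00",
     "triaged": "2024-03-11T09:00:00", "bounty_paid": "2024-03-12T09:00:00",
     "resolved": "2024-03-20T09:00:00"},
    {"id": 5, "scope": "api.example.com", "weakness": "SQLi", "severity": "critical",
     "reported": "2024-03-20T09:00:00", "first_response": "2024-03-20T09:30:00",
     "triaged": "2024-03-20T12:00:00", "bounty_paid": "2024-03-21T12:00:00",
     "resolved": "2024-03-22T09:00:00"},
    {"id": 6, "scope": "api.example.com", "weakness": "IDOR", "severity": "low",
     "reported": "2024-03-25T09:00:00", "first_response": "2024-03-25T10:00:00",
     "triaged": None, "bounty_paid": None, "resolved": None},
]


def _dt(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value) if value else None


def sla_breaches(reports, now=NOW):
    """Return {report_id: [breached SLA names]}.

    An SLA is breached when the closing event happened later than the target, or has
    not happened yet and the target has already passed relative to `now`."""
    breaches = defaultdict(list)
    for r in reports:
        reported = _dt(r["reported"])
        checks = [
            ("first_response", reported, _dt(r["first_response"]), SLA_FIRST_RESPONSE),
            ("time_to_bounty", _dt(r["triaged"]), _dt(r["bounty_paid"]), SLA_TIME_TO_BOUNTY),
            ("remediation", reported, _dt(r["resolved"]), SLA_REMEDIATION_BY_SEVERITY[r["severity"]]),
        ]
        for name, start, end, target in checks:
            if start is None:
                continue  # clock has not started (e.g. not yet triaged, so no bounty is due yet)
            if (end or now) - start > target:
                breaches[r["id"]].append(name)
    return dict(breaches)


def dominant_weakness_by_scope(reports, threshold=0.5, min_reports=3):
    """Return {scope: (weakness, share)} for scopes where a single weakness type makes up
    more than `threshold` of the reports, ignoring scopes with fewer than `min_reports`
    reports so that one or two reports do not count as a trend."""
    per_scope = defaultdict(Counter)
    for r in reports:
        per_scope[r["scope"]][r["weakness"]] += 1
    flagged = {}
    for scope, counts in per_scope.items():
        total = sum(counts.values())
        if total < min_reports:
            continue
        weakness, n = counts.most_common(1)[0]
        if n / total > threshold:
            flagged[scope] = (weakness, n / total)
    return flagged


if __name__ == "__main__":
    for report_id, names in sorted(sla_breaches(SAMPLE_REPORTS).items()):
        print(f"report {report_id}: breached {', '.join(names)}")
    for scope, (weakness, share) in dominant_weakness_by_scope(SAMPLE_REPORTS).items():
        print(f"{scope}: {share:.0%} of reports are {weakness}; look at training or a shared fix")
```

On the sample data, report 2 breaches first response, report 3 breaches both time to bounty and remediation (it is still open past the high-severity target), and app.example.com is flagged because three of its four reports are XSS. Counting open reports against `now` is what makes the check useful as an ongoing health check rather than a retrospective; the `min_reports` floor keeps a single report on a new scope from being reported as a trend.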