What Is Bug Bounty?

Cybercrimes and hacking incidents have increased by epidemic proportions in the last few years forcing security professionals to put more emphasis on the importance of locating vulnerabilities. In order to provide secure applications, developers are constantly scanning their code to enhance code integrity in the early development stages.

 

This is where bug bounty programs come into play. A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exposures through exploits and vulnerabilities.

 

Safaricom, a leading telecommunication service provider in Kenya, has launched its bug bounty program to the members of the public whose task will be to hunt for bugs on the Safaricom Systems.  This was announced in the recently concluded Africahackon conference.

 

For one to enroll for the program, here are the steps to be followed,

  1. Send your full name, Email address and CV to [email protected]
  2. You will get an invite to register to the Safaricom Bug bounty platform. Follow the instruction on the invite to register and go through the access approval process
  3. Read the policy/guidelines and review the scope provided
  4. Research and submit your reports as per the provided guidelines (NB: There will be a specific scope, invites and timeline)
  5. Your report will first be triaged by the Hackerone team and if valid will be forwarded to Safaricom for further review and confirmation
  6. If confirmed as valid, you will be paid your bounty within 30days depending on the severity of the bug

According to Safaricom, the rewards will be based on the severity of the bug within a scale of 0.1-10 as below.

Critical (9.0-10)    -$2000

High (7.0-8.9)     -$1000

Medium (4.0-6.9) – $500

Low (0.1-3.9) –   $150

Safaricom joins other organization such as Google, Facebook, Apple, PayPal and Pentagon that has enrolled the bug bounty program. Other companies with similar program in Africa are OLX in South Africa.

 

Facebook has been using its own bounty program for over 5 years and Since Facebook launched its own bug bounty program, 900 ethical hackers have been rewarded with more than $ 5 million. Google rewards the individual security flaws discovered by ethical hackers with $ 100 to $ 20,000, with PayPal, any security mistakes found goes for between $ 50 to $ 10,000. The company appreciates the most vulnerabilities connected with the leakage of sensitive data of its users. See a complete list of bug bounty program from Hacker One https://hackerone.com/bug-bounty-programs

 

What you need to know before you launch a Bug Bounty Program

 

Before launching a bug bounty program to the public consider the following,

Defining bug bounty goals:

Once you’re set and determined to set up a bug bounty program, you need to decide on your goals and what you want to achieve during the program. You also need to have the ability to:

  • Validate the Hacker
  • Have clear guidelines for submitting Vulnerabilities
  • Define a responsible behavior of a Hacker
  • Validate the Vulnerabilities
  • Have clear compensation program
  • Have a clear policy on when/how a vulnerability will be publicly disclosed

Implement a vulnerability management process:

Ensure you have a well Established Vulnerability Management Process to respond and fix the bug on time.

 

Secure Your System

By enrolling on the bug bounty program you are essentially bringing “hackers” on board and so others may leverage this opportunity to do a malicious activity without reporting the bug to the organization. Therefore, ensure that you have proper security controls in your system.

 

Should companies take up the bug bounty program?

The need for companies to detect the vulnerabilities in their system has become a reality, and a Bug Bounty is the best way to achieve that provided that it is done in a clear and procedural way.

However, for those who feel less comfortable implementing their own program, there are business partners out there such as Hackerone, Bugcrowd, and HackerHive who are ready to help you take advantage of a white-hat community that consistently outperforms technology when it comes to discovering vulnerabilities.

Therefore, whether you use these third parties or set out on your own to create a bounty program, make sure you have clear policies and reporting procedures in place to avoid conflicts with hackers and to give your business a clear process for dealing with vulnerability reports.