“If I’m a hunter, is this worth my time and effort?”
Rather than overreacting to the “modest” level of hunter activity at the outset of DNV’s Bug Bounty Program (BBP), George Medhurst, who oversees the assurance and risk management specialist’s BBP, took the perspective of an ethical hacker – to impressive effect.
Speaking at our recent ‘Client Success Stories’ event in Stockholm, Medhurst told senior security professionals in the Nordic region how tweaks to the program description and more hunter invites – increased to 80 from an initial 20 – sparked a surge in reports.
Quantity AND quality
And these were generally high-quality reports too, especially from a prolific hunter who the DNV team dubbed ‘Wreck it Ralph’. “How clear he was with his reports, the intelligence behind it”, and so many ways of escalating privileges, said Medhurst – “we laughed at his ingenuity”.
At the time of speaking, Medhurst, DNV’s Head of Program Management and Testing, Digital Solutions, said the pilot program had generated 55 vulnerability reports, of which 24 warranted a payout – collectively totalling €9,000. A great return on investment, Medhurst concluded.
‘A lot of handholding’
After a modest beginning, these numbers had been achieved within 18 months of launch, which in turn came only six months after Medhurst became aware (via a pentester) of Bug Bounty. “The concept resonated with me immediately,” he recalled.
Before DNV committed to YesWeHack, concerns about budgetary constraints and securing sign-off from decision-makers were soon allayed by the enthusiasm of DNV’s development team and assurances from YesWeHack – which we subsequently lived up to.
For instance, YesWeHack provided “a lot of handholding and guidance” on assessing scopes and suggested they weren’t attractive enough when incoming bugs began as a trickle.
When reports really started to flow, the triage team worked efficiently to avoid blockages and help developers prioritise the most critical vulnerabilities. “I think it’s world class,” Medhurst said of the in-house triage service. “We’ve shown our technical support teams for software products how they deal with things. We’ve learned a lot – for free.”
Guided by YesWeHack, the vulnerability management process has become increasingly streamlined too, added Medhurst.
Positive feedback loop
DNV, a global brand headquartered in Norway, has derived benefits beyond each remediation’s closure of a single attack vector. They sometimes create automated tests for specific vulnerabilities, for instance.
Supported by an internal ‘security champions’ network, sharing hunters’ findings with developers and pentesters has also made development more secure and improved security testing – in effect creating a positive “feedback loop”, noted Medhurst.
DNV, which is also the world’s largest classification society for the maritime sector, is currently working on strengthening this feedback loop, adding two programs to the existing three and introducing maturity KPIs.
Success factors for the pilot were getting “funding principles in place straightaway, getting buy-in from developers and senior management, and having a strong relationship with the CSM and triage team”, said Medhurst.
In case your program does start strongly – and DNV’s latest BBP began with eight reports on day one – Medhurst advised attendees to “be ready to respond” when you go live.
He also suggested there was more to attracting hunters than offering enticing scopes and bounty grids. “Relationships matter,” said Medhurst, with speed of response, clarity of communication and fairness of rewards pivotal to building trust.
Finally, as we pointed out in a recent article that busts Bug Bounty misconceptions, budgetary constraints needn’t be a dealbreaker when considering whether to launch a BBP. “Don’t worry about running out of budget,” advised Medhurst. “Go with whatever budget you’re willing to invest and you’ll be pleasantly surprised!”
Explore the benefits of a Bug Bounty program for your organisation with our team of experts! Connect with us today to learn more.