Who is a hacker? What is a bug bounty program? How do you get started with bug bounties? How much should I pay hackers who find bugs in my website and apps?
All these questions and more are answered in our bug bounty basics booklet. Learn more about the market-leading bug bounty platform and how it is the ideal choice for continuous security testing at https://www.hackerone.com/product/bounty
3. Bug Bounty Program
/ˈbəg ˈbau̇n-tē ˈprō-ˌgram/
A program where ethical hackers are invited to report security vulnerabilities to organizations in exchange for monetary rewards for useful submissions. Bug bounties are commonly seen as the most effective and inexpensive way to identify vulnerabilities in live systems and products.
HACKERONE
4. STEP ONE: DEFINE YOUR SCOPE
Create your own security program page with instructions for hackers: what targets are in scope, what types of findings are eligible and which are not, what rewards you will pay, what behaviors are acceptable, and what the ideal vulnerability report should look like. Be as explicit about exclusions (testing methods or targets you do not want touched) as about inclusions: hackers will test whatever the policy does not rule out. Start with HackerOne's template, ask for help if you want it, and modify as needed.
5. BOUNTY PROGRAM SCOPE (sample program page for Company A, https://hackerone.com/yourprogram)
We are interested in any vulnerability that could negatively affect the security of our users.
OUR BOUNTIES
• $100 minimum bounty
• $500 average bounty
• $10,000 maximum bounty
IN-SCOPE VULNERABILITIES
• Cross-Site Scripting
• Cross-Site Request Forgery
• Server-Side Request Forgery
• SQL Injection
• Server-Side Remote Code Execution
• XML External Entity Attacks
IN-SCOPE PROPERTIES
• api.CompanyA.com
• bonjour.CompanyA.com
• business.CompanyA.com
• cn-cfe1.CompanyA.com
• cn-dc1.CompanyA.com
• cn-dc2.CompanyA.com
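As an added example (not HackerOne's code and not part of the original booklet), the following scope check shows how a program team can test an inbound report against the sample scope above before a human triages it. The in-scope hosts and vulnerability classes are the ones listed on the sample page; the wildcard entry `*.staging.companya.com` and the sample report inputs are assumptions added here to show how a wildcard scope line and common hostname tricks (userinfo, ports, look-alike suffixes) are handled.

```python
"""Scope check for inbound bug bounty reports (added example, not HackerOne code).

Decides whether a reported target and weakness class fall inside the sample
program scope, before a human triages the report. The in-scope hosts and
weakness names are the sample ones from the program page; the wildcard entry
and the report inputs below are assumptions added for illustration.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Sample in-scope properties from the program page, stored lower-case so
# that comparisons are case-insensitive.
IN_SCOPE_HOSTS = {
    "api.companya.com",
    "bonjour.companya.com",
    "business.companya.com",
    "cn-cfe1.companya.com",
    "cn-dc1.companya.com",
    "cn-dc2.companya.com",
}

# Assumption: the sample page lists only exact hosts. A wildcard line is
# shown here because most real programs have one; it covers subdomains
# only, not the apex name itself.
IN_SCOPE_WILDCARDS = {"*.staging.companya.com"}

# Sample in-scope vulnerability classes from the program page.
ELIGIBLE_CLASSES = {
    "cross-site scripting",
    "cross-site request forgery",
    "server-side request forgery",
    "sql injection",
    "server-side remote code execution",
    "xml external entity attacks",
}


def normalize_host(target: str) -> Optional[str]:
    """Return the canonical hostname from a URL or bare host, or None.

    Parsing with urlsplit (rather than string searching) drops userinfo,
    ports and paths, so a report naming
    https://api.companya.com@evil.example/ resolves to evil.example and
    cannot be mistaken for an in-scope target. Trailing dots and letter
    case are normalised as well.
    """
    if "://" not in target:
        target = "//" + target  # let urlsplit treat a bare host as the netloc
    host = urlsplit(target).hostname
    if not host:
        return None
    return host.rstrip(".").lower()


def host_in_scope(target: str) -> bool:
    """True if the target's hostname is an exact or wildcard scope match."""
    host = normalize_host(target)
    if host is None:
        return False
    if host in IN_SCOPE_HOSTS:
        return True
    for pattern in IN_SCOPE_WILDCARDS:
        # "*.staging.companya.com" -> ".staging.companya.com"; the leading
        # dot enforces a label boundary, so "evilstaging.companya.com" and
        # "api.companya.com.evil.example" do not match.
        suffix = pattern[1:]
        if host.endswith(suffix):
            return True
    return False


def triage(target: str, weakness: str) -> Dict[str, object]:
    """Combine the host and weakness-class checks into one triage decision."""
    host_ok = host_in_scope(target)
    class_ok = weakness.strip().lower() in ELIGIBLE_CLASSES
    if host_ok and class_ok:
        decision = "eligible"
    elif not host_ok:
        decision = "out-of-scope-target"
    else:
        decision = "ineligible-weakness"
    return {
        "host": normalize_host(target),
        "host_in_scope": host_ok,
        "weakness_eligible": class_ok,
        "decision": decision,
    }


if __name__ == "__main__":
    # Constructed sample reports, not real submissions.
    for target, weakness in [
        ("https://bonjour.CompanyA.com/login", "Cross-Site Scripting"),
        ("https://api.companya.com@evil.example/", "SQL Injection"),
        ("api.CompanyA.com.evil.example", "Server-Side Request Forgery"),
        ("https://build.staging.companya.com:8443/", "XML External Entity Attacks"),
        ("https://bonjour.companya.com/", "Clickjacking"),
    ]:
        print(target, weakness, "->", triage(target, weakness)["decision"])
```

The check is deliberately strict: a report is only "eligible" when both the host and the weakness class match, and anything the policy does not name is treated as out of scope. Real programs usually also carry a separate exclusion list (for example, specific hosts under a wildcard that must not be tested); that would be a third set consulted before the wildcard match.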
6. HOW DO I DECIDE HOW MUCH TO OFFER HACKERS?
Set bug bounty awards by the technical classification of the bug and the severity of its possible impact. We recommend a minimum of $100. The average is around $500 and the current record is $50,000. To get attention from the world's best hackers, pay more than the platform average. See our full list of programs to see how customers have defined their bounty programs.
8. WHO ARE THE HACKERS?
Hackers hail from around the world. Their reasons for hacking vary, but most hack because they love the challenge, want to do good in the world, and of course, to make money. More than 80,000 hackers from 70+ countries are registered to hack on HackerOne, and this number grows daily. For your program, you can invite hackers based on reputation score, set minimum signal requirements, and even search by vetted skills (such as expertise in native applications, mobile applications, hardware/IoT, and web applications).
9. WHY DO THEY HACK?
Hackers are from 70+ countries.
Reasons for hacking (share of respondents; more than one answer allowed):
• To make money: 71.5%
• To be challenged: 65.9%
• To have fun: 70.5%
• To build my resume: 64.3%
• To do good in the world: 50.8%
[Chart: years hacking, 1 through 5 years: 15.8%, 14.3%, 17%, 11.3%, 12%]
10. HOW SOON DO I GET BUGS REPORTED?
In the first day, expect 4 serious, non-duplicate vulnerability reports. The average customer sets a target of 10 bugs found in the first 2 weeks; you can target more if you like. Ask about HackerOne's Fully-Managed Program if you need help triaging inbound reports.
12. HOW DO HACKERS GET PAID FOR VALID REPORTS?
For valid bugs, HackerOne handles the paperwork and payment to a hacker anywhere in the world. Forget about international financial compliance, tax obligations, and other payment headaches; just leave it to us. We've paid hackers from 40 U.S. states and more than 80 countries.
14. HOW DO WE KNOW THE BUG BOUNTY PROGRAM HAS BEEN SUCCESSFUL?
When you receive valid submissions, you know that your program is working. The sooner your engineering team can fix the bugs found, the more secure your system will be. You can use this information and the analytics provided by the HackerOne platform to identify and improve the areas of your software development life cycle that seem to be causing the most vulnerabilities.
15.
Over time, your software becomes more secure and the number of valid submissions will slowly decline. When you deploy new software, you may want to offer new bounties to encourage repeat hackers to spend their time on you again.
[Illustration: sample report titles]
• Stored XSS in subdomain
• Read files lead to RCE
• Private email server compromised at your.site.com
16. ALWAYS BE IN THE KNOW WITH HACKERONE PLATFORM ANALYTICS
HackerOne offers all accounts access to a Standard Dashboard to monitor team stats in real time and stay on top of response time, stale issues, pending disclosures and more. Other, more advanced tools customers love include:
17.
• API Reports: Sync your data with your internal data analysis tools.
• HackerOne Success Index: Compare your security posture against other organizations of comparable size on key benchmark metrics.
• Advanced Analytics: Query more advanced reports to track metrics measuring your program's ROI.
• Custom Analytics: Work with our data science experts to fulfill your custom reporting requirements.
18.
HackerOne is the No. 1 hacker-powered security provider, connecting organizations with the world's largest community of trusted hackers. More than 800 organizations, including The U.S. Department of Defense, General Motors, Intel, Uber, Twitter, GitHub, Nintendo, Lufthansa, Panasonic Avionics, Qualcomm, Square, Starbucks, and the CERT Coordination Center trust HackerOne to find critical software vulnerabilities before criminals can exploit them. HackerOne customers have resolved more than 50,000 vulnerabilities and awarded more than $18M in bug bounties. HackerOne is headquartered in San Francisco with offices in London, Seattle, Los Angeles and the Netherlands.
For the most exhaustive list of live bug bounty programs, visit https://hackerone.com/bug-bounty-programs