A few weeks ago we launched our security bounty program. This was a great decision and we should have done it earlier. Over the last few weeks, we learned some key lessons.

Money well invested

Our program rewards researchers depending on what they find, not on how much time they spend. Since the start, we have awarded $2050. We try to set rewards honestly, depending on the potential impact of the exploit.

Researchers have been quite pleased with those amounts. For us, this remains a lot cheaper than a conventional security audit. And of course, you only pay when something is found.

Precisely describe what you’re looking for

Security researchers are sure to get frustrated if you don’t define precisely what you expect. In our case, we value user experience a lot and try to avoid friction when we can. For example, this means that sessions on our website don’t expire. If we were a bank, this would be a big mistake, but I believe it is a compromise we’re right to make.

Precisely describing which exploits are interesting also boosts motivation, as you’ll, of course, be providing larger bounties.

Be ready to change your mind

I also end my emails to security researchers by telling them I’m fine being proven wrong. This is important since a significant number of reports don’t lead to a reward. Sometimes your team can get it wrong and miss a real exploit.

Be quick and precise

Out of respect for researchers, it’s important to respond quickly to inquiries, even if it is only to say you’re working on it. In some rare instances, there might be a disagreement on the risk posed by a vulnerability. Sharing why you believe a bug does or does not pose a threat is crucial to maintaining a good relationship with security researchers.

Pay quickly and be publicly grateful

PayPal payments are easy to do. Do them within minutes. Ask for a name and backlink to display on your website. This doesn’t cost you anything but is always nice for researchers.

Want to participate in our Security Bounty Program? Give it a try!