
Running an Internal Bug Bounty Program

While SevHunt gives you the best platform for running an Internal Bug Bounty, your program will need your care and attention to actually be successful.

This document will take you through a few key points of operating a killer program!

Craft incentives the whole company craves

While hunting for bugs is fun in its own right, your employees are probably engaging with your program to get rewards. Knowing which rewards will entice people the most depends largely on your company's culture, but here is some guidance from developing swag ourselves:

Your products should not feel like another round of company merch

If you already have merch, it might be tempting to slap your logo on a higher quality product and call it a day - that might work for some employees, but you can do better!

Your products should feel exclusive; your employees should view them more like trophies than "expensive goods".

Think of a merch booth at a live concert: you're not buying the band's t-shirt because of its quality, you're buying it because you love the band and the show. The context of that purchase means more than the product itself.

To get less philosophical, put in some effort and make something people will be proud to show off!

Make something everyone wants, not just engineering

For most companies using SevHunt, engineering is the obvious audience for "bug hunters".

However, if you only target them you're going to miss out on so many "bugs" that exist outside of your code. If you want to hear about shared credentials, privacy violations, and rogue SaaS, you have to expand your scope!

So, when you develop your product lineup, think of a wider audience. Everyone loves a hat, not everyone loves a cyberdeck (although you can always offer both).

Don't be afraid to spend

The economics of running an Internal Bug Bounty are interesting - in an external program you may have a payout table like:

Severity   Reward
Low        $250
Medium     $500
High       $2,000
Critical   $8,000

Now think about your rewards - if your most expensive item is $200 a unit, you're operating at 20%-4000% less spend per report than that table.

We're not saying your Store in SevHunt has to mimic your external payouts, but you should consider raising the quality bar for the products you offer.

Avoid purely decorative paper weights

Usability is a big part of making desirable merch. There's only so much desk space for your employees, and unless you're offering one heck of a ceramic cat your swag should probably have a purpose.

Clothing is a clear winner here, but kitchenware, home office equipment, sporting goods, and pet toys are also nicely repeatable purchases.

Work with local artists

There are a lot of talented people in your city who would love the opportunity to make something for you, and it doesn't really get more exclusive and desirable than "hand made". If you're not sure where to start, ask an artist! If there's not a weekly market in your area, there's likely a Facebook group you can pop into.

Set practical (point) pricing

The pricing in your store is surprisingly important. In SevHunt you can set a default point award per severity, for example "Low" may get 200 points, but "Critical" gets 2000 points.

In that example, your items should cost at least 200 points, and their prices should come in multiples that evenly divide into your point awards (e.g. multiples of 100).

By pricing items too low, you run the risk of employees buying up the whole store with only a few reports.

By pricing items too high, you may end up never giving away your most valuable merch.

So - consider your pricing carefully as you build out your store. If things don't feel right, you can always adjust amounts after you launch your program.

Guide employees with example reports and hunting tips

If running an Internal Bug Bounty program feels new to you, imagine how it feels for your employees. Without good guidance, you're not going to see people engaging with the program unless they're very self-motivated.

In SevHunt you can add documentation to your organization homepage's "Hunting Tips" tab. Hunting tips should include information about testing environments, rules of engagement, and example valid reports. It doesn't have to feel as exhaustive as an external program policy, but it should make your expectations for reports clear.

Most of your employees aren't going to log in to SevHunt on their own, so you'll need to get them reporting by advertising in company-wide meetings, chat, email newsletters, and everywhere else "the people" are.

This can feel a little daunting, and there's probably a point of fatigue that comes with posting too much, but here are some ideas for ways to advertise well:

Have a schedule for new product (reward) launches

Launching new rewards can help re-engage previous researchers, and it gives you an excuse to post about the program to your company.

Present findings and disclose your most severe reports

Just because someone isn't engaged with SevHunt doesn't mean they're not interested in the bug bounty - if you get a really interesting/severe finding, consider highlighting it in a company meeting or writing an internal blog post about it.

Have your top reporters advocate for you

Word of mouth is powerful - instead of doing all the legwork yourself, let your reporters advertise the program via write-ups, presentations, or bragging about their merch in chat.

Conclusion

You don't have to do everything above to be successful, but you will have to put some effort in to keep your employees engaged. Good luck out there and please contact us if you need more advice!