I work for a B2B SaaS startup that doesn't have a lot of money (we're 6 people, 2 developers, have about 6 months of runway, and $25K monthly revenue, < 50 customers).

Common advice that I've seen for small companies/startups is to "do enough" for security (a balance of risk/reward). For us, however, it's at the forefront of our thinking when we're writing code (e.g. we include a security review as an explicit step in our code merge review process, we only use prepared SQL statements, etc.).

Recently a security researcher contacted us about a few vulnerabilities. I told them we don't have an official bounty program, but we're willing to compensate. I said that Slack's program could be a guide of how we could pay (it really depends on the issue and the impact/risk to our business).

The first reported issue was a CSRF attack that could allow a victim to accidentally add the attacker to their account and give them full admin access to the victim's account. This was a PoC since it needs a little bit of work to exploit. We believed that if exploited, it could expose all of our users' data. Even though it was a PoC, it could potentially destroy our business. We rewarded them $500 as well as mailed some swag. When we went to pay them, they requested $550 because of PayPal fees. I told them that if we were listed on a site like HackerOne, PayPal would still take out fees regardless of the amount.

They reported an issue for an IDOR attack that could allow any authenticated attacker to "disable" any user in our application. Disabling a user in our application just sets a flag that they can't log in. This attack doesn't disclose any information, and is easily reversible. Right now, we believe that the actual business impact/risk is very low (since it can be reversed and doesn't expose customer data). We fixed this vulnerability immediately. The security researcher was very pushy with their expected reward in their initial report. They quoted $15000 for an IDOR attack on Uber, and $1500 from Slack. I responded and said we're going to internally discuss the reward because we feel the impact is low. They sent a response saying how critical this issue is and how it can cause havoc on our business. English isn't this person's first language (and the reports are dramatic/low quality in terms of communication), but I've cut through that and only focused on the business impact (not the report/reporter).

We want to encourage vulnerability reports and we want to reward/compensate reporters at market rates. However, we don't have a lot of money since we're a startup without any investment. I'm having a large internal struggle between compensating for vulnerabilities and being out of jobs because our money is going to payouts for vulnerabilities. We don't want to pay nothing, but we want to encourage white hat reports.

Right now, I'm in the mindset of "pay what we feel it's worth for the risk/impact to the business". For the second vulnerability, we discussed it and settled on $150. When we sent a response with our amount, they tried to haggle us to $500, and then $300, claiming it's unfair.

What advice would you give a small company for creating/maintaining a bug bounty program?

flerb
  • Perhaps you should enable a program for casual researcher, prepare your program under an isolated environment for pen-testing. – mootmoot Jul 10 '17 at 15:09
  • @mootmoot Sure. But how does that help with the pushy behavior of this person and paying out rewards when we don't have a lot of money. – Startup Security Jul 10 '17 at 15:38
  • 1
    The pushy behaviour is sounding more like racketeering to be honest. I would set in your terms and conditions what your policy is on vulnerability disclosure. In there you should cap a maximum you are willing to pay out on any. If the pen tester then preceeds to demand money that is over this limit you can indeed claim they broke your terms and conditions of use and potentially commited an illegal act. Don't get me wrong I think disclosing vulnerabilities to companies is a great thing, but there has to be some control on this. – ISMSDEV Jul 10 '17 at 15:43
  • 1
    @ISMSDEV We considered it racketeering too... it feels very hostile right now. We've stayed firm with paying $150. We never *had* a policy about a vulnerability disclosure program (but it's something we're looking to add now). I'm all for setting up the rules for a program... but it's sort of weird because we don't have official rules in place. The good news is that we have this person's full name, mobile number, and address... so if they go rogue we can *try* to report them. But, emotionally it's still very uneasy for me. I've never had to deal with something like this. – Startup Security Jul 10 '17 at 15:49
  • 3
    Not sure why this question got a close vote as off-topic. Rather, it seems to be the first time the `[bug-bounty]` tag is actually used correctly. – Arminius Jul 10 '17 at 17:29
  • 1
    I disagree with this question being put on hold. The general question is how a small company can deal with a bug bounty program and I provided contextual background information. – Startup Security Jul 10 '17 at 19:18
  • According to what's [on topic](https://security.stackexchange.com/help/on-topic) here, this includes **incident response**, **policies**, **risk management**. What about this question can be improved to ensure answers aren't primarily opinion-based? This question is asking for [security best practices](https://security.stackexchange.com/search?q=best+practice) for a small company. – Startup Security Jul 10 '17 at 19:32
  • 3
    @StartupSecurity SecuritySE is pretty sensitive about questions that seem like they can't be answered definitively. I personally like the question. Maybe instead of asking about "how should a startup...", you could rephrase it along the lines of "what are possible/established ways to...", "how do others solve this", "what are advantages and disadvantages of...", etc. Not sure if that will be successful, though. You might want to raise the issue on meta, too. – Arminius Jul 10 '17 at 19:47
  • 2
    You consider 'loss of all user data' very valuable, and 'accounts being disabled' as much less valuable, but looking around at response to real world incidents it feels like "*I can't login / the service doesn't work*" is an enormous problem for people and makes people leave services, but "*my data was leaked*" is effectively a non-issue, and they probably won't ever even find out it happened. "*we feel the impact is low*" - realistically, which one will cause more support calls? More complaints? All your users can't login, or you send a 'newsletter' about a breach .. which they don't read? – TessellatingHeckler Jul 10 '17 at 19:47
  • Have you considered hiring a security expert to review your security and code? – zaph Jul 10 '17 at 19:52
  • @TessellatingHeckler The short-term impact of not being able to log in will of course generate lots of support calls. But it's a problem that is similar for our small business to a DoS attack. However, our customers, which are businesses that post internal company information to our service, definitely care about their data more than about users not being able to use the service. We're a small company. If we had a data breach at this age of our company it would most likely kill our business. Also, we're still very new to this; we're learning. – Startup Security Jul 10 '17 at 19:58
  • 1
    @zaph We have considered hiring a security expert. We're still not sure it's worth the huge cost right now. It's one of those things that we'll do when we can afford it as a small business. For now, we use [Detectify](https://detectify.com/) and, as much as possible, hack ourselves during our merge requests. Big companies have it much easier because they can relatively easily spend money which we just don't have. – Startup Security Jul 10 '17 at 20:07
  • 1. Well, you know how to value your business. 2. It is not necessarily a huge cost. 3. Have you told your users that you have exploits and have not had your code vetted by a security expert? 4. In the current issue of "Communications of the ACM" [Vint Cerf](https://en.wikipedia.org/wiki/Vint_Cerf) (you may have heard of him) writes and mentions "ethical responsibility", which seems to fit this decision. You know what the right thing to do is: [Just Do It](https://www.youtube.com/watch?v=ZXsQAXx_ao0). – zaph Jul 10 '17 at 20:23
  • Besides bugcrowd as mentioned by @John Deters, you should also look into VPN for B2B. – mootmoot Jul 11 '17 at 06:58

1 Answer

It may not help with your current situation, but consider registering with someone like bugcrowd and posting your reward range. If someone contacts you asking for something over and above your posted range, politely redirect them to your bounty page and let them know that's all you can afford.

Legitimate researchers will look at your site and decide whether or not your rewards are worth their time. Smaller rewards may mean less experienced testers will gravitate towards your site, but this way nobody will be surprised.

John Deters