Read the book Corporate Cybersecurity - John Jackson - Page 56
2.11 Program Readiness
Bug bounty programs are an amazing security tool. A good program can provide valuable insight and help enterprises continuously test their assets. It is important to note, however, that a program can only be as effective as the program manager who configures it. Future program managers should learn to recognize the telltale signs that their organization is not yet ready to start a bug bounty program. As already stated, close communication between the various teams and a precise definition of expectations are essential when setting up a bug bounty program.
Going through the various risk assessment and information gathering processes to define the enterprise's security stance is not optional: it is a requirement. Enterprises cannot build a house without a foundation, and skipping advance risk-assessment exercises will undoubtedly result in the shoddiest of bug bounty programs. While a bug bounty program can be a useful way to identify vulnerabilities, it is not the be-all and end-all, and engineers or managers who attempt to set up a program without first evaluating the other aspects of their security posture might burn their enterprise. Recovering is possible, but it is far better to carefully prepare and evaluate security gaps before launching a program. Even a limited bug bounty program can leave security researchers frustrated if communication gaps are not closed before researchers are invited to participate.