Cybersecurity is a property of computer systems, much like performance and energy use. Attackers take a holistic view and will attack any component or interface of a system. To mitigate the risk of cyber-attacks, we should not simply trust the TCB (trusted computing base), and security should be involved in all stages of the development and deployment cycle.
Most companies, including e-commerce companies, run bug bounty programs both internally, by involving employees across teams, and externally, by engaging security researchers. An internal bug bounty program targeted at reducing the number of easily exploitable vulnerabilities is a great mechanism for reducing insider threat.
We should plan for an internal program, which saves cost; a recent study found undetected insider threats present in 100% of businesses. These threats are not necessarily malicious: developers can inadvertently create problems due to a lack of security knowledge (multiparty computation, etc.).
What is a bug bounty program?

A program where ethical hackers are invited to report security vulnerabilities to organizations, in exchange for monetary rewards for useful submissions. Bug bounties are commonly seen as the most effective and inexpensive way to identify vulnerabilities in live systems and products.
Advantages of the program

External penetration tests are expensive and require that testing personnel be well acquainted with the product under evaluation. Having all internal employees on board to search for security bugs within a codebase they work with on a daily basis is far easier and brings tremendous benefits: no time is spent beforehand understanding the environment.
While participating in the program, employees learn to think about security-related topics and begin to view system functionalities / source code from a different perspective. The opportunity to see the findings of colleagues can inspire others to work harder at unearthing vulnerabilities.
Eligibility requirements

To ensure that submissions are fair and relevant, the following eligibility requirements and guidelines apply to all researchers submitting bug reports:
  • All bugs must be new discoveries.
  • The researcher submitting the bug must not be the author of the vulnerable code / functionalities.
The criteria for reporting bugs are as follows:
Bugs that are eligible for submission:

  • Authentication bypass
  • Bugs on yourdomain.com
  • Bugs on the mobile app
  • Cross-site request forgery
  • Cross-site scripting (XSS)
  • Potential for information disclosure
  • Remote code execution

Bugs that are not eligible for submission:

  • Bugs that only affect legacy or unsupported browsers, plugins or operating systems
  • Bugs on applications that are not operated / managed by us
  • Previously submitted bugs
Rewards: monetary rewards create healthy competition in which all participants work to earn them.
Security needs to stop being an afterthought of the production line.