Bug Bounty Program Recommendation

Instructions:

You work for a company that designs and markets internet-connected devices. With fewer than 100 employees and $500 million in revenue per year, the company is relatively small, but it is agile and growing quickly. Five years ago, the company introduced its first product: an internet-connected baby monitor. When the camera is switched on, the video feed is transmitted to cloud computing servers that are leased by the company. Consumers can log in to this feed using the company’s smartphone and tablet app to view the live video feed. They can also access up to three days’ worth of stored video from the servers. The baby monitor is sold exclusively on the company’s retail website, which collects and processes payments for product purchases. Like any other company of this kind, your company also collects and stores some information about its customers and their use of the baby monitor for marketing and product-development purposes.
While sitting in a meeting about the company’s future product pipeline, one of the product engineers asks the executive team, “Now that we have so many new internet-connected products planned in the future, is it time for us to create a ‘bug bounty’ program?”
The CEO replies, “That’s an interesting idea. Let’s give it some thought.”
Immediately following the meeting, the CEO emails you, “Can you write a memo explaining why we might want a bug bounty program? Also, how would we implement such a thing?”
Assignment: Drawing from the narrative above and prior course materials and discussions, conduct some internet-based research on bug bounty programs and draft a 4-5 page memo for the CEO. Assume the CEO does not have any prior experience with or background knowledge of bug bounty programs.
In addition, be sure to answer the following questions and explain your reasoning in your memo:
• What is a bug bounty program? What are the benefits to the company of having one? What are its limitations?
• What is the connection between bug bounty programs and the Computer Fraud and Abuse Act? Consider the perspectives of the company and independent security researchers.
• When is the right time to create a bug bounty program?
• How are bug bounty programs typically structured?
• What, if any, obligations does a bug bounty program impose on the company? Relatedly, how might the existence of the bug bounty program impact other existing security policies or procedures at the company (e.g., vulnerability management policies)?
• Identify one or two notable controversies involving bug bounty programs and comment on what your company can learn from them.
• Based on what you know about the company and its products, what areas and factors should the company consider if it decides to implement a bug bounty program? How should the company scope the program around its products and services?
• Any additional information you might need to create an effective bug bounty policy?
Research tips: Bug bounty programs are also sometimes called “vulnerability disclosure programs” or “coordinated disclosure programs.” While you should have no trouble finding reliable information online, here are some useful resources to get you started:
• In July 2017, the Department of Justice’s Cybersecurity Unit published “A Framework for a Vulnerability Disclosure Program for Online Systems.”
• The Software Engineering Institute at Carnegie Mellon University has published an extensive guide, titled the “CERT Guide to Coordinated Vulnerability Disclosure.”
• Major regulatory agencies, including the Federal Trade Commission, the Department of Commerce’s National Telecommunications and Information Administration (NTIA), and others have occasionally commented on the nature of bug bounty programs.
• Bug bounty programs are also the focus of a large number of academic publications.

Sample Content Preview:

Bug Bounty Program Memo
Student’s Name
Institutional Affiliation
Course
Professor’s Name
Due Date
Date: December 15, 2023
To: The Chief Executive Officer
From: Product Engineer
Subject: Bug Bounty Program Recommendation
A bug bounty program can be defined as a policy for coordinating vulnerability disclosure efforts that entails collecting information from vulnerability researchers, coordinating information sharing between the relevant stakeholders, and sharing the existence of a software vulnerability and its corrective measures with the right stakeholders, including the public (Householder et al., 2017). Given its investment in designing and marketing internet-connected devices, our company can reap several benefits from having a bug bounty program. The policy improves an organization’s capability to identify security problems within its networks that could undermine data security measures and disrupt the delivery of services. Since a bug bounty program is a formalized approach to security vulnerability disclosure, it helps the organization to clearly define how it will accept information concerning security issues and the methodologies for disclosing such information to the relevant stakeholders. It is also beneficial in ensuring that the organization clearly outlines the authorized approaches employed to identify vulnerabilities within its information systems, products, and services (U.S. Department of Justice, 2017). The biggest limitation of bug bounty programs is having to hand over parts of your application to external testers. Whereas bug bounty hunters offer valuable insights, these programs raise data integrity and control issues with the potential of exposing sensitive data (Galah Cyber, 2023).
Bug bounty programs are connected to the Computer Fraud and Abuse Act in that they impose legal responsibilities on the organization concerning the consequences of compliance or non-compliance with the policy. For example, it may be necessary for the program to state that the company will not pursue legal suits for accidental, good-faith violations or initiate complaints with law enforcement agencies over unintentional

...