Barracuda Networks Research Scientist Daniel Peck previews his BSidesSF talk on what the company learned in the first 90 days of its Bug Bounty program. There have been bumps along the way.

It’s been about 90 days since Barracuda Networks became the latest company to launch a bug bounty program, and there have been bumps along the way.

Daniel Peck, a research scientist with the company, will explain how things didn’t always go as expected during a BSidesSF talk next week called “Lessons Learned from Running a Bug Bounty Program.” Though not a failure by any stretch, Peck told CSO there have been glitches Barracuda needed to learn from. He’ll outline some of the improvements designed to make the program more successful.

Since early November, Barracuda Labs has been soliciting and rewarding security researchers for finding vulnerabilities in Barracuda security appliances. It’s not the first bug bounty program by any means. Google has a program of its own, and last month paid a bug hunter a record $3,133 for reporting a single bug in Chrome.

One of the first observations at Barracuda was that the flow of data was lighter than expected, Peck said. “We didn’t see the level of bugs that we expected, and we’re not totally sure of why that is,” Peck said, noting that 15 separate e-mailed submissions covering a total of 32 bugs came in during the first 90 days. “We expected a wider variety of bugs, but what we’ve seen are exclusively web app bugs.”

One reason for the lack of variety could be a lack of access to Barracuda technology, he said. To remedy that, the company plans to set up a hacking lab this year. Researchers will have access to Barracuda products for testing in scheduled time blocks.

Another lesson is that hackers tend to live by their own rules and schedules, Peck said. As a result, some submissions had to be tossed out for not adhering to the Barracuda guidelines. “Hackers are not known for following directions, and some of what came in was not in scope,” Peck said. “We should have been better prepared for that.”

Meanwhile, internal communications on the bounty program were somewhat turbulent, Peck said. While there was buy-in from all the departments prior to launch, expectations of what it would involve differed in some departments. “We learned you have to make sure everyone internally is on board. We launched this quickly and had the buy-in, but some questions weren’t addressed on the developer and QA side; not enough explanation of what the program was about and how they could benefit from it. There was some trepidation among developers about opening this stuff up.”

With all this in mind, Peck said, the talk will be about what Barracuda learned about its limitations and will include tips on how researchers can have more success with the program.