Barracuda Networks Research Scientist Daniel Peck previews his BSidesSF talk on what the company learned in the first 90 days of its Bug Bounty program. There have been bumps along the way.

It’s been about 90 days since Barracuda Networks became the latest company to launch a bug bounty program, and there have been bumps along the way.

Daniel Peck, a research scientist with the company, will explain how things didn’t always go as expected during a BSidesSF talk next week called “Lessons Learned from Running a Bug Bounty Program.” Though not a failure by any stretch, Peck told CSO there have been glitches Barracuda needed to learn from. He’ll outline some of the improvements designed to make the program more successful.

Since early November, Barracuda Labs has been soliciting and rewarding security researchers for finding vulnerabilities in Barracuda security appliances. It’s not the first bug bounty program by any means. Google has a program of its own, and last month paid a bug hunter a record $3,133 for reporting a single bug in Chrome.

One of the first observations at Barracuda was that the flow of data was lighter than expected, Peck said. “We didn’t see the level of bugs that we expected, and we’re not totally sure of why that is,” Peck said, noting that 15 separate e-mailed submissions covering a total of 32 bugs came in during the first 90 days. “We expected a wider variety of bugs, but what we’ve seen are exclusively web app bugs.”

One reason for the lack of variety could be a lack of access to Barracuda technology, he said. To remedy that, the company plans to set up a hacking lab this year. Researchers will have access to Barracuda products for testing in scheduled time blocks.

Another lesson is that hackers tend to live by their own rules and schedules, Peck said. As a result, some submissions had to be tossed out for not adhering to the Barracuda guidelines. “Hackers are not known for following directions, and some of what came in was not in scope,” Peck said.
“We should have been better prepared for that.”

Meanwhile, internal communications on the bounty program were somewhat turbulent, Peck said. While there was buy-in from all the departments prior to launch, expectations of what it would involve differed in some departments. “We learned you have to make sure everyone internally is on board. We launched this quickly and had the buy-in, but some questions weren’t addressed on the developer and QA side; not enough explanation of what the program was about and how they could benefit from it. There was some trepidation among developers about opening this stuff up.”

With all this in mind, Peck said, the talk will be about what Barracuda learned about its limitations and will include tips on how researchers can have more success with the program.