Barracuda Networks: Bug bounty program not without bumps

It’s been about 90 days since Barracuda Networks became the latest company to launch a bug bounty program, and there have been bumps along the way.

Daniel Peck, a research scientist with the company, will explain how things didn’t always go as expected during a BSidesSF talk next week called “Lessons Learned from Running a Bug Bounty Program.” Though not a failure by any stretch, Peck told CSO there have been glitches Barracuda needed to learn from. He’ll outline some of the improvements designed to make the program more successful.

Since early November, Barracuda Labs has been soliciting and rewarding security researchers for finding vulnerabilities in Barracuda security appliances. It’s not the first bug bounty program by any means. Google has a program of its own, and last month paid a bug hunter a record $3,133 for reporting a single bug in Chrome.

One of the first observations at Barracuda was that the flow of data was lighter than expected, Peck said.

“We didn’t see level of bugs that we expected, and we’re not totally sure of why that is,” Peck said, noting that 15 separate e-mailed submissions covering a total of 32 bugs came in during the first 90 days. “We expected a wider variety of bugs, but what we’ve seen are exclusively web app bugs.”

One reason for the lack of variety could be a lack of access to Barracuda technology, he said. To remedy that, the company plans to set up a hacking lab this year. Researchers will have access to Barracuda products for testing in scheduled time blocks.

Another lesson is that hackers tend to live by their own rules and schedules, Peck said. As a result, some submissions had to be tossed out for not adhering to the Barracuda guidelines. “Hackers are not known for following directions, and some of what came in was not in scope,” Peck said. “We should have been better prepared for that.”

Meanwhile, internal communications on the bounty program were somewhat turbulent, Peck said. While there was buy-in from all the departments prior to launch, expectations of what it would involve differed in some departments.

“We learned you have to make sure everyone internally is on board. We launched this quickly and had the buy-in, but some questions weren’t addressed on the developer and QA side; not enough explanation of what the program was about and how they could benefit from it. There was some trepidation among developers about opening this stuff up.”

With all this in mind, Peck said, the talk will be about what Barracuda learned about its limitations and will include tips on how researchers can have more success with the program.