FAQ
What is a Bug Bounty Program?
A Bug Bounty Program is a crowdsourced initiative that rewards individuals (security researchers) for independently discovering and reporting software bugs (vulnerabilities, exploits, etc.) in an organization’s Internet-connected assets and applications. Bug bounties are often initiated by security teams to supplement internal code audits and third-party penetration tests. The diverse nature and sheer numbers of a crowdsourced security approach allow more in-depth testing and add additional layers of security to an organization’s overall vulnerability management strategy.
The National Bug Bounty Program provides a monetary reward to security researchers who report a “bug” or software vulnerability. Rewards can range from USD 100.00 to several thousand USD or more, depending on the impact and severity of the vulnerability. The National Bug Bounty Program pays security researchers 100% of the bounties earned to ensure proper incentives within the ecosystem.
What is a Vulnerability Disclosure Program?
Vulnerability disclosure programs give security researchers a way to report bugs and provide organizations a way to find and recognize these submissions. Most often, this recognition is in the form of kudos, swag or points.
What is the difference between public and private programs?
A Private Bug Bounty Program is invitation-only and not publicized on the public-facing portions of the National Bug Bounty Program's website. Only researchers who have been vetted are invited to participate in private programs, offering more control and specificity. Private programs provide a limited scope, allowing organizations to grow their programs slowly and quietly while still realizing the benefits of a crowdsourced approach.
A Public Bug Bounty Program is open to all security researchers worldwide who have registered and been accepted into the program. A public program allows companies to proactively market an aspect of their security operations, build a tighter relationship with the security research community, and elicit submissions from the largest crowd possible.
How do bug bounties fit with traditional security assessment methods?
For the Cyber Security Council National Bug Bounty Program, we believe that a layered approach to security is best. For many organizations, running a variety of vulnerability scanners and penetration tests is a general security best practice. It’s also no secret that, no matter how advanced, automation only goes so far: it finds only what it knows. Penetration tests have a place in many security programs but are limited in perspective and in time and effort. Bug bounties complement any mature security program, filling the gap left by scanners and exponentially improving the probability of finding results.
What types of things can your Cyber Security Council National Bug Bounty Program test?
We can test anything programmed with code. Our Cyber Security Council National Bug Bounty Program security researchers love testing mobile apps, web apps, hardware, IoT, and everything in between!
How do you screen security researchers?
The UAE Cyber Security Council National Bug Bounty Program applies a very specialized vetting process. Anyone can sign up to be a security researcher. Participating in the UAE Cyber Security Council National Bug Bounty Program, however, requires the security researcher to pass a rigorous selection process run by our qualified cybersecurity experts. From a high-level perspective, the selection is a three-step process. Step One: we validate the security researcher’s experience and background. Step Two: the security researcher is evaluated on both their technical skills and their performance on several challenges delivered via our Learning Management System. Step Three: the security researcher has to complete “Know Your Customer” and identity validation, which requires each security researcher to provide personally identifiable information (personal and financial) and a valid tax status in order to join the community and to receive rewards. For certain specific bug bounty programs, you may also be asked to provide a detailed criminal background check and undergo further technical assessment to establish your skill level.
Why would an organization invite security researchers to break into their software?
Bug bounty and vulnerability disclosure programs have been proven to deliver excellent results in finding and fixing vulnerabilities. Our Cyber Security Council National Bug Bounty Program anticipates identifying critical vulnerabilities, since no application or system is free of errors or oversights. White hat security researchers are always looking for vulnerabilities, whether invited or not. By providing them with:
1) a way to report these vulnerabilities, and
2) a reward for doing so, organizations can benefit from continuous testing, while paying only for results.
Granting permission for security researchers to test software and systems is a great way to receive more vulnerability findings, giving your organization more knowledge and control, and ultimately reducing risk.
Are these security researchers trustworthy?
Clear rules of engagement are provided to all researchers, including out-of-scope activities and unauthorized activities. If researchers intentionally violate these rules of engagement, they can be removed from participation in future bug bounties. As participation increases and we build a mutually beneficial relationship with the security researcher community, trust also increases.
In our Cyber Security Council National Bug Bounty Program, we have some of the most talented security researchers in the world. Moreover, many of these researchers bug hunt on the side, maintaining full-time jobs as penetration testers, security engineers, and developers. The bug bounty model leverages a volume of skilled researchers to yield more and better results. For customers that require more specific skill sets, we run private programs with a curated, skills-vetted crowd. If a client has country-specific requirements for researchers, this can be assessed.
How are researchers compensated for their services?
The UAE Cyber Security Council National Bug Bounty Program manages payments to researchers who are the first to successfully identify unique vulnerabilities that are in scope of the Bug Bounty Program, following review and approval by the customer (service owner). At the outset of a Bug Bounty Program, the customer will establish and fund a “Rewards Pool” from which the UAE National Bug Bounty Program will pay out rewards to successful researchers. Other non-monetary forms of payment may apply, including recognition by the researcher community on the UAE National Bug Bounty Program's Wall of Fame & Monthly Leader Boards. The UAE National Bug Bounty Program compensates security researchers 100% of the bounties earned to ensure proper incentives within the ecosystem.
Are the bugs found by the researcher community kept confidential?
The default provision of all Bug Bounty Programs is that all discovered vulnerabilities must be kept confidential. Customers may choose to allow public disclosure of vulnerabilities of general interest following mitigation, at the customer’s discretion, and are encouraged to consider this option but are not compelled to do so.
Bounties are evaluated based on the overall severity of the security vulnerability. One widely used metric for evaluating the severity of a security vulnerability is the Common Vulnerability Scoring System (CVSS). Reports are marked with a severity rating on the report submission form to show how severe the vulnerability is. Severity is particularly useful for structuring bounty ranges and is used when offering bounty recommendations. The severity level can be marked as Informative, Low, Medium, High or Critical.
The UAE Cyber Security Council National Bug Bounty Program also utilizes CVSS, an industry-standard calculator used to determine the severity of a bug. CVSS provides a common language around the severity of bugs.