SecTemplates.com

Made two updates to the bug bounty pack to clarify researcher payouts, and a small disclaimer on not kicking off a bounty as your first security step.

GitHub: https://github.com/securitytemplates/sectemplates/tree/main/bug-bounty/v1

Updates: https://github.com/securitytemplates/sectemplates/blob/main/bug-bounty/v1/UPDATES.md

Bug Bounty v1 Announcement: https://www.sectemplates.com/2024/07/announcing-the-bug-bounty-program-pack-10.html

Introduction

Several times in my enterprise security career I experienced challenges when it came to security defect/vulnerability handling and management.

1. When I joined eBay in 2006, the security team was fairly small and I recall filing a cross-site scripting vulnerability to an engineering team with a specific priority level. However, another coworker from a different team was consulted on the issue and indicated that the priority was lower. It quickly became apparent that within the security team, we lacked a common agreement on how priorities should be set or how vulnerabilities should be managed and responded to.
2. When I joined Paypal the security team was about 5 people, and I joined as the first application security engineer. During my tenure there I had to build what would now be called a 'vulnerability management program' from scratch. Through trial and error an initial program was developed. I touched on aspects of the program I built back in 2009, and again in more comprehensively in 2011 on one of my other side projects. 
3. When I lead application security at Box Inc, it was more of the same, we had similar challenges and had to create a program from scratch. Some of our solutions involved automation, much of which will be discussed in this program pack.
   

Having spoken with many peers who have built, or own enterprise vulnerability management programs, many of them are utilizing simplified versions of more comprehensive programs others have blogged about.  During these interviews with my peers it became obvious that most of us weren't doing anything fancy, and most of us were doing far less than larger, more mature companies.

At every company I've worked at with a VM program, there have been many 'gotchas' that slowed things down and caused headaches. The goal of this release pack is to share what I have found to work well enough to establish a minimal vulnerability management program, and get you from 0-1.

- Robert Auger (@robertauger)

Vulnerability Management Program Pack 1.0

Welcome to the Vulnerability Management Program Pack. The goal of this release is to provide all the necessary resources to establish and set up a fully functioning vulnerability management program at your company.

In this pack, we cover:

Vulnerability Level Definitions: This document outlines vulnerability severity levels to help your company consistently evaluate and prioritize discovered issues. It also provides standard remediation SLAs as a baseline for setting remediation expectations.
Vulnerability Reporting Requirements: This document describes the minimal information needed in a vulnerability report to support evaluation and prioritization. It also includes examples of automation that can be used to report vulnerability remediation expectations to risk owners.
Vulnerability Program Preparation Checklist: This checklist provides a step-by-step guide to researching, piloting, testing, and rolling out vulnerability tracking at your company. It also discusses examples of automation for tracking vulnerability ticket health and oversight.
Vulnerability Management Process Diagram: This diagram outlines the various steps to perform when automation runs, ensuring stakeholders are well-supported and ticket health is properly managed. It aligns with the content in the Vulnerability Program Preparation Checklist.
Vulnerability Management Runbook: This runbook contains the steps outlined in the process diagram as a checklist, with a strong focus on ticket health oversight and stakeholder support.
Vulnerability Management Metrics: This document outlines common, baseline metrics for managing vulnerabilities at your company.

Download on Github:

https://github.com/securitytemplates/sectemplates/tree/main/vulnerability-management/v1

To provide simplified, free, and usable open-source templates to enable engineering and smaller security teams to bootstrap security capabilities in their organizations.

Introduction

I have participated in, and built bug bounty programs at companies such as PayPal and Box and supported similar programs at several other companies. Below is part of a whiteboard session from 2012, conducted before launching PayPal's bug bounty program, where we were determining payout amounts and the logistics of compensating researchers.

At that time bug bounty providers like Bugcrowd or HackerOne, were just starting and unknown, so we had to manage all the details ourselves. We consulted with Google and Mozilla to understand the logistics of running a program, as it was relatively new and not much information was publicly available. Establishing a bug bounty program involves considerable effort and careful thought. There are numerous considerations beyond selecting a provider, many of which are often overlooked in public documentation. The goal of the Bug Bounty Program pack is to help people quickly ramp up on the topic, providing them with the necessary information to begin their journey and ultimately launch a program.

- Robert Auger (@robertauger)

Bug Bounty Program Release Pack 1.0

I'm pleased to announce our third release, the Bug Bounty Program release pack.  The goal of this release is to provide you with everything you need to establish a bug bounty program. This includes alignment with stakeholders, working with a vendor, establishing a private bug bounty, and ultimately moving to a public bug bounty. This release pack is not sponsored or influenced by any particular bug bounty vendor and is neutral to vendor biases and influence.

In this pack, we cover:

Preparation Checklist: This checklist provides every step required to research, pilot, test, roll out, and expand a bug bounty program at your company.
Reporting Requirements: This document outlines the required information you'll need from a security researcher or vulnerability reporter as part of a bug bounty program.
Sample Bug Bounty Policy: This document contains a sample bug bounty policy that you can copy, adjust, and publish on your site.
Submission Response Templates: This document provides copy/paste message/email templates that can be used to communicate with external security researchers for the most common scenarios.
Bug Bounty Process Workflows: This diagram outlines the various steps to perform once a bug bounty program is established and you start receiving vulnerability reports. From verifying the issue to pulling in stakeholders for support, managing incidents, and public notifications. It aligns roughly with the context in the bug bounty checklist.
Bug Bounty Runbook: A runbook the security team can use to ensure consistent steps are followed when a vulnerability report is received.
Bug Bounty Metrics: This file contains sample, baseline metrics for tracking your bug bounty program and reporting on it internally.

Download on GitHub:

https://github.com/securitytemplates/sectemplates/tree/main/bug-bounty/v1

To provide simplified, free, and usable open-source templates to enable engineering and smaller security teams to bootstrap security capabilities in their organizations.

Upcoming releases - Vulnerability Management Program Pack 1.0

Our vulnerability management program pack will provide you with everything to establish and setup a fully functioning vulnerability management program at your company.

Previous releases

External Penetration Testing release pack 1.0

This release contains everything you need to scope your first pentest, work with a vendor, execute, and get the types of reports you need from an external tester. This will enable you to perform your first product or infrastructure level penetration test, and provide you with a process moving forward for future engagements.

Download on GitHub: https://github.com/securitytemplates/sectemplates/tree/main/external-penetration-testing/v1/

The goal of this release is to provide you with everything you need to establish a functioning security incident response program at your company.

Download on GitHub: https://github.com/securitytemplates/sectemplates/tree/main/incident-response/v1

I have built out several penetration testing programs, both internally and externally at companies such as eBay, Paypal, and Box to name a few. Before you have the resources for an internal penetration testing program, you're going to need to work with external vendors to perform your testing. This release pack outlines the process I have used successfully, for more than a decade, for kicking off and managing an external pentest.

Robert Auger (@robertauger)

I'm pleased to announce our second release, the External Penetration Testing Program release pack. This release contains everything you need to scope your first pentest, work with a vendor, execute, and get the types of reports you need from an external tester. This will enable you to perform your first product or infrastructure level penetration test, and provide you with a process moving forward for future engagements.

In this pack, we cover:
Preparation Checklist: This checklist outlines everything you need to scope and perform an external penetration test with a third party.
Penetration Testing Reporting Requirements: This document provides a list of minimal requirements that should be contained within a penetration testing report. Before finalizing a SOW with the vendor, look here first.
Penetration Testing Process Workflow: An outline of a simplified pentesting process with an external tester. It aligns roughly with the content in the penetration testing checklist.

https://github.com/securitytemplates/sectemplates/tree/main/external-penetration-testing

To provide simplified, free, and usable open-source templates to enable engineering and smaller security teams to bootstrap security capabilities in their organizations.

Our bug bounty release pack will provide you with everything you'd need to establish a bugbounty program. This includes working with a vendor, establishing a private bug bounty, and ultimately moving to a public bug bounty. This release pack is not sponsored, or influenced by any particular bug bounty vendor and is neutral to vendor biases and influence.

The goal of this release is to provide you with everything you need to establish a functioning security incident response program at your company.

Download on GitHub: https://github.com/securitytemplates/sectemplates/tree/main/external-penetration-testing/v1 

I'm pleased to announce our first release, the Incident Response Program Pack. The goal of this release is to provide you with everything you need to establish a functioning security incident response program at your company.

In this pack, we cover

• Definitions: This document introduces sample terminology and roles during an incident, the various stakeholders who may need to be involved in supporting an incident, and sample incident severity rankings.
• Preparation Checklist: This checklist provides every step required to research, pilot, test, and roll out a functioning incident response program.
• Runbook: This runbook outlines the process a security team can use to ensure the right steps are followed during an incident, in a consistent manner.
• Process workflow: We provide a diagram outlining the steps to follow during an incident.
• Document Templates: Usable templates for tracking an incident and performing postmortems after one has concluded.
• Metrics: Starting metrics to measure an incident response program.

Download on GitHub:
https://github.com/securitytemplates/sectemplates/tree/main/incident-response/v1

Licensing
This project utilizes a modified creative commons license.

About SecTemplates
To provide simplified, free, and usable open-source templates to enable engineering and smaller security teams to bootstrap security capabilities in their organizations.

I'd like to announce the creation of sectemplates.com, a website where infosec professionals, and startup engineering teams lacking a security team, can find templates to help bootstrap their programs. The primary focus of this site will be to provide starting points for

• Runbooks
• Document templates
• Programs and their associated processes
• Useful security metrics

Templates are free to use for personal and commercial use, with the exception of including them in a product that's for sale.