Bug Bounty programs or "Bug Bounties" encourage reporters, including vulnerability finders, researchers, ethical hackers, and so on, to submit vulnerabilities to an organization, typically for monetary rewards. Simply put, a Bug Bounty program is a supporting function of an existing Vulnerability Disclosure Program (VDP). Organizations reap the benefits of VDPs and Bug Bounty programs because they allow a diverse group of folks outside of an organization to test for vulnerabilities. The following are a few frequently asked questions about Bug Bounty programs at Cisco.
Q: What is the difference between private and public bug bounty programs?
When organizations create a bug bounty, they can choose to run it privately or publicly. A private bug bounty allows an organization to invite specific researchers into the program. Because there are a limited number of reporters at any given time, the volume of vulnerability reports is typically lower. Organizations just starting out may opt for a private program before a public program due to the lower volume of reporting. Private programs that vet their participants may also offer more controls and higher quality findings.
Public programs, on the other hand, are open to any vulnerability reporter because public bug bounty programs are not invitation only. Organizations should be prepared for a spike in reports if they move from a private to public program.
Q: Does Cisco have a bug bounty program?
Most of the bug bounties at Cisco are private and managed by different bug bounty platforms such as HackerOne and Bugcrowd. Several Cisco product teams currently have bug bounty programs:
Q: I am a security researcher; how can I participate in a Cisco bug bounty program?
Security researchers can participate in the public bug bounty programs of Kenna Security, Meraki, and ThousandEyes. Cisco private bug bounty programs are managed by different bug bounty platforms, and security researchers are privately invited by those providers.
Q: How does Cisco disclose vulnerabilities found in bug bounty programs?
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.