“Bug bounty” programs are becoming more popular with developers, especially larger firms that can absorb the cost of paying out rewards. A couple of game studios have also adopted the approach, with Riot Games of League of Legends fame starting one up a few years ago. But how are such programs managed internally?
Riot information security engineer David Rook has both a video presentation and a blog post explaining how the game developer handles its program.
Surprisingly, it’s the written post that gives the condensed version, so if you just want an overview, start there. His five guiding principles:
1. Fight together, not with each other
2. Make researchers feel like part of the team
3. KISS (Keep It Simple, Stupid) when it comes to program scope
4. Value researchers’ time and reward them well
5. Build a world class program to attract the best researchers
The video provides a more in-depth look at Riot’s processes, with the focus on the day-to-day running of the program: triaging incoming reports, deciding what is in and out of scope, and paying researchers. Even if you’re only a smidge curious, it’s definitely worth a watch.
RUNNING A BUG BOUNTY PROGRAM [Riot Games]