Bug Bounty from a CISO perspective: Value, responsibility and collaboration

Christophe Monigadon, Chief Information Security Officer at the Swiss National Science Foundation (SNSF), shares his experiences with bug bounty programs, internal challenges, and why the effort is worthwhile.


Christophe, to start, can you briefly tell us about the Swiss National Science Foundation? What exactly does your organization do?

The Swiss National Science Foundation (SNSF) is a private foundation funded by the Swiss Confederation. Our mission is to promote scientific research in Switzerland. Researchers submit applications to us, which are evaluated by internal and external experts. Based on these assessments, the relevant SNSF committees decide on the allocation of funding. This process is managed via a digital platform that we continuously develop.

Why did you decide to go with a bug bounty program?

For us, bug bounty is a valuable complement to traditional penetration testing.

A penetration test is always very focused and limited in time. In a bug bounty program, on the other hand, you are continuously testing.

At the same time, you benefit from the diversity of expertise involved. In a traditional penetration test, findings are explored in a more targeted way. With bug bounty, you gain insights you might not otherwise discover.

For us, it is a very valuable addition to existing measures.

What was the biggest challenge for you at the beginning?

You are introducing a new approach alongside traditional penetration testing, which is already carried out regularly. That needs to be well communicated internally.

Once there is a shared understanding of the value, things become much easier.

A penetration test is always time-limited. In a bug bounty program, you are continuously testing.
Christophe Monigadon, Chief Information Security Officer, Swiss National Science Foundation (SNSF)

What role do you play as a customer in the program?

It is important not to underestimate that you still carry internal responsibility. We have an obligation to review and process findings.

GObugfree handles validation and triage of submissions. However, responsibility for internal evaluation and remediation lies with us as the customer. This is not something you can fully delegate.

And because the program runs continuously, you also need to ensure the necessary resources are available on an ongoing basis.

How does the collaboration work in practice?

We use a shared platform and are notified about new findings.

After pre-validation by GObugfree, our experts review the reports and decide how to proceed.

Thanks to the pre-validation by GObugfree, we only receive findings that are worth taking a closer look at. That makes our day-to-day work much easier.

We have a common denominator. We are talking about the same things. The method creates a shared basis and makes collaboration with developers much easier for me as a CISO.
Christophe Monigadon, Chief Information Security Officer, Swiss National Science Foundation (SNSF)

What concrete benefits does the program bring to your day-to-day work?

The program brings several tangible benefits in everyday operations. For example, it helps me collaborate more directly with our developers.

We have a common denominator and speak the same language. The method creates a shared foundation and makes my work significantly easier.

Why did you choose to work with GObugfree?

An important factor for us was the end-to-end service. We can rely on GObugfree to handle the validation of findings, while we take care of the remaining processes.

What would you recommend to organizations considering a bug bounty program?

A bug bounty program needs to be well prepared. Organizations must be ready to allocate the necessary internal resources to review and process findings.

Under these conditions, a bug bounty program delivers real added value, especially because it uncovers new insights through an exploratory approach and reveals issues that might otherwise remain hidden.