After the first vulnerability is discovered, companies usually have that "Oh my!" moment, and will continue on with deeper testing. Ellis said, "This means that you've progressed in your organization. At that point you have fewer bugs."
How do I pitch this to my team and my management?
Ellis said, "Advocates for us are usually quite progressive in how they think" because they aren't looking to make headlines or have notable sound bites. They want to actually improve the outcomes. The question then becomes, "How do you empower the individual to tell that story? There is some stuff that is novel," said Ellis.
In order to be taken seriously, it is most important to be able to clearly articulate the problems. "Look at it from the angle of do we feel like we are getting ROI and bang for our buck? If yes, then why are we settling for that? Is there a way we can improve?" said Ellis.
Money is a language executives and board members understand. Ellis said, "What they are asking is actually 'here are these budget line items that we've had for years. How do we get better benefit from it? How do we assess the alternatives to do vulnerability discovery?'" If you gain an understanding of what is being spent on programs that have an analogous outcome, you can broach the topic with more confidence.
In bringing the bug bounty conversation to the table, you need to be prepared for what has traditionally been the biggest hurdle for companies to get over: the perception of risk around this model.
You might find some success by weighing risk against reward. The risk is engaging a new idea: trusting people from the outside. To assuage those concerns, Bugcrowd has added tiers of trust, Ellis said. "If the vulnerability is there, you can't control what an adversary is going to do, you can only control where you are vulnerable," he continued.
Trust the skills and knowledge that got you to the job, and as Bastian so many times said to Atreyu, "Be confident!"