The creation and management of test accounts play a pivotal role in preparation for bug bounty programs. This article addresses key considerations and potential challenges associated with creating test accounts, focusing on supporting bug bounty initiatives in both single and multi-tenancy software environments.
Considerations for Test Account Creation
Self-Registering
To streamline the testing process and save valuable team resources on your end, consider providing researchers with the ability to register their own test accounts. This empowers program participants to create accounts with minimal to no intervention from you, fostering a more efficient bug bounty program. Intigriti researchers have the option to sign up using their Intigriti email alias, which helps you identify the accounts they created.
Comprehensive User Role Testing
Consider offering accounts for all available user roles within the application to uncover potential vulnerabilities associated with varying levels of access. Thorough exploration of the different roles ensures comprehensive bug bounty testing results.
Multi-Tenancy
Establish an account sharing procedure that allows users to be created across tenant boundaries, so that cross-tenant attack cases can be tested as well.
Rapid or Automated Account Creation
Establish a process for fast and efficient creation of test accounts and credentials, ensuring scalability in case additional accounts are needed during bug bounty testing. This agility allows for a seamless transition from, for example, a private to a registered or public bounty program.
Security Measures and MFA
If you have implemented robust security measures for test accounts, including Multi-Factor Authentication (MFA), ensure that MFA tokens can be exchanged with the researchers in a straightforward way, so that access to the testing environment does not become unnecessarily complex.
Data Isolation and Testing Environment
Where possible, isolate test accounts from production data and offer dedicated test environments to prevent unintended interactions. This safeguards sensitive information and helps maintain the availability of test environments during bug bounty testing.
Personal Information
When setting up test accounts, careful consideration must be given to requirements related to personal information. While comprehensive testing is essential, it's crucial to balance the need for realism with user privacy concerns. Avoid requiring sensitive data such as credit card numbers, mobile verification, or real addresses for test accounts, to prevent any unintended exposure or misuse.
Cost Control
Introduce expenditure limits for functionality that creates actual cost, such as ordering services from third parties. Alternatively, block the feature for testing purposes or provide a demo setup with dummy purchases.
Account Rotation and Expiration
Provide a way to extend existing test accounts if they have an expiration date, or an option to retrieve a new account after a test account has fully expired.
Additional Best Practices
Data Residue
Establish processes to regularly clean up or reset data generated by test accounts, especially if your test environments cannot host large numbers of accounts and their user data. A clean testing environment also helps researchers focus on legitimate vulnerabilities. This is particularly important when shared accounts or environments are unavoidable.
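As an added illustration (not code from Intigriti or from this article), the following Python model ties together the rapid per-role, per-tenant creation described under Rapid or Automated Account Creation, the extend-or-reissue rule under Account Rotation and Expiration, and the residue clean-up described here. The role names, the 30-day lifetime, the username prefix and the in-memory store are assumptions standing in for your own account backend.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets

ROLES = ("viewer", "editor", "admin")  # assumed role names; use your application's


@dataclass
class TestAccount:
    username: str
    password: str
    role: str
    tenant: str
    expires_at: datetime


class TestAccountStore:
    # In-memory stand-in for the real account backend (assumed, for illustration).
    def __init__(self, lifetime_days: int = 30) -> None:
        self.lifetime = timedelta(days=lifetime_days)
        self.accounts: dict[str, TestAccount] = {}

    def provision(self, researcher: str, tenant: str, role: str,
                  now: datetime) -> TestAccount:
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        # A fixed prefix makes bounty accounts easy to spot in logs and to clean
        # up; the password is random, never a production one.
        username = f"bb-{researcher}-{tenant}-{role}-{secrets.token_hex(3)}"
        acct = TestAccount(username, secrets.token_urlsafe(16), role, tenant,
                           now + self.lifetime)
        self.accounts[username] = acct
        return acct

    def provision_all_roles(self, researcher: str, tenants: list[str],
                            now: datetime) -> list[TestAccount]:
        # One account per role per tenant, so privilege and cross-tenant cases are testable.
        return [self.provision(researcher, t, r, now) for t in tenants for r in ROLES]

    def extend(self, username: str, now: datetime) -> TestAccount:
        acct = self.accounts[username]
        if acct.expires_at < now:  # fully expired: issue a fresh account instead
            raise ValueError("account expired; provision a new one")
        acct.expires_at = now + self.lifetime
        return acct

    def purge_expired(self, now: datetime) -> list[str]:
        # Data residue clean-up: remove accounts past their expiry date.
        gone = [u for u, a in self.accounts.items() if a.expires_at < now]
        for u in gone:
            del self.accounts[u]
        return gone
```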
Account Overload
Monitor system resources during bug bounty testing to identify and address issues related to a large number of test accounts and user requests. Ensuring system stability is crucial for providing researchers with a reliable testing environment.
Credential Management
Securely manage passwords for test accounts by using Intigriti’s in-platform credential management feature. Avoid using production passwords for any shared account.
Special Test Setup
In scenarios where the standard approach to test account creation does not align with your specific testing requirements, you are encouraged to proactively reach out to your Customer Success Manager, who will connect you with the Intigriti Technical Success Team. This team is dedicated to collaborating closely with you to craft a tailored and secure setup that accommodates the unique demands of your bug bounty program. Because only you have insight into your own test environment, the TSM team will build on your expertise in your own application. By exploring your setup together, we aim to provide a customized and effective bug bounty testing experience for both you and the researcher community.
Conclusion
Efficient test account creation and management are crucial for the success of bug bounty programs. Whether operating in single or multi-tenancy environments, addressing these considerations proactively, including MFA token management, ensures a testing environment that facilitates vulnerability discovery and sustains high researcher activity.