How companies like Facebook find bugs that matter
Bug bounty programs help companies find, triage, prioritise and fix vulnerabilities before they are exploited.
Tech companies large and small, from established names to fast-growing newcomers, have seen the value of hacker-powered security for scaling their security teams and finding bugs before attackers do.
We’ve noticed three ways tech leaders use bug bounties to keep their users safe.
They Focus On Bugs That Matter
Not all bugs are created equal. It’s essential to prioritise bugs by severity and impact. A layered application security strategy combines several techniques, including automated scanners and human testers, to find vulnerabilities at every stage of development.
According to a recent article contributed by Facebook to Communications of the ACM, Facebook focuses on finding the bugs that matter. First, they “use static analysis to prevent bugs that would affect our products, and we rely on our engineers’ judgment as well as data from production to tell us the bugs that matter the most.”
Facebook also knows that some bugs make it past static analysis. They collect crash statistics from production to help find and troubleshoot problems, and they run a bug bounty program so that “people from outside the company can report vulnerabilities on Facebook, or apps in the Facebook family.”
Facebook isn’t the only tech company to see the benefits of a bug bounty program. In July 2018, Intel paid US$100,000 in bug bounties to hackers who found two new variants of the Spectre vulnerability in Intel’s microprocessors.
Use hacker-powered security to find the bugs that matter before they get exploited in the wild.
They Get Access To The Best Community of Hackers
Hacker-powered security does more than test your software. It gives you access to a breadth of skills that a single pen-testing team rarely has.
GitHub appreciates the efforts of the researchers working on its behalf. A blog post in February 2019 celebrates the fifth anniversary of GitHub’s bug bounty program. The program has expanded to cover all first-party services hosted under the github.com domain, including GitHub’s desktop application. It has also opened up GitHub’s internal systems to researchers, so the program protects employees as well as customers.
What does GitHub think of the security researchers brought to them by their bug bounty program? The blog post mentions, “Over the past five years, we have been continuously impressed by the hard work and ingenuity of our researchers.”
GitHub states that “the bounty program remains a core part of GitHub’s security process, and we’re learning a lot from our researchers.”
Grammarly takes security seriously and employs a talented team of security experts, but it also knows the value of a large community of hackers backing that team up.
That’s why Grammarly made its bug bounty program public in December 2018.
“We have a committed team of security engineers and experts, but we also know that close collaboration with a talented group of security researchers will lead to a better, more secure product.
In today’s rapidly evolving security threat landscape, it’s essential to be armed with the right toolkit to protect user security and data privacy. After successfully running a private bug bounty program with HackerOne for over a year — currently with nearly 1,500 participants — we’re ready to launch a broader public program to enhance our security posture even further. We firmly believe that this gives us access to the best resources to help mitigate vulnerabilities, ward off attackers, and — ultimately — protect our users.”
Shopify agrees with GitHub and Grammarly. In a recent blog post announcing that it has paid hackers over US$1 million in bug bounties, Shopify explains why it values the community that helps it every day.
“At Shopify, bounty programs complement our security strategy and allow us to leverage a community of researchers who help secure our platform. They each bring their perspective and specialties and can evaluate our platform from thousands of different viewpoints to create a better Shopify product and a better user experience for the 800,000+ businesses we safeguard.”
Finding the bugs that matter is essential to building a successful business today, and it is far easier with the best researchers on the planet by your side.
They Take Security Seriously
Shopify takes security seriously. The e-commerce platform is growing fast, and Shopify wants to make sure application security keeps pace with that growth. Not only has it paid over US$1 million to hackers, it also works hard to triage and disclose the vulnerabilities they find.
According to Shopify’s bug bounty year-in-review for 2018, “when someone is the dedicated ‘triager’ for the week at Shopify, that becomes their primary responsibility with other projects becoming secondary. Their job is to ensure we quickly review and respond to reports during regular business hours.”
Disclosing vulnerabilities is important to Shopify, and it has fully embraced the help of talented security researchers. Shopify discloses vulnerabilities because, “contrary to what a lot of companies believe, we believe it engenders more trust and faith from our merchants, not less. Something inevitably falls through the cracks and having researchers discover and share them with us, rather than exploiting them, is a win-win situation.”