This feature is part of a series focused exclusively on cybersecurity. To view other posts in the series, check out the spotlight page.
In September, Yelp launched its first public bug bounty program. The company has a robust and talented security team of its own. So why open up its systems to hackers?
"No software product is perfect," said Vivek Raman, head of security at Yelp. "Instead of hoping we found all the bugs, we’d rather invite hackers to help us identify them so we can fix them faster. A bug bounty also helps us build a great relationship with the hacker community."
It’s not Yelp’s first experience with bug bounties. The company launched a private bug bounty program two years ago.
"We’ve been able to identify a lot of bugs and issues on our own, but launching a private program helped us speed up that process and identify and resolve issues faster," said Raman. "Now going into a public program, we’re hoping to continue to improve that process and create the most secure version of Yelp possible. Our security team has matured a lot over the last few years and we’re ready to take on the responsibility of running such a transparent program."
Twenty-one years in the making...
In 1995, Netscape launched what is widely considered the very first bug bounty program, offering cash rewards to those who were able to find security bugs in their Netscape Navigator 2.0 Beta.
Netscape may have been an early adopter, but today’s security landscape is also much different than it was in the 1990s. Today, more valuable information is available online and cybercriminals seem to have little difficulty getting around even the most robust security systems.
Bug bounties have become a best practice in the tech industry and have proven incredibly effective in identifying potential vulnerabilities. Large companies like United Airlines, Western Union, Tesla Motors and Fiat Chrysler have all launched bug bounty programs over the last few years.
"Companies can go it alone when it comes to trying to find bugs and other vulnerabilities," said Marten Mickos, HackerOne CEO. "But asking the community for help can be much more effective."
"It’s kind of like a Neighborhood Watch program. You can never build a home that is completely perfect, but if you ask your neighbors to help watch over your home, you'll be safer," Mickos said.
HackerOne — which was recently selected to help the Pentagon run its ground-breaking Hack the Pentagon bug bounty program — connects companies of all sizes to a worldwide consortium of talented hackers.
"They are free agents and they can work on any program," said Mickos. "That's how you get this amazing effect out of bug bounty programs."
The right mindset
Bug bounty programs are best for companies that have already taken their security programs as far as they can in-house or via a third party audit. Committing to a bug bounty program also requires that a company have the right mindset. They should be dedicated to the process and in a place where they are ready to ask for and receive input, explained Mickos.
"You have to have the mindset of 'please tell me if I have spinach in my teeth.' Please tell me about my vulnerabilities," said Mickos. "Not every company is there yet. Once they say, 'we're confident enough to receive the report,' then they will also be confident enough to fix any issues and they will be much more secure."
It’s also important to consider whether a public or private program is best for the organization. Companies typically start with a private program wherein they invite just a few very good hackers to examine a company’s networks, Mickos said. This also provides the company a manageable amount of feedback so they don’t get inundated, while allowing them to get accustomed to typical bug bounty processes and procedures.
For Yelp, it made sense to start with a private program.
"I wouldn’t recommend that anyone jump into a public program as their first experience with a bug bounty," said Raman. "It takes a lot of experience and commitment to run even a private bug bounty program, much less a public one. We learned a lot from our private program, and it prepared us to handle the volume of reports we expect to get in public mode while keeping our response time fast."
Companies like HackerOne can also handle triage of the reports post-bug bounty, meaning they can help a company figure out which vulnerabilities are most critical, as well as handle payments to hackers. What they can’t typically do is fix the vulnerabilities the hackers identify. And that, of course, is a critical component a company participating in a big bounty must also prepare for.
"The companies that get the most out of bug bounty programs have good relationships between their security teams and engineering teams, and a commitment from the engineering team to fast track vulnerabilities so they can get fixed quickly," said Mickos.
More than meets the eye
Based on his experience with bug bounties thus far at Yelp, Raman said the process is actually about more than just discovering potential vulnerabilities
"There’s a culture shift that has to happen internally to get everyone in the company committed to building more secure products from the ground up, even if that takes more time and resources," said Ramen.
With their new public program, Raman said they aren’t quite sure yet what to expect, but that’s exactly why they launched the program.
"It allows us to leverage the brainpower of an entire community of people who have a range of very specific interests and specialties that we might not have ourselves," he said.