How we run our bug bounty program
It’s a fact that any larger code base is bound to have bugs in it. Over the years, there have been many estimates of the relationship between lines of code and the numbers of bugs it contains. A frequently quoted estimate comes from Steve McConnell and his book Code Complete where he writes that the industry average is “about 15–50 errors per 1000 lines of delivered code."
But regardless of the ratio between lines of code and errors, some of these inconsistencies will unfortunately lower the security level of the system running the code.
Since security is a serious matter for Contentful, we use a bug bounty program as part of our efforts to deliver secure and high-quality services to our customers.
What is a bug bounty program?
A bug bounty program is a way for companies to financially reward hackers and security researchers for responsibly reporting vulnerabilities. The report usually contains a technical description on how the vulnerability was discovered, so that the receiver can verify the report’s accuracy. The reporter also vows to keep the discovered vulnerability secret from the general public until the vendor has had time to correct it.
In most bug bounty programs there’s a close relationship between the seriousness of the discovered vulnerability, and the amount paid out to the person who reported it.
Bug bounty program vs. regular penetration testing
Traditional penetration testing is one tried-and-tested way of finding and reporting vulnerabilities. However, a potential downside can be that regular penetration tests are often carried out during a limited amount of time, with a small number of penetration testers working against a tightly defined scope.
With an ongoing bug bounty program, you instead get a continuous penetration test that can attract the attention of a larger number of highly talented people. And working together with such a diverse group of individuals also means that you get access to a wide variety of creative minds.
Contentful has been working with Bugcrowd for over a year. Besides getting access to a good number of security-minded testers, the primary reason for using Bugcrowd was to better coordinate incoming security reports. And, their triage and validation services work incredibly well.
In the past, potential vulnerabilities were reported to Contentful by sending a message to our support staff. Now that we use an ongoing managed bug bounty program, our support staff won’t have to bother with trying to decipher vulnerability descriptions or try to interpret proof-of-concept examples.
Instead, the reports directly end up where they belong - in the hands of our security experts.
A typical workflow
After we receive a report on a potential security issue, we try to quickly verify its accuracy and the potential impact. We do this by checking if the suggested vulnerability has been previously reported, and if we can reproduce the potential security flaw as described by the reporter.
At this stage, using a bug bounty program serves two purposes:
- The reporter gets a confirmation saying that the finding is indeed a security issue.
- The reporter now knows that we are working to fix the issue, and that they will receive financial compensation for reporting the issue if the report is valid.
120 reports and counting
We have to date received 120 reports on potential security concerns from a total of 50 Bugcrowd members. The reports have addressed a range of issues such as XSS vulnerabilities, misconfigurations and authentication flaws.
While not all of the 120 reports could be verified as security issues, a number of them led to some type of mitigative action on our side.
Safer than ever before
Fairly compensating the security community for finding flaws in our products is vital to us. We believe that using the best bug bounty platform for the entire process, from the initial report to bounty payout, has made our products and services safer than ever before.
We’re also working on expanding the current bug bounty scope to include features and services that are in non-public beta. We aim to go forward with the expansion in close relationship with security researchers that have previously found security vulnerabilities in our products.
While we still continue to do traditional penetration testing of our services, we feel that having an ongoing bug bounty program creates an overall more secure product. That’s good news for both our customers and us.