Hacking Contentful

How we run our bug bounty program

It’s a fact that any larger code base is bound to have bugs in it. Over the years, there have been many estimates of the relationship between lines of code and the number of bugs they contain. A frequently quoted estimate comes from Steve McConnell and his book Code Complete, where he writes that the industry average is “about 15 - 50 errors per 1000 lines of delivered code”.

But regardless of the ratio between lines of code and errors, some of these inconsistencies will unfortunately lower the security level of the system running the code.

Since security is a serious matter for Contentful, we use a bug bounty program as part of our efforts to deliver secure and high-quality services to our customers.

What is a bug bounty program?

A bug bounty program is a way for companies to financially reward hackers and security researchers for responsibly reporting vulnerabilities. The report usually contains a technical description of how the vulnerability was discovered, so that the receiver can verify the report’s accuracy. The reporter also vows to keep the discovered vulnerability secret from the general public until the vendor has had time to correct it.

In most bug bounty programs there’s a close relationship between the seriousness of the discovered vulnerability, and the amount paid out to the person who reported it.

The HackerOne bug bounty platform

HackerOne is today’s largest bug bounty coordination platform. Since its launch in 2012, HackerOne has been used by the security community to responsibly report over 40 000 security issues for a variety of customers like Google, Facebook and of course Contentful.

Using HackerOne, participating companies and organizations get access to the unique skills and minds of thousands of reliable hackers and security researchers.

HackerOne vs. regular penetration testing

Traditional penetration testing is one tried-and-tested way of finding and reporting vulnerabilities. However, a potential downside can be that regular penetration tests are often carried out during a limited amount of time, with a small number of penetration testers working against a tightly defined scope.

With an ongoing program like HackerOne, you instead get a continuous penetration test that can attract the attention of a larger number of highly talented people. And working together with such a diverse group of individuals also means that you get access to a wide variety of creative minds.

Deciding on HackerOne

Contentful has been using the HackerOne platform for about a year. Besides getting access to a good number of security-minded testers, the primary reason for using HackerOne was to better coordinate incoming security reports.

In the past, potential vulnerabilities were reported to Contentful by sending a message to our support staff. Now that we use HackerOne, our support staff won’t have to bother with trying to decipher vulnerability descriptions or interpret proof-of-concept examples.

Instead, the reports directly end up where they belong - in the hands of our security experts.

A typical workflow

After we receive a report on a potential security issue, we try to quickly verify its accuracy and the potential impact. We do this by checking if the suggested vulnerability has been previously reported, and if we can reproduce the potential security flaw as described by the reporter.

At this stage, using HackerOne serves two purposes:

  1. The reporter gets a confirmation saying that the finding is indeed a security issue.
  2. The reporter now knows that we are working to fix the issue, and that they will receive financial compensation for reporting the issue if the report is valid.

95 reports and counting

We have to date received 95 reports on potential security concerns from a total of 62 HackerOne members. The reports have addressed a range of issues such as XSS vulnerabilities, misconfigurations and authentication flaws.

While not all of the 95 reports could be verified as security issues, a number of them led to some type of mitigative action on our side.

Lessons learned

HackerOne is undoubtedly a great platform. But that doesn’t mean that we got everything right from the very beginning.

For example, we learned early on that clear communication is key. This includes making sure that the reporter knows that we have received the report, and that we have verified it as a new vulnerability. It also includes making sure that the reporter knows when the bug bounty will be paid.

We also learned that it’s important to comprehensively explain the technical scope of the bug bounty program. For instance: it should at all times be obvious which API endpoints are part of the bug bounty hunt, and which ones are out of scope.

But regardless of the initial bumps in the road, the benefits of using HackerOne clearly outweighed any disadvantages.

Safer than ever before

Fairly compensating the security community for finding flaws in our products is vital to us. We believe that using the HackerOne platform for the entire process, from the initial report to bounty payout, has made our products and services safer than ever before.

We’re also working on expanding the current bug bounty scope to include features and services that are in non-public beta. We aim to go forward with the expansion in close collaboration with security researchers who have previously found security vulnerabilities in our products.

While we still continue to do traditional penetration testing of our services, we feel that adding HackerOne into the mix creates an overall more secure product. That’s good news for both our customers and us.