Two years ago, Sendbird launched a Managed Bug Bounty engagement with Bugcrowd. Sendbird’s public bug bounty program helps them uncover and address a wide array of security vulnerabilities. Over those two years, they’ve rewarded over $53,000 to ethical hackers and found over 500 vulnerabilities.
According to Seongjin Hong, Staff Security Engineer at Sendbird, “Our bug bounty program plays a crucial role in safeguarding our systems.” We recently sat down with Hong to get a few insights into their success.
Q&A with Sendbird
Tell us a little bit about Sendbird
Sendbird is an award-winning communication platform used by the world’s most popular mobile apps. Its AI customer service agent elevates the customer experience and enables businesses to have meaningful customer connections at scale.
What inspired you to launch your bug bounty engagement?
As a SaaS company where our customers trust us with their information, security has always been paramount for us. We have a strong internal team that recognizes the value of leveraging hackers around the world to supplement our efforts to keep our customer data safe.
Initially, we started with an inbound email program and quickly pivoted to a vulnerability disclosure program (VDP). Starting with a VDP before launching our bug bounty program was a great way to test the waters. The VDP allowed us to create an internal runbook and experiment with workflows to figure out what works best for us before launching the bug bounty program.
What results have you experienced?
Our bug bounty program has been instrumental in uncovering a variety of security vulnerabilities, including RBAC (role-based access control) issues, web vulnerabilities like XSS, CSRF, and SSRF, and vulnerabilities that could potentially compromise user confidentiality. By proactively identifying and addressing these issues, the program has significantly enhanced the overall security of our service and protected our users’ sensitive information. Our bug bounty program has provided us with excellent value for the money.
We take great pride in the program’s success in uncovering a wide range of vulnerabilities, which has significantly bolstered the overall security of our products. We are proud to be able to work with and support independent security researchers across the globe.
Why do you keep working with Bugcrowd?
We originally chose to partner with Bugcrowd over other solutions because Bugcrowd’s Platform had features and support that were the best fit for our needs. Their Support team helps us operate our program successfully and the Bugcrowd pricing model is a great fit for us.
Bugcrowd’s Platform has been essential for us to efficiently run our bug bounty program with significantly less internal resource utilization, which enables us to focus our efforts on improving other areas of our security posture. Their platform handles many of the administrative tasks involved in running a bug bounty program, including the validation of submissions, filtering out duplicates, ranking vulnerabilities by severity, managing communications with hackers, and the complexities of international payments to researchers. This allows our security team to focus on remediation and other business-critical tasks.
Overall, our collaboration with Bugcrowd has reduced the operational burden and allowed us to focus on security enhancements.
What would you like to highlight about your bug bounty program?
We really prioritize the hacker experience in our engagement. We focus on prompt hacker payouts, which is one of the reasons why we’ve seen great success with the program and a steady stream of submissions, even after two years of operation. We try to issue bounties well within five days for all valid reports.
The hackers who help keep Sendbird secure
Public bug bounty engagements like Sendbird’s attract thousands of hackers daily. However, most programs have a few stand-out hackers who become specialists with the company they’re hacking for. Saaanp has filed the most valid reports with Sendbird, and Foobar7 has reported the most critical vulnerabilities with Sendbird.
When asked why hackers should work on the Sendbird engagement, Hong said, “Sendbird’s security team has a number of security professionals who were previously bug bounty hunters and understand how the program works from the other side. We really value the hacker community and aim to establish lasting relationships with them. Our program is designed to be engaging with hackers in mind, making their participation more interesting and valuable.”
We’re so happy that the Bugcrowd Platform and hacker community have been so instrumental in helping Sendbird identify and resolve security vulnerabilities.