Upwork’s senior information security engineer reveals how a public bug bounty program helps reassure clients and keeps the company’s critical platform secure

In today’s fast-paced world, organizations need a fast-paced solution to finding skills and resources. The Upwork platform was launched in 2015 to connect corporate clients with freelancers across the globe. But to safeguard its services and reputation, Upwork must ensure this ground-breaking platform is safe from security breaches and malicious attacks.

We spoke to Alex Bod, Senior information Security Engineer at Upwork, about how he’s helping to keep the company’s business-critical solutions safe with a public bug bounty program.

Tell us a bit about Upwork

Upwork is a flexible talent solution, operating across over 180 countries. We connect organizations to experts in a wide range of fields, from software development and design, to marketing and accounting. Our proposals process, online workspace, and payment protection means teams across the globe can work together easily and with greater confidence. I’ve been there since 2017 in my role as an information security engineer, and it’s a very innovative and rewarding place to work.

Why does Upwork rely on crowdsourced security to protect its platform?

In my opinion, crowdsourced security is the best way for us to find vulnerabilities – it’s on a completely different level to standard pen testing. We have a public bug bounty program with Bugcrowd, which means that we have access to an entire crowd of ethical hackers, all working to locate bugs within our platform. Without that breadth, we’d never be able to find such a wide range of vulnerabilities so quickly.

How does working with Bugcrowd help reassure your clients?

Our larger clients, in particular, are really hot on security. We hold a lot of confidential and sensitive data, so we need to be able to demonstrate to clients big and small that their information is safe with us. By working with Bugcrowd, we can show that we’re committed to the highest levels of security, and provide our clients with reports that prove it. It’s a no-brainer for us, so we’ve always had full support from the board in choosing crowdsourced security.

What successes have you seen from the program so far?

We’ve been running the program for nearly two years now, over which time we’ve fixed and closed more than 429 bugs and vulnerabilities. It’s a seamless process – researchers file their submissions, Bugcrowd’s triage team validates them and passes them to us for resolution. Once we’ve fixed a bug, we ask the hacker who found it to re-test and mark it as fixed if appropriate. Sometimes, if a researcher has put a lot of work in, we reward them even if the submission isn’t valid.

What’s it like working with Bugcrowd?

Our program managers are great! They’re really supportive and helpful. And the program health dashboard means we can always see the value we’re getting at a glance. I don’t think there’s a better way to find vulnerabilities.

“By working with Bugcrowd, we can show that we’re committed to the highest levels of security, and provide our clients with reports that prove it.” Alex Bod, Senior Information Security Engineer, Upwork

Based in Kiev, Ukraine, Alex is an expert in information security with 11 years’ professional experience. To find out more about Alex and his love of Unix, artificial intelligence, and music, you can read his blog here https://www.alexbod.com/.