This year, one of our favorite customers will be speaking at one of our favorite conferences where they will discuss why they implemented a bug bounty program, and how the results and learnings have influenced their internal security culture and testing processes.
If you will be at LASCON in Austin, Texas this year, be sure to catch the talk by Charles Valentine, VP of Technology Services at Indeed, on Friday at 1 pm. If you won’t be at LASCON, we have you covered. This post offers a preview of what went into the launch of Indeed’s bug bounty program and provides a snapshot of the results and findings to date.
In mid-2014, Indeed recognized that they needed to create a consolidated channel for researchers to report vulnerabilities and to improve their internal and external security testing practices. To achieve this, they tapped Bugcrowd to help them leverage the power of the crowd and launched their bug bounty program on May 22, 2014.
“We always consider the security of our systems as we develop the services that millions of people use every day. But someone will outsmart us. Hackers are always trying out new ways of bypassing security and gaining access to systems and information. Our challenge: to bring these security experts over to our side and benefit from their findings.”
Read more about their experience launching a bug bounty program in their recent blog post.
Since May of 2014, they have gotten more testing coverage than ever, uncovering more unknown vulnerabilities than they could have possibly done with their existing testing resources.
In the two and a half years that Indeed has run their bug bounty program, they have…
Indeed has demonstrated tremendous commitment and success. Not only have they received consistent, high-level activity over a sustained period, but they have also earned the trust and loyalty of several of the top researchers in the community, as shown by their nomination in our recent Buggy Awards for ‘Best Program – Researchers’ Choice.’
They have communicated transparently with submitting researchers, have increased payouts over time, and have committed to responding quickly to researchers, which has driven the volume and quality of the submissions they’ve received.
What is more, because of their longstanding program, they have identified trends that have enabled them to evolve and improve their program over time.
We’ve seen that over time bug bounty programs naturally fluctuate up and down depending on changing program variables. Indeed’s program is no different.
For example, if you split their program in two, comparing the first half (May 2014 to August 2015) to the second half (August 2015 to today), some basic trends emerge.
In two years, Indeed has done a great job keeping researchers engaged, while making more out of their continuous investment in the researcher community. They have increased their payouts, have made adjustments internally to process submissions more effectively, and have constantly committed to making their bug bounty program even better.
“…we’re working on balancing the time we spend finding new bugs and fixing known bugs. Building and managing a popular bounty program leads to lots of good submissions, but that all falls to pieces if we don’t also spend the time fixing the bugs. At Indeed, the benefits of investing time improving our bug bounty program can’t be overstated.”
Read more about their bug bounty learnings in their recent blog post.
Learn more about their success, catch Charles’s talk this Friday at LASCON, and stay tuned for the recording of Charles Valentine’s insights and advice for those looking to run a bug bounty program.