This blog was written by Stu Hirst, Head Of Security Engineering, Photobox Group
I’ve been a believer in the power of the bug bounty model since 2015, when I ran my first 2-week program with Bugcrowd. During that program the researchers found 149 vulnerabilities, nearly 50 of which were valid and in scope. That was a level of vulnerability submission I had not seen previously in pen testing.
At Photobox, we have a dedicated Application Security Team who do great work in a number of important areas. We threat model applications and architectures, we pen test, and we use existing crowd-sourced testing mechanisms across our brands. We have Security Champions across the business who assist us with finding and fixing vulnerabilities of all kinds, and we also perform Red Teaming. It’s a major area of continued focus for the Group, and our external disclosure scheme, followed by our bug reward scheme, will be paramount to maturing our security posture.
We hugely value the submissions we receive and we want to be fair and consistent in our response. We see the researcher community as paramount to improving the security of our applications and, fundamentally, to protecting the internet for the next generation. This is why we turned to Bugcrowd.
Historically, we have handled researcher submissions internally; however, we wanted to streamline this process. The Bugcrowd platform is scalable: it not only gives us a level of comfort that bug submissions are of good quality and are properly replicated and triaged, but also helps us manage the relationship with researchers. Bugcrowd’s Vulnerability Rating Taxonomy is also very helpful in deciding the priority of fixes, whilst being fair to researchers in rewards.
We’re proud to be working with an industry leader in this space and our plans into 2019 are to develop an ongoing program of bug reward.
Our first step with Bugcrowd is to manage our Responsible Disclosure via a vulnerability disclosure program. This will allow existing researchers on the platform to be rewarded with points for their findings. We will be asking all those who currently submit to us to use this mechanism.
In 2019, we plan to establish a full bug program with cash and points rewards through Bugcrowd. Whilst we would like to offer cash rewards immediately, this isn’t a scheme which can be rushed, as we need to ensure we have the internal mechanisms and support to effectively manage such a large, ongoing piece of work. We truly value the patience shown to us by our existing researchers as we embark on this journey. It’s the right thing to do and we’re excited about what we can achieve together.
Bugcrowd is one of the game-changing companies in external vulnerability testing and has raised the bar for companies and researchers alike. Photobox Group and our Group Security team are extremely excited to be working with Bugcrowd to help us develop and mature our responsible disclosure and bug program.