This guest blog was authored by the StackPath security team.
StackPath is a platform of secure edge services that enables developers to protect, accelerate, and innovate cloud properties ranging from websites to media delivery and IoT services. As a leading CDN offering enterprise-grade security and performance, we have treated security as a core part of our DNA since inception. Accordingly, we are hyper-focused on prioritizing internal security operations for seamless delivery and solution support, at scale. We believe it’s the right thing to do for our customers, company, and the market at large.
Prioritizing security feedback
Over the years, StackPath has built a comprehensive Vulnerability Management Program, including integrated scanning, pen testing, internal testing, QA, and even an internally managed vulnerability disclosure program. However, as we grew, we were looking for ways to scale the impact of our solutions, formalize external security feedback, and better reward and engage the global researcher community. In 2018, we found Bugcrowd.
The value of “non-critical” submissions
Bugcrowd’s managed Vulnerability Disclosure Program (VDP) has provided a layer of scalability we were missing in our previous self-managed approach, freeing our security team to better connect with the researcher community that has been so instrumental in our overall security operations. It has also afforded us the time to really unpack each submission in order to better orchestrate our response. Interestingly, while P1 vulnerabilities are objectively the “most critical” as determined by the Vulnerability Rating Taxonomy (VRT) and Bugcrowd’s managed validation and triage process, some of our most valuable vulnerabilities have actually been P3s and P4s. These submissions have clearly taken a remarkable level of creativity to uncover, and thus have served as an excellent tool for security and development training efforts.
To our researchers
If we could tell our security researchers one thing, it would be, “Thank you!” We assure you that regardless of rank, every valid vulnerability is prioritized for response by our team. The variety of issues reported has really helped our developers think more critically about the way they build solutions, truly changing day-to-day operations for that team as a whole. We’re also always changing and expanding our infrastructure, so if it’s variety that interests you, we’ve got you covered!
Additionally, StackPath observes partial safe harbor to ensure both StackPath and our contributing researchers are fully aligned in researcher testing protections as well as exactly what can be tested. We understand submitting vulnerabilities to other organizations can be intimidating at best, and personally damaging at worst. We don’t want to penalize anyone attempting to do the right thing.
Bugcrowd has really helped us up-level organization-wide commitment to security best practices, and introduced many parts of our business to the value of white hat hackers. We are extremely grateful to our hackers and their commitment to making our digitally connected world a safer place.
We’re excited to have Bugcrowd manage our Vulnerability Disclosure Program. You can find the VDP page here.