Yesterday I spoke with InVision’s VP of Information Security, Johnathan Hunt, about the vulnerabilities that are often left by traditional security assessment methods and the benefits of a bug bounty program.

In addition to recapping key points from the webinar (you can watch our recorded webinar here), this post will highlight InVision’s security program and how a bug bounty fits in to improve the overall security of their products.

From Doubter to Disciple

Johnathan has a story many bug bounty converts will find familiar. Before he had first-hand experience launching and running a bug bounty program, he doubted their legitimacy and potential success. Over time, however, he was overburdened by the struggle of juggling vulnerability detection with a slew of other responsibilities–especially in a time where continuous vulnerability assessment is so difficult:
Bug bounty programs seemed to offer a creative solution for companies small and large still facing breaches with tens of millions of compromised records.
 
“Look at the high-profile breaches that have made headlines over the last five years and ask yourself if you think they did annual pen tests.  With a bug bounty program, your opportunities at finding those critical, hidden holes are significantly improved.” – Johnathan Hunt, InVision

Transitioning to a Managed Bug Bounty Program

Quickly after launching their self-managed program, the InVision team was overwhelmed with managing the volume of submissions. From communicating with researchers and replicating vulnerabilities to coordinating development time and effort to deploy solutions, they recognized a need for an alternate option–hire additional staff or augment this workload another way.
In launching their managed program with Bugcrowd, much of that work was offloaded from the InVision team. Bugcrowd’s platform and team of experts provide bug triage, validation, de-duplication, prioritization recommendations and handle all communication.
“For us, the managed approach reduced our required time and effort by at least 80% allowing us to not only focus on what matters the most, implementing the remediations but also freeing up our security team to focus on other components of our security program.” – Johnathan Hunt, InVision

Learnings

The InVision team has learned a lot from engaging with tens of thousands of security researchers around the world.
  • Volume of submissions: From the get go, the InVision team has received a wide array of submissions through the bug bounty program. By tuning their program, they’ve been able to eliminate areas of lesser concern from their program scope.
  • Continuous testing: Through this 24/7 coverage, the opportunities at finding critical, hidden holes are significantly improved and aligns more closely with their development cycles.
  • Working with development teams: Their engineers have responded to the bug bounty program with open arms because it optimizes their time and helps to identify recurring themes of coding issues.
  
“Simply put, the bug bounty program has been the best method I’ve found to identifying coding issues as quickly as possible.” – Johnathan Hunt, InVision

It has been a pleasure learning more about InVision’s journey implementing and adopting a successful managed bug bounty program.