CM Group Extends Its Security Team With Bug Bounty Program

From retail companies and news agencies to educational institutions and political organizations, effective email marketing is an essential tool in today's world.

CM Group is a collection of industry-leading email marketing platforms: each brand caters to a different B2B or B2C audience by providing email sending and creation platforms, e-commerce integrations, dynamic personalization and/or professional services for various business sizes in numerous industries.

With platform data including email addresses and personal information, protecting its solutions against security threats is a priority for CM Group. "Several customers conduct business with two or more of the CM Group brands to address different needs within their business, so the repercussions of losing their trust would be felt across the entire group," confirms Agathe Savard, Global Security Manager at CM Group. "We have a responsibility to protect our platforms in order to follow GDPR (General Data Protection Regulation) guidelines and provide peace of mind to our customers."

Subject to numerous mergers and acquisitions over the last 10 years, CM Group is constantly growing and evolving, and needs a responsive and flexible vulnerability management program that can keep up. Annual pen testing has always been a key part of the company's security strategy, but because it only addresses vulnerabilities at a particular point in time, the company was keen to adopt an ongoing approach.

"As an agile software company, our code is updated all the time," explains Agathe Savard. "We decided to transform the way we approached security to become more proactive and better meet the needs of the business."

Seamless integrations and automated notifications simplify security processes

In August of 2016, Campaign Monitor, the original CM Group brand, decided to work with Bugcrowd, starting with a two-week Flex program. "We came to Bugcrowd with a laundry list of items to focus on. The exercise helped us understand our weaknesses better and was a pivotal point in maturing our security program," comments Savard.

The company now has multiple ongoing private bug bounty programs, which are a core component of the security strategy for all CM Group brands. The company's marketing sites, web applications, and API are all included in the programs. "We get quality findings, ongoing testing, fresh eyes, and new angles at attempting to exploit our platforms every day," says Savard. "It's a no-brainer in terms of value to the business."

Once a researcher has made a submission, it is validated and replicated, and a Jira ticket is created that goes directly to the engineering team that owns the area affected by the issue. Fixes are tested internally, validated by the internal security team, and deployed to production for re-testing by the same researcher who submitted the finding.

With seamless technology integrations and automated notifications, working with Bugcrowd has simplified security workflows across the entire CM Group portfolio, making it easier to share information between teams and faster to implement fixes. The company has also adopted Bugcrowd's Vulnerability Rating Taxonomy (VRT) in-house to ensure a clear, standardized picture of priorities regardless of the reporting source, which saves time.

Industry: Technology

Bugcrowd Product: Managed Bug Bounty, Vulnerability Disclosure Program

Challenge
A key challenge for CM Group was that, as the company grew through mergers and acquisitions, the cost of outsourced penetration testing became outrageous and provided very little value given the limited point-in-time snapshot it offered. The model simply didn't match that of an agile software development company and didn't satisfy the desire to deliver a good assurance program with a strong ROI for the business. Additionally, though CM Group had good in-house security expertise, it became challenging to deliver these services at scale across all brands.

Outcomes
Better access to security skills and expertise
Faster vulnerability identification and remediation
Cost savings of tens of thousands of dollars
Peace of mind for customers

Peace of mind for the business and its customers

Working with Bugcrowd means that the CM Group Security Team has access to knowledge and expertise that extends beyond the boundaries of the in-house team. They treat the Bugcrowd researchers as an extension of their security team and encourage the building of relationships with the testing community. "The shift from traditional pen testing to bug bounty programs has saved us tens of thousands of dollars every year, delivering great ROI," confirms Savard. "The partnership with Bugcrowd provides so much more than just security findings: we now have an extended team that helps us test our sites and applications, and even find the right fix in some cases."

The Bugcrowd platform also provides reporting and trend analysis, so Campaign Monitor's team can prioritize issues, ensure that those with the greatest potential impact are dealt with first, and simplify risk remediation.

"Running bug bounty programs as part of our security arsenal has delivered well beyond the original use-case," comments Savard. "We've continued working with Bugcrowd because of its fantastic client support experience, and the great researcher relationships we have established thanks to the platform. We now have greater peace of mind that our platforms and data are protected, which is invaluable to the business and our customers."

More about the Interviewee
Agathe Savard is responsible for product and security engineering for all CM Group companies. She has 15 years of IT and security experience across medium and large enterprises.