SEEK Shows Commitment to Security with a Managed Public Bug Bounty
SEEK is Australia’s number one employment marketplace, bringing together a strong portfolio of online employment, educational, commercial and volunteer businesses. SEEK operates across 19 countries with exposure to more than 4 billion people. At SEEK, users’ security and privacy are paramount. The company takes every precaution to protect its information so that it can focus on bringing innovations to market through its products and services.
With an expanding attack surface and highly motivated adversaries, SEEK recognized it needed to create a consolidated channel for vulnerability reporting and to improve its internal and external security testing practices. To achieve this, SEEK tapped Bugcrowd’s platform and community of white hat hackers, launching its crowdsourced security program in 2016.
To power the SEEK platform over the years, the team had incorporated varying technology stacks and “backend” systems for managing different parts of the business. Combine that with the highly sensitive user data shared on SEEK, and you have your hands full with creating a dynamic and effective application security program that incorporates security and privacy at every level.
SEEK does a number of things to help secure its platform, including:
Even with all these security layers, SEEK needed to ensure its diverse systems and data were tested further with a bug bounty program, to catch vulnerabilities that slipped through its other controls. SEEK started working with Bugcrowd in June 2016. To get the business comfortable with running a bug bounty against production systems, SEEK started with a small, limited scope. This approach proved very successful and allowed the company to increase the scope of the program over time. After running a wider-scope private program for a few years, SEEK took the program public in 2019.
Unlike a scheduled penetration test, time is not a factor. And given the number of researchers on the Bugcrowd platform, this means eventually the majority of customer-facing applications end up being discovered and further tested. This allows us to ‘even up’ the playing field between security testers and the technology teams.
Zac Sims, Security Engineer
By evolving to a public bug bounty program, SEEK gained a force multiplier of hackers, which increased the number of new findings, as the company’s targets were exposed to more hackers with an even bigger array of skill sets, perspectives and abilities.
With a public program, SEEK also increased awareness of its security maturity among its users. This demonstrates the company’s commitment to protecting digital assets and responding to known risks.
Over the course of both the private and public programs, SEEK has been able to maintain strong engagement across targets. Bugcrowd has enabled SEEK to identify “patterns” of vulnerabilities that no one else had. These patterns may only become visible over weeks or months and will typically appear in more than one system.
Identifying these patterns has allowed SEEK to establish secure defaults that prevent these classes of vulnerabilities across all of its applications and services. The SEEK security team reviews bug bounty submissions weekly, which allows them to identify further patterns and fix these issues before they recur. SEEK’s crowdsourced security testing coverage is wider than its normal testing processes, so it was able to get valuable findings from the older, less front-of-mind systems. For more information on SEEK’s bug bounty program, check out this blog post.