Why We’re Paying You to Hack Us
Every organization faces security vulnerabilities.
Bug bounty programs let ambitious, ethical hackers turn security bugs and flaws into cash. Our program with HackerOne does exactly that, crowdsourcing the discovery and reporting of LaunchDarkly security vulnerabilities in exchange for compensation. The goal is to help fix security problems before they are found and used by attackers with more nefarious aims.
LaunchDarkly’s Director of Security, Alex Smolen, has been helping run bug bounty programs for years. These days, he says, it’s easier than ever to set one up using a service like HackerOne, which takes the hassle out of communicating your program rules, coordinating with researchers, and issuing payouts. In fact, HackerOne even offers a triage service so LaunchDarkly only receives reports that have been independently validated.
LaunchDarkly’s Director of Security, Alex Smolen
Smolen says he expects to keep the LaunchDarkly bug bounty program running indefinitely, while raising payouts as security improves and flaws become harder to find. We asked Smolen some other questions about the bug bounty program, which you can read below.
LaunchDarkly: What made the security team decide on a public bug bounty program in the first place, as opposed to just trying to discover and handle all vulnerabilities in-house?
Alex Smolen: When you build a complex software service like the LaunchDarkly feature management platform, you can’t just scan for known vulnerabilities and call it a day. You need skilled testers to find novel and difficult-to-exploit bugs. By operating a bug bounty, LaunchDarkly can tap into the pool of dedicated external security experts and harness the power of the crowd to give us visibility into our security posture. That frees up our team to fix these vulnerabilities and build tools to prevent them from being introduced in the first place.
LD: What are the benefits of this program and how does it help us achieve our security goals?
Alex: With security, knowing is half the battle. We can’t invest effectively in risk mitigation if we don’t understand where risk is being introduced. Our bug bounty ensures that someone is always looking for things we might otherwise miss. We can use it as a feedback loop to prevent similar problems in the future.
Bug bounties are also great for measuring security effectiveness. If you can raise the amount of money you pay per vulnerability while keeping a steady budget, it means vulnerabilities are harder to find. That lets you know you’re doing a better job securing your system.
LD: This program started out as a private project first, before going public. Can you talk about when the private program started and why you decided to go public?
Alex: If you go public with a bug bounty, you’ll get a lot of reports all at once. This can easily overwhelm a security team. We wanted to start with a set of trusted researchers and ramp up the numbers as we ironed out our processes. As soon as we felt like we had a handle on triaging and fixing our vulnerabilities reliably, we wanted to include as many researchers as possible to get the best visibility into any vulnerabilities that exist in our platform.
LD: Generally, what sorts of vulnerabilities should participating hackers in the public program be looking for? Any particular areas of focus or tips?
Alex: I’ve found that “business logic”-type vulnerabilities—related to an unexpected order of operations or broken access control—tend to be the most impactful. We feel relatively buttoned up when it comes to the standard input validation and system configuration problems. That’s why we’ve invested in making sure that our hackers have access to all the features that we support in our plan. If people don’t have a good test environment, they’ll have to focus on shallow bugs, which don’t tend to be very meaningful for us.
LD: Any potential taunts you’d like to direct at hackers in our program to help get them fired up about discovering security flaws?
Alex: After several years in security, I know better than to make any claims about something being unhackable. I would say that we want to be a great partner to our hackers—setting them up with the access they need, reviewing their reports quickly and thoughtfully, and paying out big bounties commensurate with the effort and skill required to find security bugs. So, yeah, we dare you to hack us!
To learn more about LaunchDarkly’s commitment to ensuring your data is safe, check out our Security page.