Bug Bounty Program
I got an email the other day with the following subject line:
Critical Vulnerabilities Identified in Your Application
That SOUNDS like an alarming discovery, and if it were true it would be. But this is the stuff of a form letter that gets thrown around fairly regularly by self-described “security researchers” and “ethical hackers”.
I shouldn’t even put those terms in scare-quotes: folks who find genuine security holes and practice responsible disclosure to get them resolved are doing a great service! And they deserve to be rewarded.
The email continues:
Hello,
I hope you’re well.
I have identified security weaknesses in your application that may pose risks to user data security and operational stability. It is crucial to address these vulnerabilities promptly to mitigate any potential impacts. Could you please provide a suitable contact point so that I can share detailed findings with your team for immediate attention and resolution?
If your organization has a Bug Bounty program, please share the necessary information for participation. If not, I am committed to collaborating with you to enhance your application’s security posture.
Thank you for your prompt attention to this matter. I look forward to your response.
Best regards,
[name redacted]
Sounds good! I appreciate the thoughtful intentionality here.
But here’s where the “genuine” part of “genuine security holes” often breaks down. This is a form letter, with no mention of any specific issue. In my experience, in every single instance these have turned out to be concerns over best practices without any evidence of an exploitable vulnerability. MAYBE my new security friend was just withholding those details until connected with a suitable contact, but I wasn’t holding my breath.
Still, as a responsible steward of everyone’s data in CoachAccountable land, I do indeed owe it to everyone to make sure I’m staying on top of things and ensuring the security of that data.
This time, instead of responding in the usual way to ask for further details (and likely wasting time entertaining the non-impactful nit-pickery of someone who doesn’t necessarily know that this isn’t amateur night), I figured:
You know what? It’s time CA had a Bug Bounty program.
Let me do this concerned party (and all others to follow) one better by creating a bug bounty program that lays out real cash rewards for genuine issues that may be discovered, making it clear once and for all what counts and for how much.
It now lives here:
https://www.coachaccountable.com/bugBounty
Here are the rewards:
The Bug Bounty program also makes clear a long list of non-meaningful reports that are out of scope. As I explain there:
This is a long list. It reflects common “vulnerability” reports that either depend on the unsafe/insecure behaviors of other users (which we cannot control) or are merely ostensible “best practices”, the violation of which cannot actually be meaningfully exploited.
It’s nice to have that in place! I figure I’ve already done the hard work of securing CA to the point that I’m truly willing to back up that claim of security with real dollars, therefore only good can come of standing by that claim publicly, and inviting whomever to show me otherwise.
With that up and published, I was able to respond thusly:
Hi [name redacted],
I’m well, thanks!
You can find the details of our Bug Bounty program here:
Cheers,
John
Nine days later, I haven’t heard back. It must not have been that important.
But I will be very happy to learn of any genuine issues that anyone is able to find, and pay out accordingly. :)