It may sound counter-intuitive, but unleashing hackers on our products has made them more secure than ever. Here’s why.
If it’s on the internet, someone will eventually find a vulnerability in it. The question is: Will it be a “good guy” who finds it, or a bad one?
Enter bug bounty programs, which aim to ensure it’s the former and not the latter. Bug bounties incentivize so-called “ethical hackers” (also called “white-hat hackers”) to find and report vulnerabilities in exchange for a reward. That way you can patch up the flaw before anyone with malicious intent finds it and exploits it.
Cybercrime is arguably one of the biggest challenges facing businesses today. Two-thirds of some 1,500 IT executives surveyed by the Center for Strategic and International Studies (CSIS) and McAfee reported experiencing a cyber incident in 2019. Businesses are spending heavily to defend themselves in response, with worldwide outlays reaching $145 billion in 2020.
Bug bounties are a lot cheaper than a hostile hack
According to CSIS and McAfee, cyber incidents cost the global economy nearly $1 trillion in 2020 alone—nearly double the toll just two years prior. Those costs play out not just in the form of cleanup operations, but in indirect ways like lost time and productivity, reputational damage, and system downtime (18 hours on average per incident). All told, cyber attacks are expensive—so businesses (including ours) want to avoid them at all costs.
Turns out it’s much cheaper to proactively find vulnerabilities by paying bounties to white-hat hackers than it is to fall victim to cybercrime. The bounties themselves vary according to the severity of the vulnerability uncovered. In our case, bounties range from $100 for smaller bugs (e.g., cross-site scripting) to $1,500 for larger ones (e.g., remote code execution).
We follow Bugcrowd’s vulnerability ratings to assess severity. We like the sliding scale of payouts because it encourages hackers to find the most critical flaws first. That way, hackers’ earnings are tied to the size and severity of the risk they mitigate for us.
Donning our white hat with Atlassian’s Bug Bounty program
We joined a bug bounty program in early 2020 following an invitation from Atlassian to trial it with their partner Bugcrowd. We were eager to join, and the results turned out to be exactly what we hoped for: We quickly found that ethical hackers were extremely creative and resourceful in finding ways to exploit our product.
Since we launched the program, hackers have found vulnerabilities ranging from cross-site scripting to cross-site request forgery.
The hackers also pushed our cloud environment to its limits, testing our resilience against events like DoS attacks. This led us to increase our investment in areas related to reliability, runtime and scalability to ensure that our products meet customers’ high expectations and the 99.9% uptime required of Atlassian’s Cloud Fortified designation.
Nowadays, a bug bounty program is a requirement to be eligible for the Cloud Fortified badge, and that invite-only trial we participated in back in 2020 has morphed into Atlassian’s Marketplace Security Bug Bounty Program. All of Refined’s cloud apps meet the requirements for both.
Atlassian’s Bug Bounty Program
Atlassian’s Marketplace Security Bug Bounty Program requires participants to:
- Agree to join Atlassian’s bounty program in Bugcrowd
- Pay out bounties according to a five-tier severity scale, ranging from $100 to $1,500
- Respond to vulnerabilities within Atlassian’s security SLAs
- Accept or reject reports from Bugcrowd no more than two weeks after they’re filed
Hack for us via Bugcrowd
Fewer vulnerabilities in our cloud products, better infrastructure, and increased awareness around security among the members of our development team are just a few of the benefits we’ve seen from joining Atlassian’s bug bounty program.
Our bug bounty program is currently private. If you want in, please send an email to firstname.lastname@example.org including your Bugcrowd user name and we’ll add you to our roster of eligible hackers.
Janette Hagerlund is Refined’s Chief Operating Officer and heads up cloud security initiatives company-wide.