Frontify’s bug bounty program: How hackers make us safer
It's time to bug off: In early September, we launched our first bug bounty program on Bugcrowd. Find out how ethical hackers help our InfoSec & IT teams find vulnerabilities to protect brand builders against cyberattacks.
At Frontify, we know about the importance of information security and have tried-and-true mechanisms and policies in place to protect assets, data, and customers. However, the more we rely on the digital world, the more we invite vulnerabilities into our environment: Security measures that worked yesterday might introduce weaknesses today. To provide the best and most secure platform to help brands thrive, we need to be one step ahead of ever-evolving cyber threats.
Penetration tests versus bug bounties Our developer team has grown dramatically in the last two years — and so has our product. We asked ourselves if classic penetration tests still do us justice. In our case, one to two testers performed a test for about five days and generated a report. The problem with this process was, and still is, that with such a small team, we only got one or two sets of skills at a time. Another aspect that’s even more important: After the test, the application could already have new vulnerabilities.
If classic pen tests are not providing enough relevant results, what’s a more efficient solution? Get an internal pen tester? Do even more pen tests with different companies? We concluded that none of these solutions use our resources effectively, so we looked into a different approach: a bug bounty.
A bug bounty is a monetary reward given to ethical hackers for successfully discovering and reporting a vulnerability or bug to the application's developer. Bug bounty programs allow companies to leverage the skills of the hacker community to continuously improve their systems’ security posture. Providing tens of thousands of highly skilled security researchers with access to our platform so that they can “snoop around” was exactly what we needed.
After various conversations and demonstrations with different programs, we decided that Bugcrowd would work best for our needs, technical setup, and budget. To gain some experience, we started with a private program and narrowed the scope for the launch to the web application and the API. Our goal is to have the entire Frontify ecosystem in scope by Q1 2023.
Advancing a secure brand evolution The first results of the bug bounty are impressive: Within the first month, we invited over 30 testers to our program, and they found vulnerabilities that had been in the system for a while and that none of the over 20 classic penetration tests could locate. The bounties we currently pay are determined by the severity level and vary from $150 to $3000.
Just as brands evolve, information security must also be in a constant state of evolution and improvement. We’re thrilled to have taken this step and look forward to making the bug bounty program public at some point: That way, everyone who is interested in Frontify and our security processes can perform their own tests on the platform.