Reddit's Bug Bounty Program Kicks Off: Q&A with Reddit's Allison Miller and Spencer Koch, and Top Program Hacker @RENEKROKA
We sat down with Reddit’s CISO and VP of Trust Allison Miller, resident Security Wizard Spencer Koch, and Reddit’s top hacker Rene Kroka to learn more. Read on to discover the secrets to Reddit’s bug bounty success, explore their goals and key results, delve into how they use hackers to scale security across software development, and gain a unique perspective about what it’s like to hack one of the world’s leading social networks.
Q: Tell us who you are.
Hi, I’m Allison Miller, I lead the teams that protect Reddit and Reddit users. I’m still fairly new but I’m excited about the work we are planning to do with our community to make Reddit better - and a bug bounty program is a natural extension of that commitment - in this case with researchers who can help us find security flaws we might have missed.
And I’m Spencer Koch, Reddit’s Security Wizard, heading up our application security team; I have been with the company for a year and a half. I oversee Reddit’s bug bounty program and work closely with our security researchers and developers to protect the integrity of the platform and keep security bugs out. Previously, I was the NA CISO and global offensive security director for a global energy company and a security consultant prior to that.
Q: Tell us a bit about Reddit and why cybersecurity is so important to your business.
Allison: Reddit is a network of communities where people can find different experiences built around their interests, hobbies, and passions. Whether you’re asking a question about space in r/AskScience or scrolling through cute animal pictures in r/aww, there’s a community for everyone on Reddit.
We also do not require you to share your email or name when creating an account, so the pseudonymity of the platform allows people to have authentic and candid discussions without needing to reveal their “real world” identity. (Of course, as the cyber nerd in chief, I would really love for you to add and confirm your email account and sign up for two-factor authentication, so we can help you keep your account secure.) User privacy is a deeply embedded value at Reddit and is very important to our users as well. As our platform continues to scale and grow, our priority is to ensure that users and communities continue to have a safe and secure experience on Reddit.
Q: Tell us how your hacker-powered security program has evolved over time.
Spencer: Reddit has always leveraged the community to help find and fix bugs in the platform, and funny enough, that’s how we’ve found several of our engineers to help improve platform security over the years. The evolution of our Security team really started back in 2018 when we formalized our private bug bounty program. As our platform has grown in size, relevance, and feature set, we’ve also scaled the program alongside it by expanding its scope, improving our bounty payouts, and supporting security researchers with context and insight into how Reddit works.
Q: What made you decide to launch a public program? Why now?
Spencer: It’s the natural evolution of things. Taking the program public has been a goal of mine since I joined Reddit, and with the continued growth of our engineering headcount and applicable scope, we needed to open up the program to get enough researchers to cover all of Reddit, and also to not miss out on the unique skill sets that each researcher brings to the table.
Q: What’s most exciting about hacker-powered security to your team?
Allison: Everyone at Reddit plays an important role, and that’s what is awesome about Reddit: we have built a culture that’s aware and appreciative of security, and we empower our developers to make smart decisions regarding security topics. There are never enough security engineers to go around, and so leveraging the smarts of independent security researchers frees up engineering cycles for other work, since we have that additional external help on testing. Hacker-power helps us find meaningful bugs across the spectrum, from old-fashioned security vulnerabilities like XSS to business logic issues with Reddit’s authorization systems, to finding conflicting or confusing documentation around our APIs and site features.
Q: How have hackers helped you? Any surprising outcomes so far?
Spencer: Reddit has been around for more than 15 years and there’s a lot of cruft that’s built up over that time. I remember that in my first few weeks at Reddit we had some submissions around a product feature, Reddit Live, that I’d never even heard of. Just last month we had a submission on a long-deleted Chrome browser extension that had three-year-old code in an S3 bucket with an XSS vulnerability in it. So with the extra eyes from our bug bounty program, we’re able to find things that may have gone unnoticed.
Q: When a hacker finds a bug, what happens next? How do you leverage findings?
Spencer: We’re very much a ChatOps shop, so our application security team receives a notification when a new report has been filed. We’ll do an initial triage to gauge its severity; otherwise, we’ll let HackerOne’s Triage do the initial screening, reproduction info gathering, and sanity check before one of our senior security engineers starts the hunt. Our security team is heavily embedded with our engineering teams, so we’re perusing code to find the root cause and proposing possible fixes for our engineering counterparts as part of our “Bug Squashers” process. Enriching our tickets with this data means our tickets are higher quality, and easily reproducible and consumable by our devs, so we all can get to fixing faster.
Allison: The team at Reddit feels pretty confident that we know where our weaknesses are because we can see that the types of vulnerabilities that are coming in from researchers are consistently of a few class types: XSS, business logic, and cloud misconfiguration. Thanks to the confirmation of this trend from the security researchers, we’ve been building better guardrails for developers and investing in early detection capabilities to help catch these types of bugs before they hit production.
Q: How do hackers help you spot vulnerability trends across your attack surface?
Spencer: Normally it’s the other way around: a hacker will find a class of bug, which will prompt us to take a step back and evaluate how we can better defend against that class of vulnerability at scale. If we’ve got IDOR on an API endpoint, we step back and ask questions like “Are we elevating authorization logic enough so that we capture all the scenarios?” We’re lucky that we’ve got a great framework that almost all our services are based on that provides a hardened baseplate. So when we do find something, we always reassess how we can do better to provide guardrails or guidance to our devs to not repeat that mistake in the future.
Q: How do hackers help you when bringing new products or software to market?
Allison: Our security team is already embedded into feature launches at several key points in the SDLC, and we work closely with our various engineering departments. Now, the final phase for a feature rollout is to make sure we add this new feature into the bug bounty scope and provide details on how to test it or where to find it. A great example of this: when we were alpha testing a new Reddit embed feature, we notified our researchers about it and we got feedback that deleted posts were getting rendered due to some bad logic, which resulted in reality not matching design. Through hacker-power, we were able to catch this early, before general availability, where it would have become a larger issue.
Q: What advice would you give to CISOs planning to start a bug bounty program?
Allison: Assuming you’ve done some upfront due diligence, having a bug bounty program shouldn’t be scary. You can have all the automation in the world, but sometimes just having different sets of eyes with different techniques and mannerisms helps identify things that might have otherwise gone undetected by your team. It’s not as if not having a bug bounty program makes your organization’s security bugs go away; this just incentivizes people to report them. I wouldn’t recommend starting a bug bounty program if you don’t have a good funnel into development teams to get findings resolved, but we’ve often been pleased with the quality of the reports and value brought to our bug reporting process. Compared to user bug reports into r/bugs, which are often full of bug pictures, bug bounty program reports are of such high fidelity that our dev teams can quickly get to fixing, and trust the security team’s recommendations.
Q: What advice would you give to program leads just starting a bug bounty program?
Spencer: Take it slow, be kind and remember the human. We share the context and happenings of our code with researchers so that they’re more compelled to work alongside us in making the platform and world a better place; we want them to feel appreciated as well. We started from a very small private bounty program and have slowly grown the program and bounties to where they are today, so my advice is to get a rough sense of what your attack surface is, how frequently you’ll be finding issues and paying out, and just slowly grow. If it gets too quiet, then pull a lever: increase program scope, increase participating hackers, or increase bounties. As often as we’re shipping new code and features, there’s no reason we should rest on our laurels - there’s always something to find and improvements to be made.
Q: What will long-term success look like for hacker-powered security at Reddit?
Allison: We’ve had great success thus far, and in the future, we want to better outline Reddit’s assets and ramp up researchers who are just showing up to Reddit’s program with an understanding of the breadth and depth of the product. We’re experimenting with other HackerOne product offerings as a means to get targeted testing for new features that launch. Ultimately, we want a program that keeps our engineers happy, the researchers happy, and reduces the overall risk of security incidents.
Q: Anything else you’d like to share with us?
Spencer: We appreciate the researchers who’ve been with us for the last two years, and look forward to working with new folks in the future. We’re also hiring and growing out the team, and there’s a lot of work to be done in the future. It’s a really exciting time at Reddit and to be part of our Security team.
A few thoughts from Reddit’s top hacker @renekroka
Q: Tell us who you are!
A: Hi! My name is René Kroka (h1 handle @renekroka, twitter @rene_kroka), I’m from the Czech Republic, 20 years old, currently doing Bug Bounty as both a hobby and learning experience.
Q: How long have you been hacking/in the cybersecurity industry?
A: 3-4 years now, but I seriously started learning hacking when I discovered HackerOne’s platform and bounty programs.
Q: How long have you been hacking on Reddit?
A: On and off for about two years. It’s been very fun and rewarding to hack on the Reddit program.
Q: Why do you continue to hack on Reddit?
A: Mostly because of a fast, responsive and friendly Reddit team combined with high bounties :)
Q: Without giving away scope that’s not public, how do you approach the target?
A: Speaking as someone who knows Reddit’s scope very well, I usually revisit interesting endpoints and try to figure out new attack vectors. Or, I check Reddit’s changelog for what got updated or introduced and look into that. Sometimes I spend hours trying to find new bugs without success, but then later (days, weeks, or even months), I revisit with a new approach and find new interesting bugs. Generally, the only tool I use is Burp Suite.
Q: What do you enjoy about hacking on Reddit? What keeps you motivated?
A: I really like Reddit’s scope. There are a lot of functionalities where I can dig deep and find interesting stuff. Reddit is a huge network, so securing it from potential malicious attacks is my motivation.