johnk

Grammarly’s Bug Bounty Program Goes Public: Q&A with VP of Engineering Joe Xavier

Grammarly’s Bug Bounty Program Goes Public: Q&A with VP of Engineering Joe Xavier

It’s been over a year since Grammarly launched its first bug bounty program on HackerOne. It’s been a private, invite-only program ever since. That is, until today! The AI-powered writing assistant with over 15 million global users considers security an essential part of its product offering and a number-one priority for the company. That’s why Grammarly is opening its bug bounty program to the entire world. We sat down with the company’s VP of Engineering Joe Xavier to learn more about how the bug bounty program fits into the team’s overall security strategy, what it’s like working with hackers, and any advice for other organizations considering the bug bounty model. Here’s a glimpse of the conversation.

Q: Why did Grammarly decide to start a bug bounty program in the first place? What have been some results of your private program to date?
A:
As a consumer company delivering an AI-powered writing assistant used by millions of people worldwide, the safety of our users’ data is our number-one priority. In fact, we see security as the most critical feature of our product. We don’t take for granted the trust our users place in us to keep their information safe. 

At Grammarly, we have a strong internal focus on security, but we know we can benefit further from the expertise that the security researcher community can bring through this program.

We’ve seen success in our private program, which has nearly 1,500 participants and more than 80 hackers in the Grammarly’s Hall Of Fame. We’re now ready to expand to a public program and welcome many more thousands of security researchers into the program. 

Q: Why is the program going public now?
A:
The public bug bounty program is a component of Grammarly’s enhanced security strategy, following the success of our private, invite-only program. Our approach was to continually expand the number of researchers who are working on our interfaces, allowing us to respond quickly and broaden our focus. We’ve now hit a steady state and are enthusiastic about having the wider security researcher community contribute to tackling more possible vulnerabilities.

Q: How has and will the bug bounty program impact Grammarly’s larger cybersecurity strategy?
A:
More than 15 million users rely on Grammarly every day to make their written communication clear and effective wherever they type — and they deserve to know that their data is as safe and secure as possible. By helping us uncover and mitigate yet-unknown security threats, hackers help us make this possible.

Our HackerOne bug bounty program is one part of our enhanced security strategy. It helps us identify systemic issues, which we can then work to resolve. This can mean anything from taking a different approach to building our technology to having more robust review processes. Our security strategy also includes periodic penetration tests, actively growing our internal security team, and increasing our awareness about security best practices.

Q: What has been one of your favorite hacker interactions to-date?
A:
It’s got to be working with Vladimir Metnew — he was the most active hacker in our private bug bounty program, and he recently became a consultant to the company. Vladimir demonstrated exceptional skills in combining and chaining vulnerabilities into a complex and potentially harmful attack vector. We also enjoyed the exceptional quality and level of detail in his reports.

Q: What advice would you give other organizations about starting a bug bounty program?
A:
First and foremost: Do it! Especially if you have a consumer-facing product with a big reach. But some words of advice:

  1. It has to be a real priority — your engineering team needs to be ready to respond quickly. When you set priorities, you need to have clear expectations within your engineering team about timeliness, responsiveness, and who triages the bugs.
  2. Open the program up gradually to allow your team to scale and adapt. For example, start with a private program, as we did.
  3. Pay attention to your triaging to make it more effective. Over time you’ll get better at identifying duplicates, and the difference between low-, medium-, and high-severity threats.
  4. Identify an engineer who has a broad understanding of your stack to be consistently part of the program, so they can identify systematic issues and drive efforts to fix root causes, as opposed to merely fixing isolated issues.

Q: Here’s your chance — what do you have to say to the hacker community (those that have hacked on Grammarly and those that haven’t)?
A:
We truly appreciate the work you do. Our product helps millions of people communicate more effectively, and you’re helping keep that data secure; you’re making every gateway to that data more secure. We invite every ethical hacker who believes in Grammarly’s mission to help us identify vulnerabilities so we can fix them before they fall prey to a malicious actor. We’re also open to partnering in a more official capacity.

Q: Last question. What’s next?
A:
We’re not just checking the box on security — it remains our number-one priority. Enhancing our security team inside the company is a critical pillar of our strategy. That’s why we’re looking to grow our team and continuing to bring in domain expertise to protect the data of the millions of people who use Grammarly to improve their written communication.


If you’re interested in learning more about Grammarly’s program or want to get hacking, check out the Grammarly program page at https://hackerone.com/grammarly.


HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.

The 7th Annual Hacker-Powered Security Report

Hacker-Powered Security Report