It’s the largest online photo management and sharing application in the world, so chances are you may have heard of it. Flickr has been running a bug bounty program for years as part of Yahoo’s program before it was purchased in April 2018 by SmugMug. As of November 2018, Flickr has been running its first independent bug bounty program, maintaining an average resolution time of just 4 days in the first month. We sat down with Flickr Senior Engineering Manager Alex Seville to learn more about his team’s commitment to working with the hacker community, how it fits into Flickr’s larger cybersecurity strategy, and what’s to come.
Q: Why did Flickr decide to start a bug bounty program? What led Flickr to where it is now from a security perspective?
A: If our users are going to entrust their personal photos to us, then we owe it to them to go above and beyond to protect their privacy and security. It’s for this reason that Flickr has been a part of the Yahoo Bug Bounty for years, and when we moved to SmugMug we wanted to continue our relationship with HackerOne and the hackers who have been so helpful to us over the years.
Q: How has and will the bug bounty program impact Flickr or SmugMug’s larger cybersecurity strategy?
A: Bug bounty is a crucial element to our larger strategy. While we train and encourage our teams to think about security as being paramount, when things slip through the cracks we’re glad we have bug bounty hackers researching the site and keeping our users safe.
We’re amazed at some of the reports we’ve received in the past. There are some seriously clever people using HackerOne, and so far we’re very happy to have been made aware of some issues before they were exploited by bad actors.
Q: What are you looking forward to regarding the bug bounty program? What are your hopes, goals, etc. when it comes to the program?
A: Our hope is to develop good working relationships with hackers in our program and, through them, have confidence that our product is safe and secure for our users. As we launch new features, we’re excited to see bug bounty hackers examine them and help us deliver the most secure, reliable product.
Q: Last question. What’s next?
A: We hope the Flickr program can help you grow as a security researcher, and that we can work together to patch all the areas of security weakness in our product. Flickr has an exciting year ahead, and we can’t wait for bug bounty hackers to research our new login systems.
Check out their program and get hacking at https://hackerone.com/flickr.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.