What happens when the very thing your company offers gets put to a surprise test? That's what happened to HackerOne last Friday when we shipped an unknown vulnerability that could have affected many of our customers. The good news is that we discovered and fixed the bug in less than three days from deploying it, a new HackerOne speed record from (unknowingly) shipping an issue to fixing it. However, if we hadn't had a mature vulnerability disclosure and handling process, this could have been found and used maliciously. As a company that believes in transparency toward our customers and community, we've chosen to share our story with you here.
Last Friday, we released code that updated the authorization check for a program team member to update comments posted to a vulnerability report. Over the weekend, Rohk found a flaw in this newly released code. When a program posted an automated response to a report, the hacker was able to update the message on behalf of the program team. Rohk filed the report on Monday morning PDT. After a quick exchange, we were able to validate the submission. A couple of hours later, we released a fix and awarded a cool $1,000 for the bug!
HackerOne releases new code several times per day. To keep our hackers, customers and data as secure as possible, we run our own bug bounty program, incentivizing hackers with rewards for bugs they submit and we fix. As software and security professionals, we firmly believe that shipping vulnerabilities is inevitable, despite any best intention or counter measure. Simply put, it's axiomatic that all software teams will ship vulnerabilities. Accepting this reality, we offset this risk by putting as many hacker eyes on our deployed code as possible, making it easy to report issues to us and being as responsive as possible.
You might wonder what measures we take to reduce introducing vulnerabilities in the first place. The answer is many. In addition to our bug bounty program, we perform regular internal testing, run red team exercises, implement significant automation, execute code reviews, and more, all with the goal of writing more secure code. An important exception is running penetration tests with outside teams. Because we ship new code on a nearly continuous basis, external penetration testing would, by definition, always lag behind our code base, not to mention how expensive running a few of these quickly becomes.
This experience reinforced our belief that there is no better way to quickly discover vulnerabilities in released code than by working with the hacker community. And despite the fact that we explain, endorse and enable this kind of security practice on a daily basis to any and all companies, we were sincerely impressed by how powerful and effective it is to have amazing hackers continuously looking at our systems for us. They help us protect our customers like no other. Personally, as a HackerOne co-founder, I was reminded how inspiring I find our mission to enable any company in the world to benefit from this approach, helping create a safer Internet.
At HackerOne, we take securing customer information very seriously. Our significant investment in a public bug bounty program not only demonstrates our commitment, but also enables us to effectively defend our customer data. We've chosen to publicly disclose this report immediately, as we do with all resolved reports, and encourage anyone to read it.
Most importantly, on behalf of the HackerOne security and development team, I want to extend a big thanks to Rohk for finding and sharing this issue. You rock!
And to all hackers out there, hack on!
- Jobert Abma
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.