Just five years ago, leading rideshare, food delivery, and payments company Grab became one of the first companies in Southeast Asia to implement a hacker-powered security program. Though it started as a private program, Grab launched its public bug bounty program in 2017. In just three years Grab became one of the Top 20 bug bounty programs on HackerOne worldwide, resolving nearly 450 valid vulnerabilities thanks to the efforts of over 200 ethical hackers.
To celebrate, Grab’s security team published a blog post highlighting their journey from private to public bug bounty program. Here are some learnings as described by Grab’s Security Team:
- Response Time: No researcher wants to work with a bug bounty team that doesn't respect the time they invest into the program. We initially didn't have a formal process around response times because we wanted to encourage all security engineers to pick up reports. But since we knew which processes worked for us in this area, we are able to consistently deliver a first response to reports in a matter of hours, which is significantly lower than the top 20 bug bounty programs running on HackerOne.
- Time to Bounty: In most bug bounty programs, the payout for a bug is made in one of the following ways: full payment after the bug has been resolved, full payment after the bug has been triaged, or paying a portion of the bounty after triage and the remaining after resolution. We opt to pay the full bounty after triage. While we're always working to speed up resolution times, that timeline is in our hands, not the researcher's. Instead of making them wait, we pay them as soon as impact is determined to incentivize long-term engagement in the program. Our average time to bounty is 5 days, which makes our program one of the fastest among the top 20 bug bounty programs on HackerOne.
- Noise Reduction: With HackerOne Triage and Human-Augmented Signal, we're able to focus our team's efforts on resolving unique, valid vulnerabilities. Human-Augmented Signal flags any reports that are likely false positives, and Triage provides a validation layer between our security team and the report inbox. Collaboration with the HackerOne Triage team has been fantastic and ultimately allows us to be more efficient by focusing our energy on valid, actionable reports.
- Team Coverage: We’ve introduced a team scheduling process. Each week, we assign a security engineer to review and respond to bug bounty reports. We have integrated our systems with HackerOne’s API and PagerDuty to ensure alerts are for valid reports and verified as much as possible.
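The "Team Coverage" item describes a pipeline: HackerOne's API feeds report data into on-call alerting (PagerDuty), with a filter so that only validated reports page the engineer of the week. The following is an added example of that shape, not Grab's or HackerOne's own code. It assumes HackerOne's REST API v1 report listing (`GET https://api.hackerone.com/v1/reports`, HTTP Basic auth with an API identifier and token, a JSON body with a `data` array of report objects carrying `attributes.state` and `attributes.title`) and PagerDuty's Events API v2 (`POST https://events.pagerduty.com/v2/enqueue`). The placement of the severity rating under `relationships.severity` is an assumption, and the sample reports are constructed.

```python
"""Route validated HackerOne reports to the on-call engineer via PagerDuty.

Added example, not Grab's or HackerOne's own code. Assumes the HackerOne
REST API v1 reports listing and the PagerDuty Events API v2 (see lead-in).
The sample reports below are constructed; the severity rating's location in
the report JSON is an assumption.
"""
import base64
import json
import urllib.request

# Only page on reports a human has already validated. "new" reports are
# unverified noise and should stay in the HackerOne inbox for triage.
ALERTABLE_STATES = {"triaged"}

# HackerOne severity rating -> PagerDuty Events v2 severity value.
PD_SEVERITY = {"critical": "critical", "high": "error", "medium": "warning", "low": "info"}

# Constructed sample of the shape returned under "data" by the v1 reports API.
SAMPLE_REPORTS = [
    {"id": "1001", "type": "report",
     "attributes": {"title": "Stored XSS in profile name", "state": "triaged",
                    "created_at": "2020-07-01T08:00:00.000Z"},
     "relationships": {"severity": {"data": {"attributes": {"rating": "high"}}}}},
    {"id": "1002", "type": "report",
     "attributes": {"title": "Clickjacking on marketing page", "state": "new",
                    "created_at": "2020-07-01T09:00:00.000Z"}},
    {"id": "1003", "type": "report",
     "attributes": {"title": "IDOR exposes order history", "state": "triaged",
                    "created_at": "2020-07-01T10:00:00.000Z"},
     "relationships": {"severity": {"data": {"attributes": {"rating": "critical"}}}}},
]


def select_alertable(reports):
    """Return only the reports whose state shows the finding has been validated."""
    return [r for r in reports if r.get("attributes", {}).get("state") in ALERTABLE_STATES]


def severity_rating(report):
    """Read the severity rating out of a report object (assumed layout), default 'low'."""
    sev = report.get("relationships", {}).get("severity", {}).get("data", {})
    return sev.get("attributes", {}).get("rating", "low")


def to_pagerduty_event(report, routing_key, program="grab"):
    """Build a PagerDuty Events v2 'trigger' payload for one report.

    dedup_key is derived from the report id, so re-polling the same report
    re-triggers the existing incident rather than paging the engineer again.
    """
    attrs = report["attributes"]
    rating = severity_rating(report)
    return {
        "routing_key": routing_key,
        "event_action": "trigger",
        "dedup_key": f"hackerone-{program}-report-{report['id']}",
        "payload": {
            "summary": f"[{rating}] H1 #{report['id']}: {attrs.get('title', '(untitled)')}",
            "source": f"hackerone/{program}",
            "severity": PD_SEVERITY.get(rating, "info"),
            "custom_details": {
                "state": attrs.get("state"),
                "created_at": attrs.get("created_at"),
                "url": f"https://hackerone.com/reports/{report['id']}",
            },
        },
    }


def fetch_reports(program, api_identifier, api_token):
    """Fetch triaged reports for a program from HackerOne (network call)."""
    url = f"https://api.hackerone.com/v1/reports?filter[program][]={program}&filter[state][]=triaged"
    creds = base64.b64encode(f"{api_identifier}:{api_token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Accept": "application/json",
                                               "Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]


def send_event(event):
    """POST one event to the PagerDuty Events API v2 (network call)."""
    body = json.dumps(event).encode()
    req = urllib.request.Request("https://events.pagerduty.com/v2/enqueue", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def dispatch(reports, routing_key, send=send_event):
    """Filter reports and page on each validated one; returns the dedup keys sent."""
    sent = []
    for report in select_alertable(reports):
        event = to_pagerduty_event(report, routing_key)
        send(event)
        sent.append(event["dedup_key"])
    return sent


if __name__ == "__main__":
    # Offline demo: print the events instead of calling PagerDuty.
    keys = dispatch(SAMPLE_REPORTS, "ROUTING_KEY_PLACEHOLDER",
                    send=lambda e: print(json.dumps(e, indent=2)))
    print("paged on:", keys)
```

The filter on `state` is the point of the "verified as much as possible" clause: the on-call engineer is paged only for reports HackerOne Triage has already marked valid, and the dedup key keeps a report that is still open across several polls from producing a fresh incident each time.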
Grab realized early on that ethical hackers could have a tremendous impact on the security of their technology. By first establishing a private bug bounty program and then transitioning to a public program, they were able to ‘crawl, walk, run’ and scale security efforts at their own pace. They saw that ethical hackers bring non-stop testing far beyond what any internal security team could accomplish alone, and that this blanket of coverage extends downstream into engineering and development, adding another “guardrail” to the software development lifecycle.
Grab’s bug bounty program has helped the team prioritize fixing the most impactful vulnerabilities and minimize the window of opportunity for malicious attacks. By integrating the data from the bug bounty program into their development workflows, Grab has been able to identify, prioritize, and respond to threats in real time while creating more secure products.
If you want to learn more about Grab’s bug bounty program or want to submit a vulnerability report, visit https://hackerone.com/grab.
For more information about getting started in bug bounty programs, check out The Beginner’s Guide to Bug Bounty Programs.