As a collaboration and dynamic work management platform, Smartsheet (NYSE:SMAR) is tasked with protecting some of its customers' most sensitive assets while also releasing new capabilities to drive innovation. With 90% of the Fortune 100 and companies in 190 countries trusting Smartsheet to keep their data secure, cybersecurity is core to the business. To produce secure software and continuously test new features, Smartsheet first enlisted the help of the security researcher community in 2016 with a formal bug bounty program.
In 2019, Smartsheet transitioned their bug bounty program to HackerOne to further scale security efforts across product development and extend the reach of their internal team. To mark their one-year anniversary with HackerOne, we sat down with Nolan Gibb, Information Security Engineer at Smartsheet, to discuss how bug bounties enable his team to scale and collaborate with software developers to create more secure products.
Q. How do security researchers fit into Smartsheet’s comprehensive security strategy?
A. Even with talented developers, security bugs are still possible (no one is perfect, after all). Running a bug bounty program means enlisting the help of the researcher community to quickly find and fix bugs in existing features and code.
Our bug bounty program allows our security engineers to work even smarter. We are able to use bug bounty report data to improve our detection processes and strengthen our overall security program.
Q. What does this anniversary milestone mean to you?
A. This anniversary represents the hard work of our developers, our security engineering team, the dedicated researchers in the community, and the HackerOne team. I am proud of the work done by everyone who is part of the program and the dedication shown by all involved.
Our security engineering team works hard to ensure that the researchers have a good experience with our program. We prioritize time every day to review the HackerOne activity feed and stay on top of program activity.
Q. Acquiring a company sometimes comes with its own set of security challenges. Can you share your experience merging two security teams and initiatives?
A. In May of 2019, Smartsheet acquired 10,000ft and its existing HackerOne bug bounty program. HackerOne made onboarding the second program easy, and our security team was able to quickly begin administration. Our security engineering team worked closely with 10,000ft developers to collaborate on new and existing reports as we transitioned.
Q. Were there any unexpected benefits since launching your program?
A. We are always delighted by the motivation of our researchers. Even after claiming a well-deserved bounty, they follow up on their submitted bugs to make sure they get resolved. The security researchers genuinely want to make the internet a safer place and aren’t just looking for a bounty.
One added benefit is that many HackerOne researchers are experts in various areas of security and are willing to share their knowledge with us. This gives us an inside look into how security researchers look at targets and search for vulnerabilities, effectively extending the reach of our security team across our application.
Q. Are there any participants in particular that have stood out to your team?
A. We have had the privilege of working with many talented researchers during our time with HackerOne, and Théo Cusnir (@4bg0p) is a great example of such talent. He is an asset to our program and is known for his high-quality submissions. Théo is one of our program's top performers. Thank you, Théo, for all your help!
Q. Can you share a bit about how your team measures success?
A. We primarily measure success through engagement with our researchers. Dedicating time and resources to responsive, honest communication with researchers is key to developing good relationships with the community. We try to establish realistic timelines for paying bounties and resolving valid submissions.
We believe that treating researchers well produces the best results. We are consistently working towards faster resolution times to show respect for the researchers and their time spent.
To learn more about the Smartsheet program and get hacking, visit https://hackerone.com/smartsheet.