HackerOne

How REI Strengthens Security with HackerOne’s Global Security Researcher Community

REI x HackerOne

Isaiah Grigsby, senior application security engineer at outdoor equipment retailer REI, spoke with us about the success of REI’s bug bounty program (BBP) and vulnerability disclosure program (VDP), their evolving cybersecurity goals, and the value of HackerOne’s security researcher community (aka ethical hackers). Read this interview to learn how REI continually builds customer trust and a world-class security program through human-powered security testing.

Q: Please introduce yourself. Tell us what you do at REI and why cybersecurity is important to REI.

A: I'm Isaiah Grigsby, a senior application security engineer. I lead our vulnerability disclosure and bug bounty programs, oversee our security tools in our CI/CD pipelines, and provide training for our developers. Cybersecurity is vital to REI because it protects customers' data and ensures a safe, reliable experience. By prioritizing security, we build trust with our community and uphold the values that define our brand. It’s about creating a secure environment where our customers can confidently engage with us.

Q: What were your primary goals when REI launched your bug bounty program? And how have they evolved?

A: When we launched our bug bounty program, our primary goal was to enhance our application security strategy. We initially started with a private bug bounty program to establish a foundation for security testing. After a few months of having a successful private bug bounty program, we transitioned to a public vulnerability disclosure program, which allows us to receive and manage vulnerability reports from third-party researchers. As our program has evolved, we've also introduced a public bug bounty program, enabling us to leverage the diverse skills of a global community. This progression has been instrumental in maturing our application security efforts and building a world-class security program.

Q: Why did REI choose HackerOne to manage its program?

A: We chose HackerOne to manage our program because we wanted a trusted platform to enhance our security efforts. Key factors were HackerOne’s strong reputation and expertise in connecting us with a diverse community of ethical hackers.

Q: How has HackerOne's global community of security researchers expanded your security testing capabilities?

A: HackerOne’s global community of ethical hackers has broadened our security testing capabilities. We connect with a diverse group of hackers, each bringing their specialties and strengths to the table. This diversity is an essential asset because there’s no one-size-fits-all approach. Some focus on specific attacks, while others excel at identifying a wide range of vulnerabilities across our assets. This variety helps us uncover potential security gaps that we might overlook otherwise. What truly sets the HackerOne community apart is their collaborative spirit and commitment to ethical hacking. They genuinely want to help organizations like ours strengthen our security, and that’s invaluable.

Q: Have you had any memorable interactions with hackers to date? Favorite bugs?

A: I can’t pick just one favorite interaction because I’m always fascinated by the skills and time hackers invest in learning our systems. One memorable moment was when a hacker compiled an impressive proof of concept for a vulnerability in our membership application process. Their dedication and attention to detail helped us see the issue.

What I love most is seeing the creativity hackers bring to the table. Each submission highlights their unique approach and understanding of security, which keeps us on our toes and continually motivates us to enhance our defenses.

Q: What REI assets can security researchers test?

A: Hackers can test our main asset, rei.com, except for paths we have deemed out of scope in our policy. View our complete list of in-scope and out-of-scope assets.

Q: What findings is the team most interested in surfacing?

A: At REI, we focus on finding critical vulnerabilities that could affect our customers’ data and overall application security. We pay close attention to issues like authentication and authorization flaws, injection vulnerabilities, and anything that could lead to data breaches. Business logic errors are also a significant concern since they can impact our operations and customer experience. By prioritizing these bugs, we aim to strengthen our security and create a safe, reliable environment for our users.

Q: What advice would you give other organizations considering working with security researchers to harden their attack surface?

A: If you're considering using ethical hackers to improve your security, here’s some advice based on what we've learned. First, start by clearly defining your goals. Know what specific vulnerabilities or areas you want to focus on.

When choosing a platform, look for one that connects you with skilled, ethical hackers with a good reputation and solid community feedback. Communication is key, so provide context about your assets and encourage collaboration to get the best insights.

Also, be ready to act on the findings you receive. Set up a process for reviewing reports and prioritize vulnerabilities based on their potential impact so you can fix them quickly.

Lastly, consider ethical hacking an ongoing part of your security strategy rather than a one-off project. This proactive mindset will help you build a more robust security framework over time.

Q: Anything to say directly to the researcher community?

A: Absolutely! Thank you to the hacker community; we appreciate your crucial role in improving our security. Your skills and insights are invaluable in helping organizations like ours spot vulnerabilities we might miss.

Keep pushing boundaries and sharing your knowledge. Collaboration is essential; the more we work together, the stronger we all become. Remember, your work protects companies and safeguards users and the broader digital landscape.

Keep innovating and challenging the status quo. Your efforts truly make a difference. We’re excited to partner with you on this journey toward a more secure future. Thank you for your commitment to ethical hacking!
