“It’s not worth building a fence if it can be bypassed just two steps to the side”
Mail.ru Group is a bug bounty veteran; with a program that spans 6 years, paying out over $1 million in bounties and resolving 3465 valid reports, it knows all the tricks to getting the best out of their hackers. Mail.ru Group’s Information Security Technical Advisor, Vladimir Dubrovin, tells us why being flexible with scope is vital to his team’s successful bug bounty program.
When we first started our program, only Mail, Cloud, and Calendar services were in scope, because almost every account across our services is bound to Email. However, since the beginning, we have paid out for issues like RCE or SQLi that were out of scope — it’s not worth building a fence if it can be bypassed just two steps to the side. Now we cover every high severity issue that belongs to Mail.ru Group, without exclusions. In addition, we take the unusual step of officially rewarding hackers for disclosing vulnerabilities found in our partners’ systems. While there are legal implications in some countries that make it impossible, we have taken steps to make this a best practice. When Mail.ru Group makes agreements with new partner services, we outline in the contract that the service needs to be ready to receive reports from hackers and have a Service Level Agreement (SLA) for fixing security issues. It’s important that if those partner services are receiving any information about our users, we want them to be as secure as we are ourselves, so we accept those bugs into our bug bounty program and pay out for them.
This is what I’ve learned from six years of working with hackers to secure Mail.ru Group:
- Reward for what your business needs. Your scope can even include reports for fraud or account hijacking issues. The most important things to do for your program are respond quickly, fix issues and maintain communication with your hackers.
- You can attract more bug hunters without raising bounty prices. Hackers are in this business for more than just money, so price increases can only get you so far. Hackers really respect companies that allow disclosure of findings and we have found it’s a great way to show you have a program worth spending time on because hackers can publicise their successes and this encourages other hackers to participate.
- Provide easy access to beta functionality. Rewards should match, or potentially supersede, released features. This way, you can ensure security is being built into the software development process, leading to a more secure product overall.
- You can offer researchers so much more than just money. We have offered grants for our top researchers where we pay them for their work whether they find a bug or not to keep them engaged with the program and looking for vulnerabilities. We have also incentivised hackers with promotional codes distributed offline and at physical events to attract new hackers. When we attend cybersecurity conferences, we offer some simple (and not so simple) hacking challenges for attendees at our booth. If you win, you get a promo code for $100-$200 for our bug bounty program. It works like this: if you receive a bounty for a report, you will automatically receive an additional $100-$200 as a bonus with the promo code. The effect of this is two-fold; we get additional activity from hackers who know that no matter what they find, they will earn an additional $100-200 from it and can measure how successful in-person engagement is at events. With this activity, we usually receive up to ten issues per 150 promo codes, including at least one critical issue.
- I often get asked about how I measure success. I would say, focus on the number of critical reports and the time it takes from when the vulnerability is first reported to the point where it is verified, paid out and, ultimately, fixed.
Looking forward, where is Mail.ru Group going next?
We are transitioning to a single account across all the services within the holding that will include Mail, VK.com, OK.ru - both social networking sites - and others. This is a massive challenge for us and of course we want to invite researchers to help us implement it in the most secure way, and will have plenty more opportunities for bug hunters.
For more information, visit our page at https://hackerone.com/mailru.