It’s been two years since Upserve launched its public bug bounty program on HackerOne. During that time, Upserve’s security team has resolved over 85 valid vulnerabilities thanks to hackers, paying $68,000 in bounties along the way.
Over 10,000 restaurants use Upserve to manage relationships with more than 57 million active diners, process over $9.9 billion in annual sales and serve over 36 million meals per month. The Upserve security team is responsible for protecting information about restaurant guests and employees, payment card information, and sensitive business information like sales data collected through Upserve Restaurant POS and Management Software.
To celebrate the second anniversary of their public bug bounty program on HackerOne, we sat down with Upserve’s Information Security Officer Bryan Brannigan to look back on humble beginnings, learn more about how they incorporate hackers in their security initiatives, and discuss how they’ve increased engagement through public disclosures. Take a look:
Q: Introduce yourself and Upserve. Tell us what you do and why cybersecurity is so important to your business.
A: I’m Bryan Brannigan and I look after Upserve’s information security and privacy programs. Upserve is the magic ingredient that helps restaurateurs become wildly successful, providing everything they need to manage a restaurant in a single hub. Upserve offers the market-leading cloud restaurant point-of-sale, actionable insights, payment processing, automated inventory and ordering, workforce tools, and mobile restaurant management.
Cybersecurity is critical to our business because restaurant owners are relying on us to protect not only their information but also the information of their guests. They’ve entrusted us to do the right things to keep this information and their business safe, and we take that responsibility seriously.
Q: Why did Upserve decide to start a bug bounty program in the first place?
A: Upserve has always been receptive to vulnerability disclosures and has worked with hackers to resolve bugs and reward them for their reports. Without a platform like HackerOne, this is an administratively burdensome task. Without a formal program, there is also limited engagement because few hackers know about you unless you’re a big name. We thought that starting a formal bug bounty program would help us tap into the minds of many individuals with unique perspectives and skill sets to help us better identify potential weaknesses in our software. Overall we thought that a bug bounty program would be a great compliment to the steps we already take to build security into our products.
Q: How does the bug bounty program impact your larger cybersecurity strategy?
A: Our bug bounty program allows us to engage hundreds of minds to help us continuously improve our products. We do internal code reviews, threat modeling, penetration testing, and vulnerability scanning. But the hackers bring a unique, outside perspective on how to break our products in a way that these other activities do not. With each valid submission, we learn something that we can take back into the process and improve how we design and build our products in a secure way.
Q: What’s the scope of your program? What findings are most interesting to your team?
A: Our scope is very open and includes almost everything a hacker can get their (virtual) hands on, including our Internet-facing services and mobile apps. When we mark a production asset out of scope, we try to provide a non-production replica for testing. Of course, third-party services are out of scope, but we also try to point out when those services have their own bug bounty or disclosure program. Any finding that impacts our risk posture is interesting to us, but the most interesting findings are those that have a direct impact on the confidentiality or integrity of customer data.
Q: Most bug bounty programs are private and many of those are not publicly acknowledged in any way by the program owner. When and how did Upserve decide to transition from private to public?
A: We launched our private program to get started, but about 7 months later transitioned to a public program. We intended to have a public program from the very beginning. If there is one fact about the Internet it is that there are bad people trying to hack your stuff every day. Since many of our assets are available to anyone, we believe that it makes sense to allow anyone to participate in our program. At Upserve we believe in transparency and that value carries over to our security program. I believe that a transparent security program does more to build customer confidence than a program that hides in the shadows.
Q: You’ve recently started publicly disclosing some of the vulnerability reports that have come through the program. How have public disclosures helped engagement of your program?
A: Public disclosures have built a lot of new engagement in our program. We’re seeing new hackers join in and submit reports. Most of these reports are new issues, but some of them build upon a disclosed report and take an approach we and the previous hackers hadn’t thought of. When we started the program I saw public disclosure as a benefit for just the hackers, but now I see a clear benefit to us and our program from public disclosure.
Q: What advice would you give hackers participating in your program?
A: Report quality really matters. It is clear when a hacker has taken the time to understand the issue, the impact, and the steps to create, and it is really clear when they have not. We are much happier to work with and reward people who put in the effort.
Q: What advice would you give other businesses when it comes to running a program?
A: Running a bug bounty can be a great value to your business, but you need to make sure that you, your company, and your SDLC are ready for it. Security bugs are going to be reported and they’re going to throw a wrench in your plans for the sprint/month/quarter. This disruption is for the greater good, but you need stakeholders to be on board and supportive of what you're doing.
Define your objectives and keep an open mind about scope. You might be looking to focus on a single app or website, or like Upserve you might be looking to identify issues across all of our public facing assets. You need to know what you want to do and you need to clearly communicate that to the hackers.
Q: What’s next? What’s your vision for the program and/or what milestone(s) are you looking forward to?
A: As the company grows, so does our scope. We’re looking forward to issuing some very specific challenges to the hacker community around services and features which we think are well protected, but could use guided and focused testing to help with assurance.
To learn more about Upserve’s bug bounty program on HackerOne and start hacking, visit https://hackerone.com/upserve.