Towards the $50,000 Bounty - Improving SDLC with Bug Bounties

The Challenge

The CISO of the Year used bug bounties to lead the way. Leo Niemela, Chief Security Officer for Finnish insurance giant LocalTapiola, was an early bug bounty program adopter. He saw that LocalTapiola could get more than bugs out of a bounty program. LocalTapiola could create the software development lifecycle (SDLC) of the future using bug bounties as the catalyst. Here's how they did it.

LocalTapiola competes in a fierce and demanding insurance marketplace in Finland. They produce software both in-house and with outside development partners. Getting software out quickly was a high priority, but security reviews and pen testing took time. Application security was shared between the product and security teams, which left an unstructured process that nobody could see end to end. Security teams were nervous on ship days, and didn't want to be.

Leo receiving CISO of the Year Award from the Finnish Security Association, 2015.

The Solution

At first, LocalTapiola used only classic vulnerability-finding techniques: static analysis, internal threat modeling and external penetration tests. Each pen test took at least a week plus planning time. LocalTapiola assigned pen testers a wide scope, to have confidence that applications were really checked for vulnerabilities.

They launched a bug bounty program with a small group of mainly Finnish hackers. There just weren't enough of them to satisfy LocalTapiola's security team. The creativity of the world's hacker community was needed. LocalTapiola migrated their internal bug bounty program to HackerOne, where over 70,000 hackers are registered, to reach more great hackers.

A vulnerability disclosure program with bug bounties signaled LocalTapiola reaching a new level of security sophistication.
Courtesy: Leo Niemela

The Results

The expanded program allowed them to make changes to their SDLC. Security was embedded in the product development organization, instead of being partly in and partly out. That made it clear that pen testing could be shortened and that the money was better spent on bug bounties. Pen testing time was cut in half and bugs were found at half the cost, allowing code to ship faster.

With HackerOne, top hackers were continually probing. The extended security team felt that there were always eyes on their software. And great hackers: three of HackerOne's Top 10 overall hackers have successfully found vulnerabilities on LocalTapiola. The security team also has outside software developers pay the bounty for vulnerabilities found in their code. That keeps them very focused on delivering secure code in the first place.

After six months on HackerOne, the program continues to grow. LocalTapiola's most recent month on HackerOne led to 19 bounties, more than the four prior months combined. LocalTapiola knows they can get even more eyes on their software, quickly and affordably. They increased their published maximum potential bounty to $50,000 - the highest on HackerOne. Reports went up 50% in the month when the higher maximum bounty was announced. Their highest-ever award - $18,000 - was paid shortly thereafter, to a first-time LocalTapiola contributor. Hackers love them for occasionally paying for out-of-scope bugs and for hosting hacker dinners in Finland. And if a hacker finds a vulnerability that merits it, LocalTapiola will gladly pay to protect their brand and produce the most secure software possible.