One Month of Learnings from Flo Health’s Bug Bounty Program: A Q&A with CISO, Leo Cunningham
The CISO of Flo Health, the world’s most popular women’s health app, knows that enabling his security team with the most advanced security testing methods is of the utmost importance to brand trust and user loyalty. We recently sat down with CISO Leo Cunningham to hear about Flo Health's learnings from the first 30 days of their bug bounty program. Read on to see what Leo shared about the importance of leveraging the global hacker community and how vulnerability findings help improve Flo Health's internal processes.
Tell us who you are.
Hi, I’m Leo Cunningham, the CISO at Flo Health.
What does Flo Health do? Why is cybersecurity so important?
Leo Cunningham: Flo is the most popular women’s health app globally; over 190 million users have downloaded Flo, attaining 40 million monthly active users. With 80+ medical experts, Flo supports women during their entire reproductive lives. The app provides curated cycle and ovulation tracking, personalized health insights, expert tips, and a private community for women to share their questions and concerns. The Flo Health app is available in more than 20 languages on iOS and Android.
Flo prioritizes safety and keeps a sharp focus on being the most trusted digital source for women’s health information. Cybersecurity is the most important thing to our business due to the sensitive data we process and the large amount of user data we store.
What led you to HackerOne?
Leo Cunningham: Before using HackerOne, we used to run penetration testing via a vendor. However, these traditional pentests limited us because we couldn’t access niche skill sets. We wanted to add a modern approach to what we were already practicing. Choosing HackerOne means we’re not limiting ourselves. We can open up our application and platform to the largest global community of ethical hackers. We wanted to reach a diverse community and pool of talent to push the boundaries, give us a better measure of our security, and detect vulnerabilities that could have been missed internally. By offsetting some of our vulnerability management and testing efforts, we have saved ourselves a huge amount of time and money.
What were some of the first successes?
Leo Cunningham: Launching the HackerOne program has allowed us to look at our internal processes and refine these to ensure maximum ROI and efficiency when dealing with multiple sources of vulnerability information.
In the first month of the program, we reached out to 200 people on the platform to see if they could test what we already put in place. So far, we have had a couple of items disclosed. One of the bugs disclosed so far was a “low” vulnerability. This bug was already known to our security team and is a legacy item with no impact on Flo. Because the bug bounty submission was from another perspective, we decided to pay $200 for this as it was insightful to know how a hacker viewed this vulnerability.
The interaction with the HackerOne team and with the hacker community has been great. HackerOne Triage verifies the findings before they are submitted to us for review. This saves Flo so much time and reduces our efforts on checking items.
How are hackers helping you reduce business risk?
Leo Cunningham: The hacker community is assisting us in achieving a position where we are as secure as we can be while allowing the business to operate as usual. This also helps us review current processes and Jira workflows, and makes developers aware of security bugs.
A hacker finds a bug - what happens next?
Leo Cunningham: Once a bug has gone through HackerOne triage, we first fully validate the vulnerability ourselves, then add this to our vulnerabilities project, and if eligible, a bounty is paid out. From there, the relevant metadata is added, and the bug is sorted into a list of prioritized items to get fixed according to our internal SLA structure for remediation. The bug is then fixed and closed.
How do hackers help you spot vulnerability trends across your attack surface?
Leo Cunningham: Hackers can spend more time across a wide range of areas to understand our technology and product, then apply their niche skillset to help us paint a picture of any issues that need to be addressed, ultimately helping us maximize our ROI.
What advice would you give to other CISOs planning to start a bug bounty program?
Leo Cunningham: If you haven’t already, set up a formalized internal process to deal with items in an orderly fashion. Make sure your teams are ready to understand and remediate upcoming issues. Think about what you want to get from the program and implement your plan accordingly.
How do you quantify working with hackers?
Leo Cunningham: Working with the hacker community allows us to receive bugs that are not seen in traditional penetration tests and gives us a larger window of time in which to find these bugs. HackerOne provides the largest community of ethical hackers in the world, which makes it the best and biggest resource out there. The more hackers there are reviewing our items, the better.
Each company is different and has different needs, but in order to quantify working with hackers, I ask myself the following:
- What do I currently spend on external penetration tests, and what level of coverage do I get? If I want exposure to a large community of hackers who live and breathe security testing, would this option give me more scope on tests for my product?
- Am I time-boxed with internal or external testing? If so, this adds additional pressure when you can freely open up your product (within a restricted and secure space) and allow hackers to take their time and spend longer on testing.
Having a bug bounty program is great from the brand perspective. It shows the world that you are investing in security and that you are open to a varied and wide community of testers who dedicate their time to finding security bugs that could seriously impact your company if found by a malicious hacker.
How do you measure the value of data security?
Leo Cunningham: At our core, we are a platform that relies on very sensitive data, and our customers need to be able to trust us with this information. As with all companies, a data breach has the potential to cause a lot of damage. Flo, as a result, has a very strong focus on security at all levels, and HackerOne is a crucial part of this process.
What’s the biggest lesson you’ve learned so far?
Leo Cunningham: Be prepared to deal with all sorts of information from various skill sets and keep an open mind.
What does success look like in the future for you?
Leo Cunningham: Success for us will be when we are getting minimal bugs reported, penetration tests return little to no results, and our internal vulnerability count is minimal.
Anything else you’d like to share?
Leo Cunningham: The HackerOne customer service and account management team have been world-class.
--
To learn more about the benefits of a bug bounty program, check out HackerOne Bounty