Priceline Launches Public Bug Bounty Program: Q&A with Matt Southworth
Priceline is a world leader in travel deals, connecting millions of travelers with over 600,000 properties around the globe, and the flights and rental cars to get them there. Think of all the information used to book flights alone. Priceline CISO Matt Southworth and his team are tasked with keeping that data secure.
Today, Priceline launched its public bug bounty program on HackerOne, including Priceline’s e-commerce site, Priceline.com, PPN affiliate sites and mobile apps. We sat down with Matt to learn more about their program, prioritizing customer trust, keeping up with new techniques, what it’s like working with hackers, and more. Here’s a glimpse into our conversation.
Q: Please introduce yourself. Tell us what you do at Priceline and why cybersecurity is so important to your business.
A: I am Matt Southworth, CISO at Priceline. Cybersecurity is critical for a number of reasons. Chief among them is customer trust. We need to make sure all the information our customers choose to share with us is treated with the utmost sensitivity and protected against threats from bad actors across the world. Quite simply, we have been taking credit cards online for 20 years, customers have trusted us with that information, and we will maintain that trust.
Q: Why did Priceline launch a bug bounty program?
A: The idea behind the program was to allow some of the world’s best security researchers to identify vulnerabilities on our site. When a researcher identifies a vulnerability, they have an economic incentive to report it to us. We had been receiving individual reports from researchers, and chose to consolidate those efforts through a formal program.
We partnered with HackerOne because their triage is impressive. HackerOne handles contact with researchers and validates their findings. This allows us to focus our energies on addressing vulnerabilities versus validating them.
Q: How does this fit into Priceline’s larger cybersecurity strategy?
A: This is one element in a very comprehensive strategy we have in place to safeguard customer data. Discoveries from the bug bounty program are an excellent early signal of new and evolving attacks. These new techniques will be used, maliciously or otherwise. We need to be aware of these techniques so we can evolve our security program in response. It is a process of continuous improvement, to stay ahead of hackers with bad intentions.
Q: Any memorable interactions with hackers to date? Favorite bugs?
A: At a high level, one particular benefit of these programs is the variety of techniques that researchers use to identify vulnerabilities - we see a mix of traditional and nontraditional hacking. Some researchers in particular are very good at spotting vulnerabilities in forgotten and outdated infrastructure. We see considerable value from a number of participating researchers. One in particular, a researcher named Eric with the username todayisnew, stands out - very easy to work with, with a fresh and different perspective on bounty programs. We want to broaden the program to include as many skilled researchers as we can.
We work with researchers from all over the world. And they do not work on our 9-5 schedule. We receive feedback over weekends, over holidays - it’s continuous, and it’s very beneficial.
Since launching the program, we have resolved more than 400 bugs. We have rewarded more than 300 reports and have paid out more than $80,000 as a result. And we have raised the amount of our rewards in response to our positive experience with the researchers.
Q: What findings is the team most interested in surfacing? What types of bugs are most valuable to Priceline?
A: Anything that puts our customer data at risk is valuable to identify and fix. We’ve included our e-commerce site, Priceline.com, as well as our PPN affiliate sites and our mobile apps in scope for this reason. Valuable findings include remote code execution, interesting logic flaws and vulnerabilities in mobile apps.