Snap’s Security Team on Nearly 6 Years of Collaborating with Hackers
As a popular camera and messaging platform, Snapchat is responsible for properly handling data for 249 million users daily. The Snap bug bounty program launched in January 2015 to encourage hackers to surface vulnerabilities so they could be safely resolved. Nearly six years later, the security team leverages insights and trends from the bug bounty program to automate and prevent similar vulnerabilities throughout software development. We connected with Snap Security Engineering Manager Divya Dwarakanath and Security Engineering TPM Nick Reva to learn more.
Q: How has hacker-powered security helped you ensure your products are secure to maintain consumer trust?
Through regular gap analysis, we determine where to focus our future efforts, but at our scale, it is great to have a safety net. Through HackerOne we gain better visibility into the issues we may not have caught.
Whenever we remediate a solid finding, we try to investigate if there are other occurrences of the same bug, and either implement a framework to prevent the issue in the future, or write an automated rule to identify these early via our regression testing and analysis tools. This allows us to learn from the hacker community and create automated detection to stop the bug from occurring or catch it ourselves.
Q: What are Snap’s security priorities as a whole? Can you share a bit about your holistic security approach?
Snap takes an engineering-centric approach to security. We are structured into teams that build and maintain systems and controls to protect our users and company. We hold a high technical bar for our teams to ensure we build the right solution for Snap. We perform periodic threat modeling to identify the most meaningful threats and then define and implement strategic and operational projects and programs to manage those threats. Our general preference is to build vs. buy solutions as we can better control our destiny and build to our requirements without strong vendor dependencies. HackerOne is one of the larger exceptions where clearly the depth and breadth of the Platform and community makes it desirable to partner with. We felt that building our own bug bounty platform wouldn’t be a good use of our time.
Q: Snap is approaching the 6 year anniversary of its bug bounty program on HackerOne in January. Can you share a little bit about that origin story and how the program has evolved over the years?
We started in late 2014, with a private program and limited scope. We had a small team, but enough prior experience with bug bounty programs to know how overwhelming they can get if we don’t scale up slowly, and with the right vulnerability tracking and remediation framework in place. A private program was perfect for this! We went public a few months later, and went on to add another private program for our product acquisition Zenly in 2019 and later took it public in 2020. We have been growing the scope, offering top monetary rewards for top vulnerabilities and look forward to continued growth in the future.
Surprisingly, the program has helped augment our hiring efforts, helping us connect with many talented people in the industry. Hackers often reach out, enquiring about full-time and intern roles, citing good interactions with our team, and we have been able to hire interns and a full-time engineer as a result.
Q: How did leveraging a private bug bounty program around an acquisition help the team? Is that becoming a standard process for Snap?
The private program allowed us to start small and focus the program on a curated list of researchers that had both demonstrated reporting in specific domains of interest and high reputation. We are considering private programs for future product acquisitions that run separate from the Snapchat app.
Q: Over the past five years, are there any memorable moments, metrics or bounties that stick out for you?
For the Snap program about 3 years ago, @apfeifer went a bit rogue on us (and thank goodness). He pointed us to new areas of risk that we weren’t focusing on, which resulted in us kicking off some very important security engineering efforts. Post two amazing internships with us, he continues to be the top hacker on our program with over $57K in bounties before graduating from college.
For the Zenly program, we intentionally started small and incrementally scaled the program through 2019 with a public go-live in early 2020. @apfeifer again has made a meaningful contribution to our Zenly program with novel bugs that our team didn’t anticipate. Another researcher (@victor_pct) was initially discouraged by the complexity of Zenly's APIs, but after we offered him a small bounty for his first report, he decided to work harder and scored a much larger bounty. With this bounty he had enough money for a ring to propose to his girlfriend :) We are glad to have contributed to his work and personal life in such a meaningful way.
“Thanks Zenly and all your awesome team <3” - @victor_pct
Q: Earlier this year, Fast Company named Snap Inc. as the World’s Most Innovative Company. What role has security played in your path towards innovation?
Snap approaches software engineering with a security and user privacy-first mentality. Our security engineering team is actively involved in all stages of product and infrastructure development, and we have been able to influence designs and roadmaps to improve security and privacy. We have also taken opportunities to innovate in the security and privacy space. Some examples of this are Device-Distributed Machine Learning, which allows us to analyze user data/behavior in a privacy-preserving manner, end-to-end encryption that doesn’t rely on strong coupling between identities and devices, and a key escrow for the ‘My Eyes Only’ feature that protects saved private media in the event of a Snapchat server compromise. We have also heavily invested in a new SOA paradigm with implementation of Envoy and a Service Mesh that is secure by default, with authentication, authorization, and network security provided as defaults within the platform.
Q: What advice or lessons learned would you share for companies considering hacker-powered security?
We have stuck to certain fundamentals to reduce bug bounty ops for our team - outsourcing the initial triaging to a trusted and tech-savvy team, and having a large-enough on-call team and other interested “watchers” on our team who are happy to jump in on busy days. Security teams are most effective when they are in a position to do proactive security, by engineering solutions to eliminate entire classes of vulnerabilities, helping design and implement secure products, and creating safe development paths for the company that provide guard rails without slowing down innovation. Give your security engineers the operational help they need to manage your program without it becoming a burden, and the results will speak for themselves.
Q: Looking forward, how do you see the bug bounties and the security industry more broadly evolving?
Looking ahead, we see that the volume, variety and complexity of bugs will likely increase as the pace of our product suite and technology evolve. Security teams are constantly trying to understand the threat model for new technologies quickly enough to build proactive defenses. As the speed of innovation continues to accelerate, we need to continue evolving. We foresee continuing to invest in more thoughtful and automated risk detection of attack surface to identify and address new vulnerabilities quickly. In fact, we have recently bootstrapped a risk discovery team to double down on this. We will certainly miss certain things and the HackerOne program will be there to fill in the gaps in our awareness and coverage.
Q: Anything you’d like to say to the hackers that have participated over the last five years or those that you’d like to engage in your program?
For all you hackers who have spent precious time on our program, we know that you have many choices when it comes to bug bounty programs. Thanks for choosing to hack with us ;)
If you haven’t engaged with our program yet, or stopped because of the high barrier for entry (certificate pinning or device attestation), we would like you to know that our biggest bounties have gone to the most trivial-to-exploit vulnerabilities, not the most complex, and there are always opportunities for innovative bugs. Our team genuinely loves reading and responding to your reports, and looks forward to working with you in the future.