Cybersecurity has to move quickly. Attackers only need seconds to find and exploit a vulnerability. As Forbes reported in 2021, a cybercriminal takes around 9.5 hours to obtain illegal access to a target’s network. Every minute a company fails to act gives hackers a chance to cause greater damage.
Ardoq is no exception. As we scale and grow, our security must also keep pace to ensure our data is protected. We've worked hard to obtain and maintain our regular SOC 2 attestation and ISO 27001:2017 certification. To put these defenses to the test, our CEO Erik Bakstad initiated Ardoq’s Bug Bounty Program in 2016.
The program, managed by HackerOne, is one of many steps in our secure development strategy. HackerOne works with ethical hackers to test their skills by searching for bugs in our code in exchange for a “bounty payment” for their work. These hackers are thoroughly vetted and subjected to constant reviews, having committed to a stringent set of ethical standards prior to starting any projects with HackerOne. Hacker-powered security research is a part of our security lifecycle and is key for our ongoing commitment to security for our customers.
Ardoq’s Bug Bounty Program
Cybersecurity is an essential part of organizational strategy. We leverage conventional tools, such as running automated security checks, as part of our vulnerability management strategy. If these tools aren’t able to detect high-risk and more subtle vulnerabilities, we want an extra level of security. Hacker-powered security crowdsources the knowledge and skills of ethical hackers to provide Ardoq with continual security testing. The program has also generated excellent data that allows us to measure the effectiveness of our security activities. But how does it work?
All About Bugs
At Ardoq, we’re constantly developing and updating our code - changes that mean we can continually improve our product. After changes have passed our stringent internal testing, they’re launched into our production environments, giving our customers the most up-to-date version of our software whenever they access our platform.
However, no code is perfect. Errors can creep in while developers are building and adjusting features. Such errors occur in several forms and have different consequences, from needing simple fixes to more problematic bugs that require urgent repair. For example, a mistake in the code could make a number on a form incorrectly show up as a date. A more serious bug might inadvertently change the access rights of someone in the system and grant access to information that is protected or off-limits to them.
Security bugs can threaten a system’s security and create a “vulnerability.” When it comes to vulnerabilities, the stakes are high. Just how high depends on how the vulnerability is categorized; this is often based on how easy it is for someone to exploit it and how much damage that would cause.
This is where the bounty part of our Bug Bounty program comes in. The program enables us to have an ongoing process to find, identify, and fix vulnerabilities that can inevitably appear in all systems.
Since launching the program in 2016, Ardoq has offered levels of rewards or “bounties” to hackers who can help us find problems in our systems. These are awarded proportionate to the level of risk presented by the bug that they find. So while some are just “good to know” and don’t present any immediate danger, other bugs could pose a higher risk.
Although hacking can be fun and rewarding, it takes skill and time to test large complex platforms properly, so we feel ethical hackers deserve their “bounty” as a reward for this work. After all, it’s vital to identify and fix these bugs before someone with malicious intent tries to exploit them.
Using Bounties vs. Not Using Bounties
For many companies, it can feel uncomfortable inviting ethical hackers to look at their systems. You’re essentially inviting people to find potentially serious security issues in your software. However, it’s likely that there are already people out there trying to break your systems, and not all of them will have good intentions. “Black Hat” hackers are constantly looking for vulnerabilities in systems to exploit, sometimes to demonstrate their skills, and sometimes to sell to others with potentially larger and more nefarious motives via the dark web.
On the flip side, “White Hat”, or ethical, hackers are motivated to find security issues so they can be fixed, and a Bug Bounty program gives them both a mechanism to report what they find and a way to be rewarded for their efforts. While some companies have mechanisms to enable ethical hackers to disclose security issues responsibly, we believe the bounty payment is a good way to incentivize and acknowledge the work of external experts. Importantly, it also helps us mitigate our security risk.
Rules of the Game
With great transparency comes great responsibility - the program has a policy that tells hackers what they can and can’t do. HackerOne manages a specially curated list of hackers to ensure that the program and hackers align with our ethics. They also help us triage the reported bugs by reviewing what has been reported and validating that they are real vulnerabilities.
The program's structure gives us a filter that allows us to explore vulnerabilities and assess their severity through Ardoq’s internal processes. When a hacker reports a medium or high vulnerability issue, HackerOne will check it for us and filter out some of the noise that can come with having a public program.
Getting to the Root of What We Can Improve
Having ethical hackers test our code happens after we’ve already subjected it to several internal checks before it’s deployed into our production environment. This shows us how well our engineering process is working and allows us to identify ways to improve.
Root Cause Analysis
We encourage openness in our engineering team and provide a safe space for people to discuss what we can improve. When a significant bug is found, we invite everyone to sit down and talk through what the hacker was able to do. Sometimes we apply something like the “Five Whys” method: we keep applying “why” questions until we have a root cause. As a fictional example:
- Why were they able to do X?
- ⇢It's because this piece of code allowed them to.
- Why did that piece of code allow them to do it?
- ⇢Because the code assumed that if they got to here, they should have been allowed to do it.
- Why does it make that assumption?
- ⇢Because it relied on outdated authorization logic that should have been updated during a recent refactoring effort.
- Why did we not update the authorization logic during refactoring?
- ⇢Because we missed it while testing.
- Why did we miss it during testing?
- ⇢Because our test suite doesn’t cover this type of use case.
In the above example, a reasonable call to action would be to ensure we update our automated tests to always check that the authorization logic is correct (i.e. regression testing). To avoid a similar issue from popping up elsewhere, it also makes sense to take the learnings from this bug and apply it in other instances it might arise.
Using the Bug Bounty Program for Discover
When we launched our Discover module earlier this year, we ran a special campaign to attract more bounty interest. We invited our HackerOne community to target our new Discover features. In return, we would give them a bonus as part of our bounty payments. Although no serious issues were uncovered, we still found it a rewarding experience.
The relatively small number of issues reported is both a credit to Ardoq’s developers and our security awareness, and proves the value of having bold ways to approach our security. We also found that researchers who perhaps hadn’t looked at our platform before became interested, which we hope will lead to more engagement.
Using the Bug Bounty program has improved how we balance the speed of our developments while maintaining a high level of security for our customers. In addition, the program allows Ardoq the ability to continually monitor our security by leveraging the power of crowd-sourced and ethical hacking. The program has empowered us by driving our security research and contributing to the overall strength of our security lifecycle.
Nick Murison is Ardoq’s Chief Information Security Officer. He is passionate about helping Ardoq to meet our customers’ needs - safely and securely.