Adventures in Bug Bounties
Posted by Stuart Hirst
Skyscanner has a culture of innovation and continuous improvement. For our IT security function, the ‘Security Squad’, it is no different. External security testing had previously taken the form of standard penetration testing, which brought considerable value and helped improve security posture. However, our Squad wanted to look at new ways of testing the products that we help secure on a daily basis. In early 2015, we began to investigate the possibility of a crowd-sourced testing mechanism.
The First Painful Steps
The Bug Bounty journey was not initially a smooth one. A trial scheme with a third party resulted in researchers sending in automated scans (any security person worth their salt will know how easy this is to do!) and a battle with numerous researchers over bounties and out-of-scope bugs. This was a learning curve for Skyscanner too and we adjusted our requirements and scope for any future program, to avoid a repeat.
The Success Story
Then, a chance encounter on Twitter opened up dialogue between Skyscanner’s IT Security Manager and Bugcrowd in mid-2015. The initial scoping meetings were hassle-free and a two-week private Flex scheme was arranged for November 2015.
The Flex scheme provided Skyscanner with 49 skilled researchers from around the globe. For two weeks, these researchers tested Skyscanner.net and followed a set of criteria set out by Skyscanner’s Security Squad.
Over 140 bugs were found; Bugcrowd reviewed them and triaged 43 for the Squad to investigate.
The 43 bugs were allocated a priority number, allowing Skyscanner to quickly determine which bugs needed to be fixed first. A considerable advantage of the scheme was the reporting aspect. Researchers would disclose not only the bug, but also the replication steps (some with videos and pictures showing how it was found), HTTP requests, attack strings and a plethora of other useful information. This gave our Engineering squads the information to replicate issues quickly and fix them where necessary.
The reaction across the business was wholly positive and it has proven to significantly improve Skyscanner’s product security, engagement and response.
We see bug bounty schemes as now vital to our security testing approach. In 2016, we will double our efforts in this space and increase the scope with which we allow researchers to test.
Penetration testing will not disappear from Skyscanner; it will continue to complement a mature testing strategy. However, for the foreseeable future, bounties are here to stay too.
We aim to build training programs for engineers based on the findings of the bounty schemes, which will improve the security of our code and allow us to further develop our ‘Hack Yourself First’ approach.