One pioneer supporter of bug bounty programs in South-east Asia reflects on its five-year journey in securing customer data.

The security team at ridesharing/food delivery/payments firm Grab recently published a blog post highlighting their five-year journey of customer data protection.

The blog authors—Ajay Srivastava, Aniket Kulkarni, Avinash Singh and Nathaniel Callens—related how they decided to innovate by being one of the pioneers (in South-east Asia) to implement a hacker-powered security program privately in 2015.

When the results proved encouraging, the team went public with the program in Aug 2017, offering competitive rewards and additional bonuses if hacker reports were well-written and displayed an innovative approach to testing. This helped to resolve nearly 450 valid vulnerabilities via the efforts of over 200 ethical hackers.

Fast forward to 2020, and the team is still a champion of bug bounties. Their blog takes readers through a five-year journey with the following milestones:

  1. Response time: No researcher wants to work with a bug bounty team that does not respect the time they invest into the program. We initially did not have a formal process around response times because we wanted to encourage all security engineers to pick up reports. But since we knew which processes worked for us in this area, we are able to consistently deliver a first response to reports in a matter of hours, which is significantly lower than the top 20 bug bounty programs running on HackerOne.
  2. Time-to-bounty: In most bug bounty programs, the payout for a bug is made in one of the following ways: full payment after the bug has been resolved; full payment after the bug has been triaged; or paying a portion of the bounty after triage and the remaining after resolution. We opt to pay the full bounty after triage. While we are always working to speed up resolution times, that timeline is in our hands, not the researcher’s. Instead of making them wait, we pay them as soon as impact is determined to incentivize long-term engagement in the program. Our average time to bounty is five days, which makes our program one of the fastest among the top 20 bug bounty programs on HackerOne.
  3. Noise reduction: With HackerOne Triage and Human-Augmented Signal, we are able to focus our team’s efforts on resolving unique, valid vulnerabilities. Human-Augmented Signal flags any reports that are likely false-positives, and Triage provides a validation layer between our security team and the report inbox. Collaboration with the HackerOne Triage team has been fantastic and ultimately allows us to be more efficient by focusing our energy on valid, actionable reports.
  4. Team coverage: We have introduced a team scheduling process. Each week, we assign a security engineer to review and respond to bug bounty reports. We have integrated our systems with HackerOne’s API and PagerDuty to ensure alerts are for valid reports and verified as much as possible.

The firm realized early on that ethical hackers could have tremendous impact on the security of their technology. By first establishing a private bug bounty program and transitioning to a public program, they were able to ‘crawl, walk, run’ and scale security efforts according to their own pace.

Through this tentative strategy, the team saw that ethical hackers brought non-stop testing far beyond what any internal security team could accomplish alone, and that blanket of coverage extended downstream into engineering and development, adding another ‘guardrail’ on the software development lifecycle.

More hits than misses?

Given this year’s tumultuous events that triggered massive surges in cyberattacks, Grab’s security team is understandably proud about how they cybersecurity direction has helped the team prioritize fixing the most impactful vulnerabilities and minimizing the window of opportunity for malicious attacks.

By integrating the data from the bug bounty program into their development workflows, the firm has been able to identify, prioritize, and respond to threats in real time while creating more secure products. Notwithstanding some glitches in their data privacy record which include small fines for four breaches in two years, the team is obviously happy that things could have gone much worse.

Comparatively, much heavier fines for data breaches in Singapore amounted to S$1m meted out to Integrated Health Information Systems and SingHealth for exposing the data of more than 1.5m patients.