The Good Tech Companies - Strengthening Cybersecurity: Breaking Down inDrive’s Bug Bounty Program
Episode Date: December 11, 2024. This story was originally published on HackerNoon at: https://hackernoon.com/strengthening-cybersecurity-breaking-down-indrives-bug-bounty-program. Learn how inDrive's bug bounty program strengthens cybersecurity by collaborating with white hat hackers to detect vulnerabilities and optimize security processes. Check more stories related to cybersecurity at: https://hackernoon.com/c/cybersecurity. You can also check exclusive content about #bug-bounty, #security, #white-hat-hackers, #vulnerabilities, #information-security, #cyber-security-awareness, #bugbounty, #good-company, and more. This story was written by: @indrivetech. Learn more about this writer by checking @indrivetech's about page, and for more stories, please visit hackernoon.com. inDrive's bug bounty program strengthens cybersecurity by collaborating with white hat hackers to detect vulnerabilities and optimize security processes. We use automatic integration with Slack and Jira to make this process fast and efficient. We would also like to point out that you should not limit yourself to the bug bounty program, as it is not a panacea for solving all security problems.
Transcript
This audio is presented by Hacker Noon, where anyone can learn anything about any technology.
Strengthening Cybersecurity: Breaking Down inDrive's Bug Bounty Program
By inDrive Tech.
Learn how inDrive's bug bounty program strengthens cybersecurity by collaborating with white hat hackers to detect vulnerabilities and optimize security processes.
Introduction
In a world where digital technology is infiltrating every aspect of our lives, cybersecurity is of paramount importance. Companies around the world are investing heavily in protecting their data and systems from cyber threats. One of the most effective methods of strengthening security is to work with independent security researchers, also known as white hat hackers. This article will be useful for companies that are planning to launch a bug bounty program or have already launched one. We will share our experience in organizing and developing the bug bounty program at inDrive and how it has helped strengthen our cybersecurity.
We would also like to point out that you should not limit yourself to a bug bounty program, as it is not a panacea for all security problems. A bug bounty can help you identify some vulnerabilities, but it does not cover the full range of possible threats: it only exercises what is in scope and reachable by external researchers. You need a comprehensive approach to security that combines several tools and techniques. As the graph below shows, different tools detect different numbers of vulnerabilities, which emphasizes the importance of combining methods such as automated scanners, static and dynamic code analysis, security audits, and employee training.

Beginning
Initially, our bug bounty program worked in closed (private) mode. This allowed us to control the flow of bug hunters, send out invitations gradually, and track the results. This approach gave us the opportunity to quietly debug and improve our internal processes, and thanks to this we were prepared for going public.
Integration and triage
Triaging the vulnerabilities that researchers report is a key step in a bug bounty program. We use automatic integration with Slack and Jira to make this process fast and efficient.

Slack
We use two channels. The main channel carries the key events in report processing: notifications of new reports, task assignments to engineers, and vulnerability disclosure requests. This channel keeps the team aware of critical events at all times. An additional channel is for the employees involved in the initial analysis and triage of reports; notifications of non-urgent activity, such as report comments and triage details, are sent there.

Account matching
Setting up a mapping between HackerOne and Slack users ensures that important comments and report notes are delivered directly to the responsible people, minimizing the risk of missing important information. This simplifies communication between the inDrive security team and researchers and makes vulnerability remediation more effective.

Jira
Integration with Jira creates a task in the right project with a predefined set of fields. Using Jira's automation functionality, we wrote our own task processing rules to improve our internal vulnerability handling. Below is an example of this automation.
Found-by automation: the system automatically populates the Found by field with the value Bug Bounty, recording the origin of the task for analytics.
Task assignment: a rule automatically assigns each task to an engineer, ensuring an even distribution of work.
Slack notifications: when a task is assigned, a notification is sent to Slack that mentions the engineer and provides all the necessary information.
Critical vulnerabilities: notification of a critical vulnerability is additionally sent to a dedicated Slack channel for immediate response.
SMS messages: in addition, SMS notifications are sent to the responsible people.

Fighting spam with triggers
Triggers in HackerOne are a powerful tool for automating actions in response to events such as new vulnerability reports. They greatly simplify the work of the security team and help optimize the process of responding to reports.
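As an added example (this is not inDrive's code; the channel names, engineer names, phone numbers and the shape of the report dict are assumptions), here are the routing rules from the Jira and Slack sections above and the social-media keyword trigger described next, implemented as plain Python functions. The Jira, Slack and SMS side effects are recorded in a data object instead of being sent, so the logic runs offline:

```python
import itertools
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed data: a hypothetical on-call rotation and contact details,
# not inDrive's real team or channels.
ENGINEERS = ["alice", "bob", "carol"]
PHONE_BOOK = {"alice": "+10000000001", "bob": "+10000000002", "carol": "+10000000003"}

MAIN_CHANNEL = "#bugbounty"             # key events: new reports, assignments, disclosure requests
TRIAGE_CHANNEL = "#bugbounty-triage"    # non-urgent: researcher comments, triage details
CRITICAL_CHANNEL = "#bugbounty-critical"

# HackerOne severity ratings mapped onto Jira's default priority names
# (assumption: your Jira instance may use a different priority scheme).
SEVERITY_TO_PRIORITY = {
    "none": "Lowest", "low": "Low", "medium": "Medium", "high": "High", "critical": "Highest",
}

# Keyword list from the article's social-media trigger. Matched whole-word and
# case-insensitively, so "immediately" does not fire on "media" but "twitter.com" does.
SOCIAL_MEDIA_TERMS = ("media", "social", "facebook", "twitter", "instagram")
_SOCIAL_RE = re.compile(
    r"\b(?:" + "|".join(map(re.escape, SOCIAL_MEDIA_TERMS)) + r")\b", re.IGNORECASE
)
SOCIAL_MEDIA_WARNING = (
    "Hi, it looks like you are about to report an issue with social media links "
    "(Instagram, Twitter, Facebook). Our company is in the process of rebranding and "
    "we are aware of this issue. We are temporarily not accepting reports for this "
    "issue; please read the security policy before submitting a report."
)


def social_media_trigger(title: str, body: str) -> Optional[str]:
    """Pre-submission trigger: return the warning to show the researcher, or None.

    Like the article's HackerOne trigger it educates rather than blocks: the
    researcher can still submit after reading the warning.
    """
    if _SOCIAL_RE.search(title) or _SOCIAL_RE.search(body):
        return SOCIAL_MEDIA_WARNING
    return None


@dataclass
class Actions:
    """Side effects the automation would perform, recorded instead of executed."""
    jira_fields: Dict[str, str]
    assignee: str
    slack: List[Tuple[str, str]] = field(default_factory=list)  # (channel, message)
    sms: List[Tuple[str, str]] = field(default_factory=list)    # (phone, message)


def new_rotation() -> Iterator[str]:
    """Round-robin iterator over the on-call engineers (keeps the workload even)."""
    return itertools.cycle(ENGINEERS)


def route_report(report: Dict[str, str], rotation: Iterator[str]) -> Actions:
    """Turn a submitted report into Jira fields, an assignee and notifications.

    `report` is a constructed dict with keys id, title and severity (HackerOne's
    none/low/medium/high/critical scale); unknown severities fall back to Medium.
    """
    severity = report.get("severity", "none").lower()
    assignee = next(rotation)
    fields = {
        "summary": f"[BB-{report['id']}] {report['title']}",
        "found_by": "bug bounty",  # origin marker used for analytics
        "priority": SEVERITY_TO_PRIORITY.get(severity, "Medium"),
        "assignee": assignee,
    }
    actions = Actions(jira_fields=fields, assignee=assignee)
    actions.slack.append((
        MAIN_CHANNEL,
        f"@{assignee} assigned report {report['id']} ({severity}): {report['title']}",
    ))
    if severity == "critical":
        # Critical findings get their own channel plus an out-of-band SMS page.
        actions.slack.append((
            CRITICAL_CHANNEL, f"CRITICAL report {report['id']}: {report['title']} -> @{assignee}",
        ))
        actions.sms.append((
            PHONE_BOOK[assignee], f"Critical bug bounty report {report['id']} assigned to you",
        ))
    return actions


def route_comment(report_id: str, author: str, text: str) -> Tuple[str, str]:
    """Non-urgent events (researcher comments, triage notes) go to the triage channel."""
    return (TRIAGE_CHANNEL, f"Comment on report {report_id} by {author}: {text}")


if __name__ == "__main__":
    rotation = new_rotation()
    print(social_media_trigger("Broken Instagram link in the footer", ""))
    print(route_report({"id": "101", "title": "IDOR in ride history API", "severity": "critical"}, rotation))
    print(route_comment("101", "hunter42", "Any update on this?"))
```

Two design points worth keeping when you wire this to real Jira, Slack and SMS clients: the keyword trigger uses whole-word, case-insensitive matching so that it warns on the intended reports without firing on unrelated words, and it only warns, so a researcher with a genuine finding that happens to mention a social network can still submit. Critical reports fan out to the dedicated channel and to SMS in addition to the main channel, never instead of it, so the main channel remains the complete record.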
For example, when rebranding the company from inDriver to inDrive, we often received reports of problems with social media accounts. We configured the trigger as follows.
Trigger condition: the report contains any word from the list media, social, Facebook, Twitter, Instagram.
Trigger action: when the condition is detected, a pop-up window with the following warning text is automatically displayed to the researcher:
"Hi, it looks like you are about to report an issue with social media links (Instagram, Twitter, Facebook). Our company is in the process of rebranding and we are aware of this issue. We are temporarily not accepting reports for this issue, so we urge you to properly acknowledge the issue and familiarize yourself with the security policy before proceeding and submitting a report."
This not only reduces the number of inappropriate reports but also educates researchers, improving the quality of future reports.

Campaigns and the Telegram channel
We understood that over time the activity in the program would decrease. This is natural: the most obvious vulnerabilities have already been found and fixed, and attracting researchers' attention again requires additional effort. To maintain a high level of engagement and interest in our program, we took a number of measures. One of the key tools was our dedicated Telegram channel for bug hunters. This channel serves not only as a means of communication but also as a platform for sharing useful information. We actively share information about our application and provide materials that can help researchers find vulnerabilities in our services: technical documentation, descriptions of new features, or architectural changes that may be of interest from a security point of view.
Key benefits of our Telegram channel:
Official updates: direct and reliable news from the inDrive security team.
New feature announcements: information about new services and features that may be of interest to bug bounty enthusiasts.
Promotions and events: information about special offers and events related to the bug bounty program.
More information about the channel can be found at https://t.me/indrive_bbp.
In addition, to attract both new and experienced bug hunters, we regularly launch campaigns on the HackerOne platform. Campaigns allow us to stimulate bug hunters' interest in our program. We also announce all campaign launches via our Telegram channel, which lets us quickly reach the audience and encourage them to participate. For example, below are statistics from one of the campaigns.
These measures keep interest in the bug bounty program high, ensuring a constant flow of fresh ideas and findings, which ultimately improves the security of our products. Our tips will help you dramatically improve your times at every stage of vulnerability processing: time to first response, time to triage, and time to bounty. This, in turn, will increase the trust and satisfaction of the bug hunters participating in your program.
In conclusion, our experience in organizing and developing a bug bounty program at inDrive is a vivid example of how engaging external security researchers can significantly strengthen a company's cyber defense. Thanks to our community of white hat hackers, we were not only able to identify and remediate many vulnerabilities but also optimized our internal processes, which increased our efficiency and improved the protection of our systems and data. We thank all participants of our bug bounty program for their invaluable contribution to inDrive's security and invite new researchers to join our community. Together, we will make the digital world safer.
Thank you for listening to this HackerNoon story, read by Artificial Intelligence. Visit hackernoon.com to read, write, learn and publish.