Skyscanner's Adventures in Bug Bounties
Skyscanner has a culture of innovation and continuous improvement. For our IT security function, the ‘Security Squad’, it is no different. External security testing had previously taken the form of standard penetration testing, which brought considerable value and helped improve security posture. However, our Squad wanted to look at new ways of testing the products that we help secure on a daily basis. In early 2015, we began to investigate the possibility of a crowd-sourced testing mechanism.
The Bugcrowd Flex
The Flex scheme provided Skyscanner with 49 skilled researchers from around the globe. For two weeks, these researchers tested Skyscanner.net and followed testing criteria set out by Skyscanner's Security Squad.
Over 140 bugs were found, which Bugcrowd reviewed, triaging 43 for the Squad to investigate.
The 43 bugs were allocated a priority number, allowing Skyscanner to quickly determine which bugs needed to be fixed first. A considerable advantage of the scheme was the reporting aspect. Researchers would disclose not only the bug, but also the replication steps (some with videos and pictures showing how it was found), HTTP requests, attack strings and a plethora of other useful information. This gave our Engineering squads the information they needed to replicate each issue quickly and fix it where necessary.
The highest bounty was $2,000 for a high priority bug. Not a bad day’s work!
The reaction across the business was wholly positive and it has proven to significantly improve Skyscanner’s product security, engagement and response.
Read the full post here.