Grab celebrates 5 years on HackerOne
By Digital News Asia December 18, 2020
- 450 valid vulnerabilities thanks to efforts of over 200 ethical hackers
- Ethical hackers could have key impact on security of their technology
Five years ago, leading rideshare, food delivery, and payments company Grab, became one of the first companies in Southeast Asia to implement a hacker-powered security programme. Though it started as a private programme, Grab launched their public bug bounty in 2017. In just three years Grab became one of the Top 20 bug bounty programs on HackerOne worldwide, resolving nearly 450 valid vulnerabilities thanks to the efforts of over 200 ethical hackers.
To celebrate, Grab’s security team published a blog post highlighting their journey from private to public bug bounty programme. The following are some learnings as described by Grab’s security team:
Response Time: No researcher wants to work with a bug bounty team that doesn't respect the time they invest into the programme. Grab initially didn't have a formal process around response times because it wanted to encourage all security engineers to pick up reports. But since it knew which processes worked for it in this area, Grab was able to consistently deliver a first response to reports in a matter of hours, which is significantly lower than the top 20 bug bounty programmes running on HackerOne.
Time to Bounty: In most bug bounty programmes, the payout for a bug is made in one of the following ways: full payment after the bug has been resolved, full payment after the bug has been triaged, or paying a portion of the bounty after triage and the remaining after resolution. Grab opted to pay the full bounty after triage.
While its security team is always working to speed up resolution times, that timeline is in their hands, not the researcher's. Instead of making them wait, Grab pays them as soon as impact is determined to incentivise long-term engagement in the programme. Grab’s average time to bounty is 5 days, which makes their programme one of the fastest among the top 20 bug bounty programmes on HackerOne.
Noise Reduction: With HackerOne Triage and Human-Augmented Signal, Grab has been able to focus its team's efforts on resolving unique, valid vulnerabilities. Human-Augmented Signal flags any reports that are likely false-positives, and Triage provides a validation layer between its security team and the report inbox. Collaboration with the HackerOne Triage team has been fantastic and ultimately allows Grab to be more efficient by focusing their energy on valid, actionable reports.
Team Coverage: Security introduced a team scheduling process. Each week, they assigned a security engineer to review and respond to bug bounty reports. Grab has also integrated its systems with HackerOne’s API and PagerDuty to ensure alerts are for valid reports and verified as much as possible.
Grab realised early on that ethical hackers could have tremendous impact on the security of their technology. By first establishing a private bug bounty programme and transitioning to a public programme, they were able to ‘crawl, walk, run’ and scale security efforts according to their own pace. They saw that ethical hackers bring non-stop testing far beyond what any internal security team could accomplish alone; and that blanket of coverage extends downstream into engineering and development, adding another “guardrail” on the software development lifecycle.
Grab’s bug bounty programme has helped the team prioritise fixing the most impactful vulnerabilities and minimise the window of opportunity for malicious attacks. By integrating the data from the bug bounty programme into their development workflows, Grab has been able to identify, prioritise, and respond to threats in real time while creating more secure products.
Grab also gave a shoutout to the programme’s top-earning hackers:
Overall Top 3 Researchers
Year 2019/2020 Top 3 Researchers
The security team also gave a special shoutout to @bagipro who has done some great work and testing on Grab mobile applications.
If you want to learn more about Grab’s bug bounty programme or want to submit a vulnerability report, visit https://hackerone.com/grab.
For more information about getting started in bug bounty programmes, check out The Beginner’s Guide to Bug Bounty Programs.