Skip to content

Bug Bounty Program at Factorial

·
3 min read
bug-bounty-program

One of our highest priorities here at Factorial is to guarantee the security of our infrastructure and our clients’ data. We’re picky about which tools we use, and we only work with the most effective ones to meet our high security standards. 

Thanks to our diverse and highly qualified security team specialised in multiple branches, we are able to:

  • Cover the entire attack surface of our platform. 
  • Monitor attacks 24/7.
  • Perform security tests internally before new functionalities go into production. 
  • Train developers on the OWASP Top 10 [1].
  • Investigate new 0-days [2]. 

In this article, we’ll focus on two fundamental concepts: the Vulnerability Disclosure Policy (VDP) and the Bug Bounty Program (BBP). It’s our view that every single company should adopt at least one of these two.

What is a VDP?  

A Vulnerability Disclosure Program (VDP) is a program that provides clear guidelines on how an organisation would like to be notified about potential security vulnerabilities found by third parties or external hackers. Its goal is to give ethical hackers instructions about reporting a vulnerability so they can be guided to the right team to solve it.

What is a BBP?  

On the other hand, a Bug Bounty Program (BBP) incentivises external third parties or hackers to find security vulnerabilities in an organisation and report them directly to be fixed safely and efficiently. Unlike VDPs, vulnerability finders are rewarded with monetary prizes.

Why a VDP is Essential to Every Business 

It’s best practice to have a public-facing Vulnerability Disclosure Policy as it encourages others to report security vulnerabilities. When an ethical hacker finds a security flaw in third-party systems, the hacker has two options. They can either report it to the security team and risk being investigated for this action (even if well-intended), or they keep it to themselves to avoid these potential repercussions.

If the ethical hacker decides on the latter, the organisation’s security and users are endangered, highlighting the fragility of their security strategy. What’s to stop a cybercriminal targeting the same vulnerability and exploiting it maliciously? 

It’s common for ethical hackers to decide against reporting their findings to avoid legal risks. This can have a direct and often tragic impact on an organisation, resulting in costly incidents such as ransomware. 

A VDP can fortify the cyber-security of an organisation and negate these risks. VDP’s should focus on 5 key points:

  1. Purpose: Start with why your company has a VDP and the importance of upholding it. 
  2. Scope: List available properties and types of vulnerability you’re interested in. This grants hackers visibility into the assets and shows the potential vulnerabilities they should be looking at.
  3. Safe harbour: Assure hackers that they won’t be legally sued or prosecuted for any vulnerabilities they find.
  4. Reporting process: Explain how hackers can submit security reports step by step and what kind of information is required in a submission.
  5. Evaluation of reports: Include the response times, depending on the severity and asset affected, whether hackers can publicly disclose vulnerabilities, or whether they need to wait for a confirmation email, etc.

Do We Have a Bug Bounty Program in Factorial?

We work with dozens of hackers at Factorial in our HackerOne’s private bounty program, which includes some of the top hackers in the world.  We currently limit our bounty program to a selected group of hackers, who are known for their high reputation and results levels. In doing so, we only receive quality reports from the top professionals in the field. 

HackerOne is a company that allows organisations to have their VDP or BBP on their platform, by which hackers send reports that can be evaluated by the internal security teams of each organisation. Once this report has been validated within a BBP, the hacker will receive a monetary remuneration reflective of how critical the reported vulnerability is.

Do We Have a Vulnerability Disclosure Program in Factorial?

Yes. For us, it’s essential to have a secure way to receive vulnerability reports from third parties. We’re also very excited to receive new security reports improving the security of our systems.

Any external hacker who finds a security issue can report it to us, even if they don’t participate in our private bug bounty program. Our VDP policy is available to anyone at https://hackerone.com/factorial. You can report potential security vulnerabilities to us at security@factorial.co and we’ll gladly review the reports.

 

References

[1] https://owasp.org/www-project-top-ten/

[2] https://en.wikipedia.org/wiki/Zero-day_(computing)

I’m Tarek, ethical hacker on the Factorial security team, and a part-time bug bounty hunter. I was recognized by large companies such as Google, PayPal and Twitter, for actively contributing to their security.

Related posts