We invited 40 of the world’s best security researchers to hack our products. Here’s what happened.
By Chris Nims, CISO and Paranoid in Chief
The security of Oath, its brands and our users is a top priority for us. Our dedicated security team - known as the Paranoids - continuously strives to keep our systems safe and secure amid evolving global threats. The Paranoids also have partners. Part of our approach to security involves attracting highly skilled security researchers to test the resiliency of our platforms. Our bug bounty programs have been popular: thousands of security researchers from around the world engage with them to help keep our platforms secure, and the programs have been tremendously successful. Today we have some news about Oath's bug bounty program.
Introducing Oath's Unified Bug Bounty Program
Today Oath is formally launching its unified bug bounty program. To date, across our four existing programs, more than 3,000 researchers globally have participated and over $3 million has been paid in bounties over the past four years. Up until now, however, our programs have been divided across AOL, Yahoo, Tumblr and Verizon Digital Media Service (VDMS). Our new program will combine our existing bug bounty operations into one united program, establishing a foundation to expand our program in the future.
The program is operated on our partner platform HackerOne. Security researchers will be able to work on the AOL, VDMS and Tumblr properties on an invite-only basis, while the Yahoo properties will be open to the public. Importantly, every Oath property is under the purview of the unified program.
Oath's First Live-Hacking Event
To kick off our efforts, on Saturday, April 14, Oath and HackerOne gathered 40 of the best hackers from around the world in San Francisco for H1-415, a live-hacking event to legally hack Oath's systems. The goal? To identify as many vulnerabilities as possible and patch them. The event proved to be highly effective, with more than $400,000 in bounties paid out from nine hours of hacking.
Surfacing vulnerabilities and resolving them before our adversaries can exploit them is essential in helping us build brands people love and trust. Whether they had been participating in our programs for years or were looking at Oath assets for the first time, it was empowering to witness the dedication, persistence and creativity of the hacker community live and in-person. We really felt the excitement and enthusiasm throughout H1-415.
More on the results of the event is available from our partner HackerOne.
HackerOne also hosted over 40 middle and high school students from the Bay Area. Manju Mude, Senior Paranoid in charge of engagement, participated on a career panel and answered the students' questions about working in the cybersecurity industry. While we're focused on attracting seasoned security researchers, we're also honored to give back and encourage the next generation of aspiring security leaders.
We believe our bug bounty program offers some of the most competitive rewards. When determining a payout, we primarily assess the impact of the vulnerability. We take into account what data might have been exposed, the sensitivity of that data, the role that data plays, the network location and the permissions of the server involved. Those factors are of great importance and tell us what a bug could have allowed an adversary to do, and where. It's why we recommend that our security researchers include thorough explanations with their bug reports.
Nuts and Bolts
If you're a security researcher looking to learn more, visit our new Oath bug bounty program page at HackerOne for specifics on program guidelines, rewards and more.
It's our hope that with this unified bug bounty program, we will continue to increase the effectiveness of outside reporting and ultimately the security of Oath and its users.