Software giant Salesforce has revealed that it paid hackers over $2.8m (£2.05m/€2.46m) through its invite-only bug bounty programme in 2021, with more than 4,700 suspected vulnerabilities in its products reported through the scheme.
Bug bounties are now a well-accepted and widely-used tool among IT companies, benefiting from the skills of hackers to buy peace of mind that their products and services are secure, and Salesforce was one of the first such organisations to debut a bug bounty programme back in 2015.
This is the first public update it has ever provided on its bug bounty programme, which has awarded over $12m in total from over 22,000 reports in that time.
Chris Evans, CISO and chief hacking officer at HackerOne, Salesforce’s platform partner, said: “Salesforce represents a top-tier example of how a well-run bug bounty programme can make a significant, measurable impact on an enterprise’s overall security posture.
“Their security team also takes things a step further by proactively soliciting feedback from the community to improve the programme. Not only does this dedication define an industry-leading programme, but reflects Salesforce’s overall security maturity and commitment to staying ahead of security threats.”
Salesforce said the programme had shown its worth in helping it enhance preventative security efforts “from the inside out”, enabling its engineering teams to better understand how malicious actors operate.
“Being able to understand the methods the hackers use to find vulnerabilities allows me to employ the same methods to better secure our software,” said Anup Ghatage, a Salesforce software engineer.
Salesforce’s scheme operates within a controlled, non-production sandbox environment that mirrors real user functionality to let bounty hunters simulate attacks without the risk of exposing any customer data. All its products and feature changes move through the process after internal testing and before deployment.
“I was attracted to becoming an ethical hacker after starting my career as a developer,” said Inhibitor181, one of the hackers who participates in Salesforce’s bug bounty programme.
“Not only is it more stimulating and less monotonous to use my programming skills to legally hack into global companies’ products, but it also allows me to do my part in preventing cyber crime. Not all hackers are bad.”
Moving forward, Salesforce is planning a number of evolutions to its programme, engaging with a greater number of hackers to protect its widening portfolio, and bringing hacker-powered testing of its products forward within the overall development cycle.
As part of the latter move, it has recently introduced targeted monthly promotions offering multiplied bounties – up to triple the standard payout – in exchange for verified reports on a specific product. Its Trailhead Slack App, which was officially launched at the Dreamforce event in September, was “attacked” in this manner last summer.
The company said: “Salesforce is committed to advancing its bug bounty programme and partnering with ethical hackers. The ability to find and fix vulnerabilities before products are rolled out to users is core to Salesforce’s broader security initiatives and maintaining trust among its customers, partners, and entire ecosystem.”
The growth in Salesforce’s programme – which despite being seven years old has now paid out two-thirds of its bounties since 2019 – is reflected in the wider bug bounty “market”, for which 2021 was also a bumper growth year.
Data from Bugcrowd, a crowdsourced bug bounty specialist, showed that valid submissions and payouts for the most critical vulnerabilities were up significantly on its platform last year, particularly within the financial services sector. Payouts within the software sector, meanwhile, were up by 73%, it said.
This spike probably reflects digital transformation brought on by the pandemic, but Bugcrowd also believes market forces may be in play. It said uncovering critical vulnerabilities now provides tangible value to buyers and so it behoves software companies, such as Salesforce, to find them.