
Bug Bounty


Transactional online businesses are prime targets for hacker activity. Mostly for profit, but also to disrupt the markets those businesses operate in, and for many other reasons, malicious players and automated bots continuously prod the online surface of Flutter's brands, looking for a single weakness they can abuse.

To protect its clients and assets, Flutter has multiple information security teams distributed across its locations. Blip's office in Porto is the main location for two of them: the Information Security Engineering team, which builds and manages our security tooling, and the Security Testing team, which provides penetration testing, red teaming and general vulnerability detection capabilities for our online estate.

One of the tasks we (the Security Testing team) are best known for internally is the management of Flutter's Bug Bounty program, which we started in 2018 and manage through the HackerOne (H1) platform. Before 2018, if a hacker found a vulnerability in one of our products, they would report it to us by email, a process that did not scale and was difficult to manage. To improve it, we decided to begin a formal Bug Bounty program. We evaluated several online bug bounty platforms and eventually selected H1.

HackerOne enabled us to attract top talent among security researchers and maintain a communication channel with them through the platform. At the same time, it allowed us to establish clear rules of engagement for researchers, and it supported the management of each reported vulnerability, from triage to closure. Significantly, H1 also supports monetary bounties, so we can reward the work of security researchers and support their efforts on responsible disclosure.

In 2018 we started a small, private program, inviting 20 of the best H1 researchers to test our main websites. Over the next four years, we gradually grew this program into a fully open Bug Bounty. Today, the program encompasses the online surface of two of Flutter's major brands. We offer a maximum of $3000 per valid report, and anyone can report a vulnerability and be eligible for a bounty. So far, we have collaborated with over 250 hackers, who have made a positive contribution to the maturity of our security posture and the confidence we have in our security controls.

Successfully running a bug bounty program is a communal effort, with ramifications that reach well beyond the global Flutter security team. When a vulnerability is reported to us, we work with our SOC and the on-call personnel to triage the report and respond to valid reports within the right timeframe. Occasionally we have received reports of unexpected vulnerabilities, from a zero-day RCE (CVE-2019-19781) that we reported to Citrix, to complex chained vulnerabilities. Once we triage a report as valid, we pass it on to the relevant teams and work together with them to understand the issue, identify any impact, and establish how it can be fixed.

In the end, the continuous work and close support of our development and infrastructure teams are at the core of what makes our Bug Bounty program successful, and the same is true of any other security issue we identify and work on. With new vulnerabilities in servers, frameworks, libraries and so on being identified every day, a security team will always be outnumbered by the sheer number of malicious actors present, day and night, on the Internet. It is great to feel we are not alone in this battle; online and at Blip, we are surrounded by incredibly talented professionals who are right there by our side.

If you'd like to know more details about our bug bounty journey, check out this blog post.

Written by: Blip
