Transactional online businesses are prime targets for hacker activity. Mostly for profit, but also to disrupt the markets those businesses operate on, among many other diverse crimes, malicious players and automated bots continuously prod the online surface of Flutter’s brands looking for a single weakness they can abuse.
To protect its clients and assets, Flutter has multiple information security teams distributed across its locations. Blip’s office in Porto is the main location for two of them: the Information Security Engineering team, which builds and manages our security tooling, and the Security Testing team, which provides penetration testing, red teaming and general vulnerability detection capabilities for our online estate.
One of the tasks we (the Security Testing team) are best known for internally is the management of Flutter’s Bug Bounty program, started by us in 2018 and managed through the HackerOne (H1) platform. Before 2018, if a hacker found a vulnerability in one of our products, they would report it to us by email, a process that did not scale and was difficult to manage. To improve it, we decided to begin a formal Bug Bounty program. We evaluated several online bug bounty platforms and eventually selected H1.
HackerOne enabled us to attract top talent among security researchers and maintain a communication channel with them through the platform. At the same time, it allowed us to establish clear rules of engagement for researchers, and it supported the management of each reported vulnerability, from triage to closure. Significantly, H1 also supports monetary bounties, so we can reward the work of security researchers and support their efforts on responsible disclosure.
In 2018 we started a small, private program, inviting 20 of the best H1 researchers to test our main websites. Over the next four years, we gradually grew this program into a fully open Bug Bounty. Today, the program encompasses the online surface of two of Flutter’s major brands. We offer a maximum of $3000 per valid report, and anyone can report a vulnerability and be eligible for a bounty. So far, we have collaborated with over 250 hackers who have made a positive contribution to the maturity of our security posture and the confidence we have in our security controls.
Successfully running a bug bounty program is a communal effort, with ramifications that reach well beyond the global Flutter security team. When a vulnerability is reported to us, we work with our SOC and the on-call personnel to triage the reported issues and respond to valid reports within the right timeframe. Occasionally we have received reports of unexpected vulnerabilities, from a zero-day RCE (CVE-2019-19781) that we reported to Citrix, to complex chained vulnerabilities. Once we triage a vulnerability as valid, we pass it on to the relevant teams, working together with them to understand the issue, identify any impact, and establish how it can be fixed.
In the end, the continuous work and close support of our development and infrastructure teams are at the core of what makes our Bug Bounty program successful, and the same is true of any other security issue we identify and work on. With new vulnerabilities in servers, frameworks, libraries, etc. being identified every day, a security team will always be outnumbered by the sheer number of malicious actors that are present, day and night, on the Internet. It is great to feel we are not alone in this battle; online and at Blip, we are surrounded by incredibly talented professionals who are right there by our side.
If you’d like to know more details about our bug bounty journey, check out this blog post