@dblock
Created September 22, 2014 01:25
An email describing the Artsy bug bounty program to the team.

Team,

I wanted to give you a bit of background and some stats for a program that we have been running in Engineering for the past few weeks to improve the security of our websites, services and users. It's called a Security Bug Bounty and is publicly advertised under https://artsy.net/security.

What is it?

It's an opportunity to be a true, publicly recognized hacker without the FBI ever showing up at your door.

A security bug bounty is a formal program for independent security researchers to find bugs in our systems that may cause data loss, account takeovers, spam or other kinds of abuse. If you play by our rules, we pay a small bounty (often $50) for every new bug found. We might also send you Artsy swag and we will list your name on artsy.net/security if you wish.

Why do we do it?

Because we, obviously, really care about our users' privacy and security.

Because security is complicated and we can't count on just ourselves to find and prevent all the issues. Furthermore, security research is a professional specialty much like being able to code a website, so some are better than others at it.

Is it the first time we care?

Definitely not the first time! Aside from general development practices around security and a lot of peer review of the code involved, we have, in the past, had an independent security review by a firm called ... .

So, any results?

In the past 3 weeks we have had X separate security bugs reported by Y different security researchers and have fixed Z separate issues. The others are acceptable risk or have been reviewed and deferred for other reasons.

What's the worst thing that security researchers found?

There weren't any severe or catastrophic bugs, however there were some easily exploitable issues in a category called cross-site scripting that could relatively easily hijack user accounts if you could trick people into clicking a link in, for example, a very legitimate-looking email.

How much did we pay in prize money?

So far we have paid $... total to N individuals. The highest single payout has been $... for a collection of issues.

What kind of security bug is acceptable risk that we don't fix?!

For example, we don't ask users to verify their emails. So you can sign up as barak.obama@whitehouse.gov to Artsy, but you're obviously not the president of the United States. Confirmations just confused users.

Do others have similar programs?

Absolutely. Just recently Twitter launched theirs, there's a Forbes article about it: http://www.forbes.com/sites/kashmirhill/2014/09/10/bug-bounty-programs. Big companies usually have much higher payouts, with Facebook known to have paid out $32,000 for a single vulnerability once and Microsoft having a $100,000 prize for hacking a database server application. Lots of small companies do it on their own sites or through programs run on websites like http://hackerone.com.

What are the downsides?

A security bug bounty is a lot of work, including going through hundreds of email threads so far sorting issues out and replying to every single person reporting something, often a duplicate.

Sometimes inviting hackers and thanking them publicly also means telling the world that we do have security bugs. Some people can see that as advertising our failures, however we'd rather find the security bugs and not be hacked, which would have much worse reputation consequences.

Finally ...

We just recently rolled this out and everything can be improved.

Please do feel free to ask any questions!

cheers, dB.
