Team,
I wanted to give you a bit of a background and some stats for a program that we have been running in Engineering for the past few weeks to improve the security of our websites, services and users. It's called a Security Bug Bounty and is publicly advertised under https://artsy.net/security.
It's an opportunity to be a true, publicly recognized hacker without the FBI ever showing up at your door.
A security bug bounty is a formal program for independent security researchers to find bugs in our systems that may cause data loss, account takeovers, spam or other kinds of abuse. If you play by our rules, we pay a small bounty (often $50) for every new bug found. We might also send you Artsy swag, and we will list your name on artsy.net/security if you wish.
Because we, obviously, really care about our users' privacy and security.
Because security is complicated and we can't count on just ourselves to find and prevent all the issues. Furthermore, security research is a professional specialty much like being able to code a website, so some are better than others at it.
Definitely not the first time! Aside from general development practices around security and a lot of peer review of the code involved, we have, in the past, had an independent security review by a firm called ... .
In the past 3 weeks we have had X separate security bugs reported by Y different security researchers and have fixed Z separate issues. The others are acceptable risk or have been reviewed and deferred for other reasons.
There weren't any severe or catastrophic bugs; however, there were some easily exploitable issues in a category called cross-site scripting that could relatively easily hijack user accounts if you could trick people into clicking a link in, for example, a very legitimate-looking email.
So far we have paid
For example, we don't ask users to verify their emails. So you can sign up as barak.obama@whitehouse.gov on Artsy, but you're obviously not the president of the United States. Confirmations just confused users.
Absolutely. Just recently Twitter launched theirs, there's a Forbes article about it: http://www.forbes.com/sites/kashmirhill/2014/09/10/bug-bounty-programs. Big companies usually have much higher payouts, with Facebook known to have paid out $32,000 for a single vulnerability once and Microsoft having a $100,000 prize for hacking a database server application. Lots of small companies do it on their own sites or through programs run on websites like http://hackerone.com.
A security bug bounty is a lot of work, including going through hundreds of email threads so far, sorting issues out and replying to every single person reporting something, often a duplicate.
Sometimes inviting hackers and thanking them publicly also means telling the world that we do have security bugs. Some people can see that as advertising our failures; however, we'd rather find the security bugs than be hacked, which would have much worse reputation consequences.
We just recently rolled this out and everything can be improved.
Please do feel free to ask any questions!
cheers dB.