1. News
  2. News

One Month of Learnings from Flo Health’s Bug Bounty Program: A Q&A with CISO, Leo Cunningham

The CISO of Flo Health knows that enabling our security team with the most advanced security testing methods is of the utmost importance to brand trust and user loyalty. CISO Leo Cunningham recently sat down with the team at HackerOne, the world’s most trusted hacker-powered security platform that gives organizations like Flo Health access to the largest community of hackers on the planet. Read on to see what Leo shared about the first 30 days of learnings from our bug bounty program,  how vulnerability findings help improve internal processes, and how the global hacker community helps Flo Health ensure the safety and security of personal data we process.

Before using HackerOne, we used to run penetration testing via a vendor. However, these traditional pentests limited us because we couldn’t access niche skill sets. We wanted to add a modern approach to what we were already practicing. Choosing HackerOne means we’re not limiting ourselves. We can open up our application and platform to the largest global community of ethical hackers. We wanted to reach a diverse community and pool of talent to push the boundaries, give us a better measure of our security, and detect vulnerabilities that could have been missed internally. By offsetting some of our vulnerability management and testing efforts, we have saved ourselves a huge amount of time and money.

The launch of the HackerOne program: some of the first successes

Launching the HackerOne program has allowed us to look at our internal processes and refine these to ensure maximum ROI and efficiency when dealing with multiple sources of vulnerability information.

In the first month of the program, we reached out to 200 people on the platform to see if they could test what we already put in place. So far,  we have had a couple of items disclosed. One of the bugs disclosed so far was a “low” vulnerability. This bug was already known to our security team and is a legacy item with no impact on Flo. Because the bug bounty submission was from another perspective, we decided to pay $200 for this as it was insightful to know how a hacker viewed this vulnerability. 

The interaction with the HackerOne team and with the hacker community has been great. HackerOne Triage verifies the findings before being submitted to us for review. This saves Flo so much time and reduces our efforts on checking items.

The hacker community is assisting us in achieving a position where we are as secure as we can be while allowing the business to operate as usual. This also helps us review current processes, Jira workflows and makes developers aware of security bugs. 

How hackers help spot vulnerability trends — and what happens next

Hackers can spend more time across a wide range of areas to understand our technology and product, then apply their niche skill set to help us paint a picture of any issues that need to be addressed, ultimately helping us maximize our ROI.

Once a bug has gone through HackerOne triage, we first fully validate the vulnerability ourselves, then add this to our vulnerabilities project, and if eligible, a bounty is paid out. From there, the relevant metadata is added, and the bug is sorted into a list of prioritized items to get fixed according to our internal SLA structure for remediation. The bug is then fixed and closed.

How to quantify the work with hackers

Working with the hacker community allows us to receive bugs that are not seen in traditional penetration tests and gives us a larger window of time in which to find these bugs. HackerOne provides the largest community of ethical hackers in the world, which makes it the best and biggest resource out there. The more hackers there are reviewing our items, the better.

Each company is different and has different needs, but in order to quantify working with hackers, I ask myself the following:

What do I currently spend on external penetration tests, and what level of coverage do I get? If I want exposure to a large community of hackers who live and breathe security testing, would this option give me more scope on tests for my product?

Am I time-boxed with internal or external testing? If so, this adds additional pressure when you can freely open up your product (within a restricted and secure space) and allow hackers to take their time and spend longer on testing.

Having a bug bounty program is great from the brand perspective. It shows the world that you are investing in security and that you are open to a varied and wide community of testers who dedicate their time finding security bugs that could seriously impact your company if found by a malicious hacker.

How to measure the value of data security

At our core, we are a platform that relies on very sensitive data, and our customers need to be able to trust us with this information. Like all companies, a data breach has the potential to cause a lot of damage. Flo, as a result, has a very strong focus on security at all levels, and HackerOne is a crucial part of this process.

Success for us will be when we are getting minimal bugs reported, penetration tests return little to no results, and our internal vulnerability count is minimal.

Source: HackerOne Blog

Read this next