Throughout its history, Reddit has utilised the expertise of its diverse communities in many ways, and when it comes to cyber security, it has often relied on the security community to help find and fix bugs in its platform. It has even recruited some of them internally.
“Reddit has always leveraged the community to help find and fix bugs in the platform, and funnily enough, that’s how we’ve found several of our engineers to help improve platform security over the years,” said Reddit security professional Spencer Koch.
“The evolution of our security team really started back in 2018 when we formalised our private bug bounty programme. As our platform has grown in size, relevance and feature set, we’ve also scaled the programme alongside it by expanding its scope, improving our bounty pay-outs, and supporting security researchers with context and insight into how Reddit works.”
Set up in June 2005, the Reddit platform is now approaching its 16th birthday, which means the platform contains a lot of old – even forgotten – code and features that could still be vulnerable, said Koch.
“I remember my first few weeks at Reddit, we had some submissions around a product feature Reddit Live that I’d never even heard of,” he said. “Just last month, we had a submission on a long-deleted Chrome browser extension that had three-year-old code in an [Amazon Web Services] S3 bucket with an XSS vulnerability in it. So with the extra eyes from our bug bounty programme, we’re able to find things that may have gone unnoticed.”
The move to a public programme means any hacker will be able to probe Reddit’s underbelly in search of flaws and vulnerabilities, with monetary rewards paid out through HackerOne. Koch said going public was a “natural evolution” for Reddit.
“Taking the programme public has been a goal of mine since I joined Reddit, and with the continued growth of our engineering headcount and applicable scope, we needed to open up the programme to get enough researchers to cover all of Reddit,” he said. “And also not miss out on unique skillsets that each researcher brings to the table.”
The public programme will be supported by HackerOne’s triage service, which reproduces reports, offers remediation advice, and assists with testing implemented fixes. This service will also be blended into Reddit’s security team to give it the opportunity to lean on HackerOne’s own research team as and when needed – for example, producing detailed reports on submitted bugs, or screening and information gathering.
Allison Miller, CISO and VP of trust at Reddit, said: “Everyone at Reddit plays an important role, and that’s what is awesome about Reddit – we have built a culture that’s aware and appreciative of security, and we empower our developers to make smart decisions regarding security topics.
“There are never enough security engineers to go around, and so leveraging the smarts of independent security researchers frees up engineering cycles for other work, since we have that additional external help on testing. Hacker-power helps us find meaningful bugs across the spectrum, from old-fashioned security vulnerabilities like XSS to business logic issues with Reddit’s authorisation systems, to finding conflicting or confusing documentation around our APIs and site features.”
Miller said introducing a bug bounty programme, whether public or private, should not be a scary venture for a security leader – assuming they have done due diligence upfront – and the benefits were clear to see.
“You can have all the automation in the world, but sometimes just having different sets of eyes with different techniques and mannerisms helps identify things that might have otherwise gone undetected by your team,” she said.
“And it’s not as if not having a bug bounty programme makes your organisation’s security bugs go away – this just incentivises people to report them.
“Compared to user bug reports into r/bugs which are often full of bug pictures, bug bounty programme reports are of such high fidelity that our dev teams can quickly get to fixing, and trust the security team’s recommendations.”