Salesforce’s bug bounty programme paid out $3m in 2023

Salesforce’s long-running bug bounty programme continues to pay dividends to both the organisation’s customers and its growing network of ethical hackers, as the software giant announces it has now paid out more than $18.9m in bug bounties since the scheme’s inception in 2015, covering 30,600 potential vulnerabilities.

In 2023, Salesforce revealed, it paid out $3m to around 6,500 ethical hackers who disclosed nearly 4,200 reports. Individual payouts have topped $60,000 in some cases.

The organisation’s bug bounty programme is operated in collaboration with HackerOne, which networks ethical hackers with companies like Salesforce to help address everything from very minor coding issues to major cross-cloud issues that could have proven highly impactful had they not been dealt with.

“Ethical hackers’ work allows our engineers to address vulnerabilities before they become an issue and contribute to ongoing security improvements. Engaging outstanding ethical hackers enhances our organisation’s preventative security measures and overall cyber resilience against an evolving threat landscape tailored to today’s and tomorrow’s reality,” said Lindsey Swartz, senior manager for technical security programme management at Salesforce

Speaking to Computer Weekly last year, Swartz explained why other organisations should consider embrace ethical hacking and bug bounty programmes.

“Security is a team sport,” she said. “There’s so much value to be had by embracing hackers rather than being fearful of the potential connotations, [and] there’s so much good to be had from partnering and collaborating and valuing their perspectives and treating them as professionals.”

“Salesforce is known among the ethical hacker community for its engaging bug bounty programme and experience,” added Arne Swinnen, an ethical hacker who works on Salesforce’s bug bounty programme.

“We look forward to the high-quality interactions with the security team to dive deeper into our findings, which not only bolster the security of Salesforce’s own products, but the entire digital ecosystem,” said Swinnen.

In the past 12 months in particular, Salesforce said that the bug bounty programme has also helped it stay out in front of rapidly evolving AI-powered threats.

It is also now using ethical hackers to test drive its products before an adversary does, which it said is enhancing its preventative security efforts by enabling engineers to apply fixes to protect end-users well in advance of any potential exploitation.

The organisation is continuing to evolve the programme to meet the ever-changing expectations of its growing hacker community.

In the coming months, it will be looking at innovative new ways to enhance real-time engagement with ethical hackers, and offer more gamified experiences to those participating. It also wants to do more to facilitate faster response and resolution times, especially when critical bugs are found, something that other tech companies have been criticised for in the past.