Salesforce helps customers establish bug bounty programmes

Salesforce customers can now take advantage of a wealth of new content covering bug bounty programmes on its Trailhead online learning platform, which has been added ahead of the Washington DC leg of the supplier’s annual World Tour targeting US government bodies – the London event is scheduled for 6 June 2024.

The learning content is designed to provide appropriate resources for organisations to build out their own bug bounty programmes, which at their core provide financial rewards to ethical hackers who uncover and disclose software vulnerabilities, and are a proven and effective way for them to gain insights into threat actors and to stay ahead of threats, including emerging AI-backed ones.

The Trailhead series breaks down the programme development process into bite-sized chunks, with modules including:

• Defining a bug bounty programme and its ultimate scope and goals;
• Structuring a bug bounty programme, including work phases, areas of research, and personnel roles;
• Understanding Salesforce’s own bug bounty programme;
• Creating vulnerability reports;
• And diving into targeted research campaigns.

“As the cyber security landscape continues to evolve rapidly, Trailhead has been an incredible resource to continually learn new skills. Having a playbook to seamlessly set up a bug bounty programme will unlock new capabilities and reshape how BACA Systems thinks about strengthening security practices,” said Andrew Russo, Salesforce architect at BACA Systems, a US manufacturer of robotic stone-cutting equipment.

Brad Arkin, chief trust officer at Salesforce, added: “As a trusted advisor to our customers, we share security tools and information they need to be successful. By providing the resources they need to establish their own bug bounty programme and engage with ethical hackers, we are empowering companies to increase customer trust in the age of AI.”

“With the White House underscoring the importance of cyber security through the AI Executive Order and securing voluntary commitments for advancing safe and trustworthy AI, and with hackers already using AI for cyber attacks, it’s more urgent than ever for organisations to adopt measures to enhance the security of their entire ecosystem,” he continued.

Salesforce itself runs a successful multi-year bug bounty programme internally, which it organises with the assistance of sector specialist HackerOne.

In 2023 alone, the scheme paid out approximately $3m to 6,500 ethical hackers working on 4,200 vulnerability disclosures, with the largest reward topping $60,000. Since the programme’s inception in 2015, Salesforce says it has made $18.9m worth of bounty payments, helping eradicate 30,600 potential vulnerabilities in its code.

A major focus of the current programme is adapting to address the potential threats posed by AI, as well as proactively ‘test-driving’ its products before adversaries get the chance to. It is also exploring new ways to innovate the experience for the ethical hackers working on the programme, including more gamified experiences, and crucially, better engagement and faster response times.