Securing the development lifecycle through bug bounties
Visma is a leading business solution provider in Northern Europe, focusing on business optimization and management tools in a variety of industries. Our nearly one million customers trust us to deliver secure products and services, from payroll and bookkeeping to document sharing and software management. With such sensitive customer information at play, it’s vital that no vulnerabilities get missed, which is what led Visma to invite hackers to help in securing our digital assets.
Q: What are the security challenges that led Visma to start a bug bounty program?
Visma is a large organisation, with numerous products and services, in many different markets and countries, using different technologies and growing rapidly. The security of our products is a high priority. In order to achieve this, we run a program called the Visma Application Security Program (VASP), which enables Visma's development teams to deliver secure products and services. In the security program, we have a comprehensive set of standardized services and solutions. We do Static Application Security Testing (SAST) - security testing of the source code; Dynamic Application Security Testing (DAST) - security testing of compiled code; Manual Application Vulnerability Testing - internal pentesting; and Automated Third Party Vulnerability Testing (ATVS) - testing the security of the third-party components in the finished products. One of our challenges is to scale our security program as we grow our business, which is why we started with a bug bounty to complement and enhance our existing testing by ensuring nothing is missed.
Q: How does the bug bounty program impact Visma’s larger cybersecurity strategy?
We ran a smaller, private bug bounty program for our services in Finland before extending it to cover our whole corporate operation. After a year of running the comprehensive private program, we decided we were sufficiently mature to go public, with the aim of inviting the broader community of hackers with diverse skill sets to help protect our assets.
The bug bounty program complements our security efforts across the board, especially when it comes to product security, which our customers rely on.
We have seen the value a bug bounty program delivers and therefore we have decided to continue adding more products to scope over time.
Q: What have some of the highlights and results been from your program?
We are proud to say that we have reached 1,000 submissions overall, an important milestone for us that proves the bug bounty has really increased the security awareness of the development teams. We have already seen it has long lasting effects on how the teams approach and think about security.
We have awarded over $160,000 to our brilliant hackers. We do our best to maintain their engagement by averaging 2 days for triage and by paying out immediately after triage (instead of waiting until it’s fixed by the development team).
As a result, we can definitely say that our customers have become more secure, and our developers more confident about their security posture.
Q: Any memorable interactions with hackers to-date? Favorite bugs?
In general, we have great interactions with hackers and get positive feedback from the community. We try to inform them and offer support on different channels, including Twitter and Slack. It’s rewarding to get thank you messages, because we pride ourselves on being transparent, fair, and consistent.
The most interesting finding on our program was an HTTP request smuggling vulnerability. The finding was a collaboration between two of our best hackers; they submitted a very detailed and well-written report, proving the critical impact this vulnerability could have had - essentially, it could have allowed attackers to snoop on all data sent to the web server by any user.
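To make the class of bug described in this answer concrete, here is an added example that is not part of the original interview, not Visma's code and not the reported finding. It models the classic CL.TE desync: a lenient front end frames the message by Content-Length, the back end behind it frames the same bytes by Transfer-Encoding: chunked, and the leftover bytes get glued onto the next user's request on the shared back-end connection, so that user's Cookie header lands on a request the attacker authored. A strict parser that refuses the ambiguous framing is shown alongside. The hostnames, paths, cookie value and parser functions are constructed for illustration.

```python
"""Constructed CL.TE request smuggling model (illustration only, not Visma's code)."""
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    target: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: bytes = b""


def _parse_head(buf: bytes):
    """Return (Request without body, body offset), or None if the head is incomplete."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines = buf[:end].decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    req = Request(method, target)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        req.headers[name.strip().lower()] = value.strip()
    return req, end + 4


def _read_by_content_length(buf: bytes, req: Request, off: int):
    n = int(req.headers.get("content-length", "0"))
    if len(buf) < off + n:
        return None, buf
    req.body = buf[off:off + n]
    return req, buf[off + n:]


def _read_chunked(buf: bytes, pos: int):
    """Decode a chunked body from pos; return (body, end_pos) or None if incomplete."""
    body = b""
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            return None
        size = int(buf[pos:eol].split(b";")[0], 16)  # chunk-size, extensions ignored
        pos = eol + 2
        if size == 0:  # last-chunk; skip the CRLF that ends the (empty) trailer section
            return (body, pos + 2) if len(buf) >= pos + 2 else None
        if len(buf) < pos + size + 2:
            return None
        body += buf[pos:pos + size]
        pos += size + 2


def frontend_parse(buf: bytes):
    """Lenient front end: honours Content-Length and ignores Transfer-Encoding."""
    head = _parse_head(buf)
    if head is None:
        return None, buf
    req, off = head
    return _read_by_content_length(buf, req, off)


def backend_parse(buf: bytes):
    """Back end: prefers Transfer-Encoding: chunked, falls back to Content-Length."""
    head = _parse_head(buf)
    if head is None:
        return None, buf
    req, off = head
    if req.headers.get("transfer-encoding", "").lower() == "chunked":
        decoded = _read_chunked(buf, off)
        if decoded is None:
            return None, buf
        req.body, end = decoded
        return req, buf[end:]
    return _read_by_content_length(buf, req, off)


def strict_parse(buf: bytes):
    """Hardened front end: reject any message whose framing is ambiguous."""
    head = _parse_head(buf)
    if head is None:
        return None, buf
    req, _ = head
    te, cl = req.headers.get("transfer-encoding"), req.headers.get("content-length")
    if te is not None and cl is not None:
        raise ValueError("both Content-Length and Transfer-Encoding present")
    if te is not None and te.lower() != "chunked":
        raise ValueError("unsupported Transfer-Encoding: %r" % te)
    if cl is not None and not cl.isdigit():
        raise ValueError("malformed Content-Length")
    return backend_parse(buf)


def parse_stream(parser, buf: bytes):
    """Apply parser repeatedly, as a keep-alive connection would."""
    reqs = []
    while buf:
        req, buf = parser(buf)
        if req is None:
            break
        reqs.append(req)
    return reqs


# Constructed traffic. The smuggled prefix has no terminating CRLF, so whatever
# arrives next on the back-end connection is absorbed into its header block.
SMUGGLED = b"GET /admin HTTP/1.1\r\nX-Stolen: "
ATTACKER = (
    b"POST / HTTP/1.1\r\nHost: app.example\r\n"
    + b"Content-Length: %d\r\n" % (len(b"0\r\n\r\n") + len(SMUGGLED))
    + b"Transfer-Encoding: chunked\r\n\r\n"
    + b"0\r\n\r\n" + SMUGGLED
)
VICTIM = b"GET /account HTTP/1.1\r\nHost: app.example\r\nCookie: session=s3cr3t\r\n\r\n"


def demo():
    """Return (what the front end saw, what the back end saw) for the same bytes."""
    return parse_stream(frontend_parse, ATTACKER + VICTIM), parse_stream(backend_parse, ATTACKER + VICTIM)
```

The front end sees two ordinary requests (POST / and GET /account); the back end sees POST / with an empty chunked body, then GET /admin carrying the victim's Cookie header. `strict_parse` raises on the attacker's message because it carries both framing headers, which is the check that closes this class of desync.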
Q: What findings is the team most interested in surfacing? What types of bugs are most valuable to Visma?
The most valuable bugs are those that would lose us our customers’ trust, such as sensitive data leaks. High and critical bugs are rare, but they could have huge consequences if not surfaced and resolved before they are exploited. On receiving a critical bug, your initial reaction is fear, then you realize you have to act on it fast and, after that, the fun part comes: we tell our teams to celebrate their bugs, because they were discovered in time. Sharing the experience and learnings from these bugs is rewarding because the rest of the team will learn from it. We run these sharing sessions quite often, where our internal teams present their experiences and lessons learned from bug bounty reports.
Q: Do you have any advice for hackers approaching Visma’s program?
A few pieces of advice for the hacker community engaging in our program:
Always check the scope! We only pay bounties for assets in scope; we don’t want hackers to spend a lot of time researching a vulnerability and then not get paid for it. We do, however, also have a responsible disclosure program for everything else.
Subscribe to the program updates! Most of the bugs are found in the first two weeks after a new asset is added, so it’s important to start testing immediately. We try to add a new asset every second week on average.
Go back and test older assets! Most services deploy new versions almost daily. If an asset has no reports in the last few months, it’s a sign that it may have been ignored by other testers.
Retest older reports! Unfortunately, some fixes will not be 100% complete, so there is always a chance to find new ways to bypass fixes and report that as a new vulnerability.
Q: Do you have any advice for other organizations or security leads in regards to running a bug bounty program?
Having a successful bug bounty program is a group effort. Firstly, you need management support to make the magic happen; second, you need a triaging team working hard to maintain the quality and program metrics to attract hackers to the program. Finally, you need the agility and engagement of the development teams to commit to fixing bugs fast. The more visibility you can give to development teams into the bug bounty program, the more secure the development lifecycle will be.
Treat the hackers as the valuable asset that they are! If hackers like a program, they will keep coming back to it.
Disclosing bugs may sound scary for some, but we would really recommend doing this since it will help hackers to find more bugs and maintain transparency. Hackers are able to learn from each other, retest your fixes, and showcase their hard work.
Q: What’s next for Visma’s bug bounty program?
We will continue our journey to increase security and confidence by adding new assets to the scope. Our goal is to add two new teams every month.
We also plan to start an internal bug bounty program soon. We have the responsible disclosure and the bug bounty program to manage vulnerability reports from external researchers but sometimes we also find issues internally. This can happen by chance, or when employees are bored and actively look for vulnerabilities. Therefore, we want to encourage our employees to develop their skills in security testing and share their findings internally.
We also plan to consolidate our responsible disclosure program alongside our bug bounty program on HackerOne to help direct hackers to a single reporting channel for vulnerabilities.