Strengthening Cybersecurity: Breaking Down inDrive’s Bug Bounty Program

Learn how inDrive’s bug bounty program strengthens cybersecurity by collaborating with white hat hackers to detect vulnerabilities and optimize security processes.

Introduction

In a world where digital technology is infiltrating every aspect of our lives, cybersecurity is of paramount importance. Companies around the world are investing heavily in protecting their data and systems from cyber threats. One of the most effective methods of strengthening security is to work with independent security experts, also known as “white hat hackers.”

This article will be useful for companies that are planning to launch a bug bounty program or have already launched one. We will share our experience in organizing and developing the bug bounty program at inDrive and how it has helped strengthen our cybersecurity.

We would also like to point out that you should not limit yourself to the bug bounty program, as it is not a panacea for solving all security problems. Bug bounty can help you identify some vulnerabilities, but it does not cover the full range of possible threats. You need to take a comprehensive approach to security that includes the use of various security tools and techniques.

As the graph below shows, different tools detect different numbers of vulnerabilities, which emphasizes the importance of combining methods such as automated scanners, static and dynamic code analysis, security audits, and employee training.

Beginning

Initially, our bug bounty program worked in closed mode. This allowed us to control the flow of bughunters, gradually send out invitations and track the results. This approach gave us the opportunity to quietly debug and improve internal processes. Thanks to this, we were able to prepare for going public.

Integration and Triage

Identifying vulnerabilities in a bug bounty program is a key step. We use automatic integration with Slack and Jira to make this process fast and efficient.

Slack

We use two channels:

• The main channel for communicating key events in report processing. This includes notifications of new reports, task assignments to engineers, and vulnerability disclosure requests. This channel allows the team to always be aware of critical events.

• An additional channel is for employees involved in the initial analysis and triage of reports. Notifications of non-urgent activities such as report comments and triage details are sent here.

Account Matching

Setting up a mapping between HackerOne and Slack users ensures that important comments and report notes are directly delivered to the responsible parties, minimizing the risk of missing important information. This simplifies communication between the inDrive security team and researchers, facilitating more effective vulnerability remediation.

Jira

Integration with Jira allows you to create a task only in the right place with a specific set of fields. Using the Jira Automation functionality, we created our own task processing rules to improve our internal vulnerability handling processes, allowing us to efficiently organize this process. Below is an example of this automation:

• Found By Automation: The system automatically populates the Found By field with the bug bounty value, indicating the origin of the task for analytics.

• Task Assignment: Using rules, a task is automatically assigned to an engineer, ensuring even distribution of work.

• Slack Notifications: When a task is assigned, a notification is sent to Slack that mentions the engineer and provides all the necessary information.

For critical vulnerabilities:

• Messages to a dedicated Slack channel: Notification of a critical vulnerability is sent to a separate channel for immediate response.

• Sending SMS messages: In addition, SMS notifications are sent to the responsible persons.

Fighting Spam With Triggers

Triggers in HackerOne are a powerful tool that allows you to automate various actions in response to certain events related to new vulnerability reports. They greatly simplify the work of the security team and help optimize the process of responding to reports.

For example, when rebranding the company from inDriver to inDrive, we often encountered reports of problems with social media accounts.

We customized the trigger as follows:

• Trigger condition: If the report contains words from the list: media, social, Facebook, Twitter, Instagram.

• Trigger action: When the specified condition is detected, a pop-up window with the following warning text is automatically displayed to the researcher: “Hi, it looks like you are about to report an issue with social media links (Instagram, Twitter, Facebook). Our company is in the process of rebranding and we are aware of this issue. We are temporarily not accepting reports for this issue, so we urge you to properly acknowledge the issue and familiarize yourself with the security policy before proceeding and submitting a report.”

This not only helps to reduce the number of inappropriate reports but also educates researchers, improving the quality of future reports.

Campaign and Telegram Channel

We understood that over time the activity in the program would decrease. This is a natural process due to the fact that the most obvious vulnerabilities have already been found and eliminated, and attracting the attention of researchers again requires additional efforts. To maintain a high level of engagement and interest in our program, we took a number of measures.

One of the key tools was our specialized Telegram channel for bughunters. This channel serves not only as a means of communication but also as a platform for sharing useful information. We actively share information about our application and provide materials that can help researchers find vulnerabilities in our services. This may be technical documentation, descriptions of new features, or architectural changes that may be of interest from a security point of view.

Key benefits of our Telegram channel:

• Official updates: Direct and reliable news from the inDrive security team.
• New Feature Announcements: Information about new services and features that may be of interest to bug bounty enthusiasts.
• Promotions and Events: Information about special offers and events related to the bug bounty program.

More information about the channel can be found by following the link — https://t.me/indrive_bbp.

In addition, to attract both new and experienced bughunters, we regularly launch campaigns on the HackerOne platform. Campaigns allow us to stimulate bughunters’ interest in our program. We also announce all campaign launches via our Telegram channel, which allows us to quickly convey information to the audience and encourage them to participate.

For example, below are statistics from one of the campaigns:

These measures allow us to keep interest in the bugbounty program at a high level, ensuring a constant flow of fresh ideas and findings, which ultimately contributes to improving the security of our products.

Our tips will help you dramatically improve your time to every stage of vulnerability processing — from time to first response to triage to time to bounty.

And this, in turn, will increase the trust and satisfaction of the bug hunters participating in your program.

In conclusion, our experience in organizing and developing a bug bounty program at inDrive is a vivid example of how hiring external security experts can significantly strengthen a company’s cyber defense. Thanks to our community of white hat hackers, we were not only able to identify and remediate many vulnerabilities but also optimized our internal processes, which increased our efficiency and improved the protection of our systems and data.

We thank all participants of our bug bounty program for their invaluable contribution to inDrive’s security and invite new researchers to join our community. Together, we will make the digital world safer!