However, part of how Salesforce builds trusted relationships with its network of ethical hackers involves getting to know who is on the other side of the keyboard. That’s one reason why last month, the Salesforce Bug Bounty program helped bring this virtual world together in person to participate in a live hacking event, hosted by HackerOne. Salesforce and HackerOne invited over 100 of the world’s top ethical hackers to “break into” select Salesforce products and uncover potential security concerns at CodeNode in London. The hackers competed in a series of hacking competitions, including “Vigilante,” “Exterminator,” and “Best Collaboration.”
Putting a face to a screen name
Ethical hackers, or security researchers, are authorized to hack products and systems to uncover programming flaws or security concerns before any malicious hackers can find and exploit them.
Joe is one such hacker — the man behind the screen name @82af5ddffbb795. New to the Salesforce ethical hacker network, he emerged as one of the top performers from the event, winning the coveted title of “Vigilante,” or Most Valuable Hacker. While he prefers to maintain his anonymity online, he regularly participates in live hacking events because of the value the in-person connection brings.
“I’ve been a bug bounty hacker for 11 years, and I always learn something new at in-person events,” he said. “The engineers at Salesforce were invaluable in clarifying complex details which helped me in finding vulnerabilities. Together, we made Salesforce more secure, I learned a lot of new techniques and tricks, and the bounties were great, too!”
“The ethical hacking community, unlike malicious hackers, benefits from knowledge-sharing and building trust among one another,” Joe said. “Sure, we all compete for cash rewards, but the ultimate goal is to thwart potential threats, and it’s something we all work towards together.”
Another hacker, Elamaran Vengatraman, aka @egrep, was one of the top bounty earners from the event and submitted reports that were awarded “Most Impactful” and “Most Unique.”
“Recognition and appreciation fuel the fire within us, inspiring us to push boundaries and achieve greater heights,” he said. “The actions of the Salesforce team demonstrate their profound respect for researchers and their commitment to fostering innovation. I’ve always liked the quote, ‘Leave one bug alive and the systems are never safe,’ because it means this type of ongoing collaboration is critical for protecting people and their data.”
Benefits beyond the bounty
Building relationships with and expanding Salesforce’s ethical hacker network was just one benefit of the in-person collaboration. Identifying and addressing the high volume of potential vulnerabilities in such a short amount of time was another key element.
“We had all hands on deck, so our engineering team was able to start resolving an issue as soon as it was reported,” said Lindsey Swartz, Security Program Manager at Salesforce. “That was one of the most valuable aspects of being together in person — the finding, the fixing, and then verifying the fix internally and externally, all in real time.”
The virtual aspect of the Bug Bounty program makes it one of the company’s most scalable and efficient security measures, with the ability to simultaneously enlist ethical hackers across the globe for 24/7 testing. However, this can sometimes lead to delayed communication between time zones.
“When I participate virtually from Japan, I often receive responses to the reports I send after 1 a.m. my time, making in-depth conversations difficult,” said @RyotaK, who received the title of “Exterminator,” or Most Impactful Hacker, at the event. “By meeting in person with the Salesforce team, we were able to discuss difficult problems and provide proofs of concept in real time.”
Although the Salesforce security team hosts monthly debriefs with ethical hackers to discuss their findings, this level of access to their thinking was unique.
“We had the opportunity to look over their shoulders and see how hackers work in real time,” said Swartz. “We’ve worked with many of these researchers for years, but this was the first time since 2019 we’ve had the opportunity to meet them face to face, sit in the room with them, and see how they collaborate with and complement one another’s skill sets to discover even more impactful bugs than they might individually.”
“We could see multiple hackers’ screens in a room all at once, and it was eye-opening to see each of their nuanced approaches,” said Andrew Leeth, Director of Product Security at Salesforce. “With the constantly evolving threat landscape, these first-hand learnings are critical for getting inside the mind of hackers — especially how they are leveraging AI — to help reinforce our internal security efforts.”
Bug Bounties by the numbers
Salesforce launched its bug bounty program in 2015 – one of the first enterprise organizations to do so – and the initiative continues to be one of its most impactful security programs. In 2022, the Salesforce and Slack Bug Bounty Programs awarded over $2.9 million in bounties, with individual payouts of up to $48,000. Since the program’s inception, Salesforce has awarded $15.1 million in total bounties.
Salesforce continuously evolves its bug bounty program, engaging with more ethical hackers to protect nearly 100% of the company’s growing product portfolio and to facilitate hacker-powered testing of many products earlier in their development cycles.
To inquire about participation in Salesforce’s invitation-only bug bounty program, contact email@example.com