{"id":69068,"date":"2023-07-24T06:00:00","date_gmt":"2023-07-24T13:00:00","guid":{"rendered":"https:\/\/www.salesforce.com\/?p=69068"},"modified":"2023-07-25T13:53:44","modified_gmt":"2023-07-25T20:53:44","slug":"salesforce-bug-bounty-event","status":"publish","type":"post","link":"https:\/\/www.salesforce.com\/news\/stories\/salesforce-bug-bounty-event\/","title":{"rendered":"Virtual Meets Reality: Why Salesforce Joined Forces with 100 of the World’s Top Hackers"},"content":{"rendered":"\n

With online aliases like @82af5ddffbb<\/a>795<\/a> and the ability to work anywhere there\u2019s a WiFi connection, hackers can operate in total secrecy. <\/p>\n\n\n\n

However, part of how Salesforce builds trusted relationships with its network of ethical hackers<\/a> involves getting to know who is on the other side of the keyboard. That\u2019s one reason why last month, the Salesforce Bug Bounty program<\/a> helped bring this virtual world together in person to participate in a live hacking event<\/a>, hosted by HackerOne<\/a>. Salesforce and HackerOne invited over 100 of the world’s top ethical hackers to “break into” select Salesforce products and uncover potential security concerns at CodeNode in London. The hackers competed in a series of hacking competitions, including “Vigilante,” “Exterminator,” and “Best Collaboration.<\/p>\n\n\n\n

Throughout the event, Salesforce awarded<\/a> over $480,000 in bounties \u2014 with individual payouts as high as $32,000 \u2014 in exchange for over 220 suspected vulnerability reports<\/a>. <\/p>\n\n\n\n

Putting a face to a screen name<\/h2>\n\n\n\n

Ethical hackers, or security researchers, are authorized to hack products and systems to uncover programming flaws or security concerns before any malicious hackers can find and exploit them. <\/p>\n\n\n\n

Joe is one such hacker \u2014 the man behind the screen name @82af5ddffbb795<\/a>. New to the Salesforce ethical hacker network, he emerged as one of the top performers from the event, winning the coveted title of \u201cVigilante,\u201d or Most Valuable Hacker. While he prefers to maintain his anonymity online, he regularly participates in live hacking events because of the value the in-person connection brings. <\/p>\n\n\n\n

\u201cI’ve been a bug bounty hacker for 11 years, and I always learn something new at in-person events,\u201d he said. \u201cThe engineers at Salesforce were invaluable in clarifying complex details which helped me in finding vulnerabilities. Together, we made Salesforce more secure, I learned a lot of new techniques and tricks, and the bounties were great, too!\u201d <\/p>\n\n\n\n

\u201cThe ethical hacking community, unlike malicious hackers, benefits from knowledge-sharing and building trust among one another,\u201d Joe said. \u201cSure, we all compete for cash rewards, but the ultimate goal is to thwart potential threats, and it’s something we all work towards together.”<\/p>\n\n\n\n

Another hacker, Elamaran Vengatraman, aka @egrep<\/a>, was one of the top bounty earners from the event and submitted reports that were awarded \u201cMost Impactful\u201d and \u201cMost Unique.\u201d <\/p>\n\n\n\n

\u201cRecognition and appreciation fuel the fire within us, inspiring us to push boundaries and achieve greater heights,\u201d he said. \u201cThe actions of the Salesforce team demonstrate their profound respect for researchers and their commitment to fostering innovation. I\u2019ve always liked the quote, \u2018Leave one bug alive and the systems are never safe,\u2019 because it means this type of ongoing collaboration is critical for protecting people and their data.\u201d <\/p>\n\n\n\n

Benefits beyond the bounty<\/h2>\n\n\n\n

Building relationships with and expanding Salesforce\u2019s ethical hacker network was just one benefit of the in-person collaboration. Identifying and addressing the high volume of potential vulnerabilities in such a short amount of time was another key element. <\/p>\n\n\n\n

\u201cWe had all hands on deck, so our engineering team was able to start resolving an issue as soon as it was reported,\u201d said Lindsey Swartz, Security Program Manager at Salesforce. \u201cThat was one of the most valuable aspects of being together in person \u2014 the finding, the fixing, and then verifying the fix internally and externally, all in real time.\u201d <\/p>\n\n\n\n

The virtual aspect of the Bug Bounty program makes it one of the company\u2019s most scalable and efficient security measures, with the ability to simultaneously enlist ethical hackers across the globe for 24\/7 testing. However, this can sometimes lead to delayed communication between time zones. <\/p>\n\n\n\n

\u201cWhen I participate virtually from Japan, I often receive responses to the reports I send after 1 a.m. my time, making in-depth conversations difficult,\u201d said @RyotaK<\/a>, who received the title of \u201cExterminator,\u201d or Most Impactful Hacker, at the event. \u201cBy meeting in person with the Salesforce team, we were able to discuss difficult problems and provide proofs of concept in real time.\u201d<\/p>\n\n\n\n

Although the Salesforce security team hosts monthly debriefs with ethical hackers to discuss their findings, this level of access to their thinking was unique. <\/p>\n\n\n\n

\u201cWe had the opportunity to look over their shoulders and see how hackers work in real time,\u201d said Swartz. \u201cWe\u2019ve worked with many of these researchers for years, but this was the first time since 2019 we\u2019ve had the opportunity to meet them face to face, sit in the room with them, and see how they collaborate with and complement one another\u2019s skill sets to discover even more impactful bugs than they might individually.\u201d<\/p>\n\n\n\n

\u201cWe could see multiple hackers\u2019 screens in a room all at once, and it was eye-opening to see each of their nuanced approaches, said Andrew Leeth, Director of Product Security at Salesforce. \u201cWith the constantly evolving threat landscape, these first-hand learnings are critical for getting inside the mind of hackers \u2014 especially how they are leveraging AI \u2014 to help reinforce our internal security efforts.\u201d.<\/p>\n\n\n\n

Bug Bounties by the numbers<\/h2>\n\n\n\n

Salesforce launched its bug bounty program in 2015 \u2013 one of the first enterprise organizations to do so \u2013 and the initiative continues to be one of its most impactful security programs. In 2022, the Salesforce and Slack Bug Bounty Programs awarded over $2.9 million in bounties, with individual payouts of up to $48,000. Since the program\u2019s inception, Salesforce has awarded $15.1 million in total bounties. <\/p>\n\n\n\n

Salesforce continuously evolves its bug bounty program, engaging with more ethical hackers to protect nearly 100% of the company\u2019s growing product portfolio and to facilitate hacker-powered testing of many products earlier in their development cycles.<\/p>\n\n\n\n

To inquire about participation in Salesforce\u2019s invitation-only bug bounty program, contact security@salesforce.com<\/p>\n\n\n\n

Explore further<\/h4>\n\n\n\n