Why Salesforce Paid Hackers $2.8M in 2021 to “Break Into” Its Products
Salesforce’s Bug Bounty program enlists ethical hackers to help keep customer data secure
It may sound counterintuitive, but hackers actually help Salesforce keep customer data secure. In 2021 alone, Salesforce rewarded ethical hackers with over $2.8 million in “bounties” for helping to protect its systems.
All Salesforce products are built with a security-first approach. Just like new vehicles undergo crash tests before going to market, Salesforce’s security team ensures product and feature changes are rigorously evaluated before they are deployed. After all internal testing, Salesforce taps a trusted network of ethical hackers to kick the tires on its products through a “bug bounty program” that pays rewards, or bounties, for responsibly disclosing security issues. This security research takes place in non-production testing environments, known as a sandbox, that mirrors real user functionality to safely simulate attacks without potentially exposing actual customer data.
Last year, ethical hackers submitted reports of more than 4.7K suspected vulnerabilities to Salesforce. Salesforce engineers assessed each report and resolved any valid security vulnerabilities, paying out bounties as high as $30,000 for some findings.
What is an ethical hacker?
Ethical hackers, also known as white-hat hackers or security researchers, use their extensive computer and programming knowledge for good. Unlike the hackers associated with phishing, ransomware, and other cyber attacks, ethical hackers are authorized to “break into” products and systems to uncover programming flaws or security concerns in exchange for payment. This allows engineers to apply fixes to protect end-users before any malicious hackers have a chance to exploit them.
“I was attracted to becoming an ethical hacker after starting my career as a developer,” said Inhibitor181, an ethical hacker who participates in Salesforce’s bug bounty program. “Not only is it more stimulating and less monotonous to use my programming skills to legally hack into global companies’ products, but it also allows me to do my part in preventing cybercrime. Not all hackers are bad.”
How does Salesforce’s Bug Bounty Program work?
Salesforce was one of the first enterprise organizations to operate a bug bounty program. Since launching its program in 2015, Salesforce has awarded over $12.2 million in total bounties, including $9.5 million since 2019, and it continues to see investments in this cybersecurity measure pay dividends.
In addition to the disclosure of more than 22.2K reports since its inception, the program has also helped Salesforce enhance its preventative security efforts from the inside out. For example, engineering teams use data from the bug bounty program to better understand the tendencies and methodologies of malicious hackers.
“Being able to understand the methods the hackers use to find vulnerabilities allows me to employ the same methods to better secure our software,” said Anup Ghatage, a Salesforce Software Engineer.
What’s next for Salesforce’s Bug Bounty Program?
Salesforce continuously evolves its bug bounty program, engaging with more ethical hackers to protect the company’s growing product portfolio, continuing to facilitate hacker-powered testing of many products even earlier in their development cycles. As part of this initiative, in 2021, the company consistently ran targeted monthly promotions for the first time, offering multiplied bounties – in many cases, double or triple the standard reward – in exchange for verified reports on a specific Salesforce product. For example, the Trailhead Slack App served as a target for a bounty promotion in August, before its official release at Dreamforce in September.
Salesforce is committed to advancing its bug bounty program and partnering with ethical hackers. The ability to find and fix vulnerabilities before products are rolled out to users is core to Salesforce’s broader security initiatives and maintaining trust among its customers, partners, and entire ecosystem.
To learn more about participation in Salesforce’s invitation-only bug bounty program, contact firstname.lastname@example.org.