Taking security to the next level: Our Bug Bounty is going public

At Skyscanner, the trust of our travellers is our bread and butter. And for our highly experienced Security team, protecting traveller data is their top priority. As part of our investment in security, we kicked off our Bug Bounty project with Bugcrowd in 2016. Operating on an invite-only basis, Bugcrowd invited select researchers from around the world to scour our website and app for security vulnerabilities.

The programme has largely been a success — the spread of vulnerabilities discovered has helped us identify the areas in which we need to support our Engineering Squads with training and Threat Modelling, and where we should focus on developing security tools to help developers build secure services. Today we are pleased to announce we are launching a public Bug Bounty programme. We believe this is the best way to take this programme forward and ensure we get access to a wide pool of talent to assist us in ensuring the security of our applications, while also strengthening our relationship with the security community.

When we started our Bug Bounty two years ago, the researcher pool was small but active enough to keep our recently-formed Security team on their toes. Our “you build it, you run it” philosophy includes security, and by encouraging a culture of security in engineering, we are both able to find and fix vulnerabilities quickly while maintaining rapid growth in our product.

Over time (and alongside rapid growth of our team), we have invited 894 researchers to the programme who have submitted a total of 261 valid submissions, with critical findings earning bounties of $2000 each. We currently process incoming submissions in an average of seven days, with severe vulnerabilities normally processed and fixed on the same day. The scope and focus of the programme has continued to evolve and expand; it now covers most of our website and apps. This has helped us dramatically improve the security our services, and has given us the confidence to launch a public programme.

After two years operating a private programme, we have developed better processes for managing vulnerabilities, like the Vulnerability Scoring System that defines SLAs to give developers clear guideline on how to prioritise vulnerabilities. We automated this vulnerability workflow in JIRA, which lets us track adherence to SLAs automatically. At the same time we have developed a number of automated tools to prevent issues from ever entering production: CFripper will tear down insecure resources created in AWS and SonarQube help identify insecure patterns and secrets in code.

We look forward to contributions to our programme from the fantastic security community. We’d also like to extend a big ‘thank you’ to those who participated in our private programme — we look forward to to your future submissions. You can find our public Bug Bounty at https://www.bugcrowd.com/skyscanner. To submit a vulnerability, please first sign up for free as a Bugcrowd researcher then submit your findings through the platform.

About the authors

We are Alex Harriss, Oliver Crawford and Christian Martorella. We are part of the Product Security team based in London, Barcelona and Edinburgh. We look at the security of our platform, Software Development Lifecycle, Security Engineering and Automation.

SEE the world with us

Many of our employees have had the opportunity to take advantage of our Skyscanner Employee Experience (SEE) — a self-funded, self-organized programme to work up to 30 days during a 24 month period, in some of our 10 global offices. There is also the opportunity to work for 15 days per year from their home country, if an employee is based in an office outside of the country they call home.

Like the sound of this? Look at our current Skyscanner Product Engineering job roles.