Moving Fast with Security

Our driving purpose at Ibotta is to reward our users with cash rebates that make a difference in their lives. They have entrusted their earnings to us, and it’s our responsibility to do our best to safeguard their accounts.

To that end, we’ve expanded our partnership with Bugcrowd to provide an additional layer to our security strategy, with the added benefit of improving our workflow by crowdsourcing our vulnerability testing. Bugcrowd is a security research company that designs, manages and supports crowdsourced security testing programs.

INTEGRITY AS A VERB

Moving forward with Bugcrowd is a strategy that supports two of our core values at Ibotta:

Integrity is a tenet that informs decisions across every team. As we rapidly expand both our engineering team and user base, we continue to evolve our security strategy to protect our users’ accounts and our code base. If we’re not proactively looking for our vulnerabilities, then how can we protect our users from them?

Outhustle means we have a commitment to our users to never be stagnant or slow to innovate. We move fast to improve the app and add features as quickly as possible. Balancing speed and security is what makes Bugcrowd such a successful partner.

FROM STATIC TO ACTIVE

Ibotta has had continuous integration testing in place from the start. From the very beginning, Brakeman, the Ruby on Rails static analysis tool, has been a part of our automated test suite. This solution protects our backend API code and gives us confidence that all common or basic security mistakes and vulnerabilities in our code are addressed.

As we’ve grown, our codebase has expanded along with our engineering team, and we need the ability to catch exploits unique to our business logic.

This is why we began to use external platforms to perform penetration testing against our apps and API platforms. We discovered Bugcrowd and the idea of bug bounty programs. A bug bounty program would give us the skills of the best security researchers from across the globe, and a service like Bugcrowd takes the administrative burden of recruiting and payment off of our plate.

IT TAKES A CROWD

Bugcrowd harnesses the power of more than 60,000 trusted security researchers to surface critical software vulnerabilities before the bad guys can take advantage of them. Their Crowdcontrol platform was designed from the ground up to service the time-strapped enterprise user, and their dedicated team of application security engineers has been here since day one, triaging submissions to improve the signal-to-noise ratio of the results.

Since the start, Bugcrowd has worked closely with our security team to define the testing requirements and scope of our needs. After evaluating our current testing capabilities and organizational goals, we decided on the private bug bounty program, which brings an invite-only model to our application security strategy.

With Bugcrowd, we are able to extend our security team with thousands of researchers with skills and time not available to us internally. We get better results with the right, trusted researchers for our program.

SCALING UP

To start, we ran one-time, private bounty programs with Bugcrowd. These showed immediate results, finding some potential exploits that we were able to rapidly patch.

In 2015, we ran annual private bounty programs and felt far more secure after each program. However, Ibotta is an agile dev shop, and we launch multiple deploys daily. A new bug could inadvertently be introduced with each deploy, and with a rapidly growing engineering team we were shipping more code than ever before.

After seeing the kind of success we could achieve with our short-term program with Bugcrowd, we decided to graduate to an ongoing partnership in January 2017.

MOVING FAST

With an always-on, private bug bounty program, we don’t have to slow down development. Knowing we have the highest skilled researchers hunting for vulnerabilities gives us confidence in our security program.

Every week, we bring additional researchers into our program. This ensures a fresh set of eyes is always on the lookout for security issues with Ibotta. Occasionally, a white hat hacker will contact us directly outside of the program with a new issue. With Bugcrowd, we are able to add them to the program and reward them via the same system.

We move fast at Ibotta. We never want to move so fast that we are neglecting our users’ security. Partnering with Bugcrowd helps us meet our commitment to users.