Announcing the Launch of the Latch Bug Bounty Program

Latch Engineering Blog
3 min read, Jun 8, 2020

Author: Michael Barrett, CISO

The Latch M

During my time as the Chief Information Security Officer (CISO) at PayPal, I had the interesting experience of launching one of the earliest commercial bug bounty programs. While Microsoft, Google, and Facebook had already beaten me to the punch, I considered myself in pretty good company. Back then, the bug bounty platform companies that we now take for granted, such as HackerOne, Synack, Bugcrowd, and others, didn’t exist. We had to make up the entire thing more or less on the fly, and it took us a few months to get the program up and running smoothly.

Implementing a bug bounty (BB) program is an extremely effective way of reducing the exploitable vulnerabilities that exist in code. By the time a BB program reaches steady state, almost all of the cruft will have already been found. Thanks to the existence of bug bounty platform companies, deployment is significantly easier today than it was a decade ago, when programs relied on email and spreadsheets, making it easy to inadvertently “lose” a bug report or two. Now, these programs are quite easy to spin up and easy to integrate into the development process. Like many, we use the Atlassian platform.

At Latch, we build smart access products, and it’s always been a core value that those products are appropriately secure, both physically and logically. As such, we have a strong vested interest in ensuring that we’ve smashed all of the code vulnerabilities that might exist in our firmware and software.

I am, therefore, very pleased to announce that we’ve recently launched our own bug bounty program.

We’re approaching this in phases, as our environment is sufficiently complex to require a slower ramp-up period rather than attempting 100% coverage from the start. To guarantee that our users are not adversely impacted by our bug bounty program, we have set up an independent environment for the program, which is kept in sync with production but uses a separate database instance.

The first phase is focused on the web applications that are used to manage our fleet of locks and the back-end APIs that support them. I’d like to take this opportunity to publicly thank Jensec, who has done yeoman’s work in helping secure this part of our codebase. Up to this point, our program has been a small, private one within the HackerOne platform.

The second phase is focused on our mobile apps for residents as well as property managers. This is a little complex, as we have separate apps for these two constituents, as well as both iOS and Android versions. Given our decision to institute a separate back-end environment, we’ve also had to solve the problem of how to distribute these apps to security researchers, since we can’t distribute them via the classic app store model. When we enter this phase in a few weeks, we’ll significantly increase the number of HackerOne security researchers.

The final phase of our bug bounty program will be focused on our hardware. Latch has put a lot of effort into designing and building our products such that authorized users can unlock devices easily using different modalities. But for users who are not authorized, we have gone to huge lengths to make sure that there are no discrete or systemic vulnerabilities that can be exploited. And while we’re confident in our abilities, our intention with this last phase is simple: reward those who can prove us otherwise.

Once this phase is live, we will ship a test device to any security researcher who wants to test our hardware. In the unlikely scenario that a security researcher claims to have found an exploitable vulnerability, we will fly them to our office in New York City to demonstrate this vulnerability to us in practice. If the researcher is able to open a box, protected by one of our locks, they will find a very nice monetary reward inside.

This final phase is just a teaser for now. In due time, we’ll make a formal announcement of that phase of our bug bounty program and open it up for all to take their shot at fame and fortune!
