Oda is launching our bug bounty program!
We’re super proud to announce to the world that we are launching our official bug bounty program. While we always aim to establish the right level of security before we push to production, we know that we can’t anticipate absolutely everything security-wise at all times, or discover every single blind spot. Our hope is that a bug bounty program will help us cover our bases and become a great supplement to our internal security work.
This program will help us approach application security from a slightly different angle — namely, leveraging the knowledge and skills of talented security researchers from all over the world. To do this, we’ve decided to collaborate with Intigriti to create a private bug bounty program. That means instead of opening the program up to the world, we will have pre-vetted security testers coming into the program by invitation. Intigriti will help us triage the findings, make sure that they’re not duplicates, and set an unbiased severity score on each discovered vulnerability. The severity score is then linked to each bounty so that the most critical findings result in the biggest pay-outs.
Once the security findings are triaged and vetted by our bug bounty provider, they are forwarded to us at Oda.
We will then investigate the findings further in collaboration with the security team, the security champions in our development teams, and our developers. Depending on the severity of each finding, we’ve established expected patch times that we’ve aligned with our development teams.
For the initial phase of the bug bounty program, we’ve put Oda.com, our Android app, and our iOS app in scope. We plan to include more of our services and infrastructure moving forward, and further down the line we might also open the program up to the public.
If you, or someone you know, wants to participate in our bug bounty program, send us an email at security@oda.com
We can’t wait to see what our bounty hunters find so we can both fix any issues and gain a broader understanding of our security needs. This initiative is a very welcome one both within Oda’s developer community and in the company at large. We’re all super excited to see it getting off the ground!