Security at Pathao: Introducing the Bug Bounty Program

Shifat Adnan
Published in Pathao Engineering
Feb 11, 2019

In September last year, Facebook was hit with a security breach that affected nearly 50 million of its users. The year before that, a bug in Mac OS allowed anyone to gain root access to Apple computers with astonishing ease. In the years prior, we have seen global giants like Yahoo and LinkedIn deal with breaches that left millions of their customers’ accounts vulnerable. Security bugs are an unfortunate reality of an ever-evolving technological landscape. However, as the industry marches frantically towards new and more exciting product offerings, it must not lose sight of what is important.

Here at Pathao, we’re locked in a perpetual tug of war between scrambling to deliver a better product experience to our customers and ensuring functional sanity. Despite our best efforts, it’s sometimes possible for unintended bugs to be introduced into the wild. Among these is a particularly nasty category of bugs that may expose us to security issues.

We’re constantly on the lookout for security bugs in any of our customer-facing or internal products. Rare as they are, finding and fixing these bugs is always the topmost priority.

Over the past few months we have taken a number of steps to bolster our security measures. These include:

  1. Forming an internal Red Team that routinely audits our software for vulnerabilities that may have slipped through during regular development. This team exists solely to find, categorize and report bugs in any of our products, and to make sure the fixes hit production as fast as humanly possible. (We’re looking for more experts in this field, so if you’re a budding security researcher who wants to work with a large ecosystem of software products, please get in touch with us at i.like.security@pathao.com.)
  2. Engaging one of the leading security consulting firms in the country to do exhaustive penetration testing and vulnerability assessment of our entire system, daily. They also conduct regular workshops with the wider engineering team to keep them up to speed with the latest practices and discoveries in the industry.
  3. Opening up a Bug Bounty Program to the worldwide security research community, whereby any independent researcher may submit bug reports to us directly. The program comes with appropriate rewards (not only monetary) for different kinds of security bugs of varying degrees of severity.

Submissions from independent researchers are a really critical way for us to be notified of bugs we may have missed, and we encourage them heavily. We keep a very open mind as we go through reports and work to foster a good working relationship with researchers. If you’re passionate about security and want to report bugs, please feel free to engage us through the bug bounty program. However, we ask that you do so in a manner that is responsible and in no way harmful to our customers, and one that honors the guidelines outlined in the link.

We’re working hard to foster an engineering culture that treats security as its foremost concern. We understand that the love and trust our customers place in our products is a responsibility few companies have the fortune to bear. While we are a young company with a lot to do and even more to learn, we believe we will be able to honor that trust.
