Vend’s Journey to Bug Bounty: A Timeline

Cat Salanguit
WE BUILD LIGHTSPEED
6 min read · Oct 21, 2020

Vend’s mission is to create remarkable retail life for the tens of thousands of retail stores we serve. We know this wouldn’t be possible without cultivating trust with every one of our customers by keeping their data and systems resilient to threats.

At Vend, we love fostering new relationships with the security community to help us find security weaknesses in order to keep Vend and its customers safe and secure.

How It All Started

Vend’s cloud-based POS product was already being used by thousands of businesses and had a fairly large attack surface. We engaged reputable independent consultants for penetration testing annually. These services are particularly valuable because the testers follow defined testing methodologies and are equipped with internal resources that an outside party wouldn’t have, allowing them to find security weaknesses over a limited engagement period.

While we received technical reports of security vulnerabilities from them, many other people were still testing Vend applications with no way to report their findings to us.

If a security researcher comes across a security weakness in our product, we want to make sure we have open channels for them to report to Vend. We want to become more resilient against continuous testing and scale our efforts. We do not have the capacity to do all this ourselves. We asked security researchers on the Internet for help — inviting them to test Vend and let us know what they find, through a responsible way of submitting their security findings to us.

2015

Vend started a Vulnerability Disclosure Program (VDP), where the security team received dozens of vulnerability reports through email and resolved them according to the internal team’s priorities. We occasionally sent out Vend “swag” packages to security researchers who reported interesting and valid security findings. In some cases, it was difficult to deliver these packages to remote or rural areas. Monetary rewards, or “bounties”, were not offered at this time. Over the years, an increasing number of reports were submitted, mainly low-hanging fruit without significant impact. The security team didn’t have a consistent and standardised process to triage and remediate the issues, which led them to move to a platform that helped them manage submitted vulnerabilities.

2017

After two years, Vend launched and started to operate a Vulnerability Disclosure Program (VDP) on the HackerOne platform. The decision to move to a hacker-powered security platform helped our team resolve scaling issues, manage duplicate detection, track hacker profiles, implement predefined replies to researchers, and receive report notifications via Slack. The VDP was open to all security researchers from the HackerOne community around the world to test the security of Vend’s product. When launching this program, we anticipated a high volume of incoming reports and hoped the team would be prepared. Most of the issues received in the first two weeks were valid, but the majority were duplicates.

Vend’s Vulnerability Disclosure Program was launched in August 2017. The program page is still accessible here.

Vend received a total of 337 submissions, of which 93 (27.6%) were valid issues with a security impact to Vend. Around 96% of the valid submissions were successfully resolved during this time. While this seems like a low percentage of valid issues, the majority of the invalid ones were duplicate reports.

2018–2019

The VDP continued to run until 2019. In these years, Vend gradually received fewer report submissions. A lack of engagement with the hackers was one of the main issues we experienced during this period, potentially due to there being no financial incentive for their efforts. The security team at Vend created a plan to shut down the VDP in preparation for starting over with a new program. During the last quarter of 2019, report submissions were disabled on our VDP so we could focus our efforts on setting up a Private Incentivised Vulnerability Disclosure Program, aka “Private Bug Bounty Program”.

This chart shows a slowdown in report volume from 2018–2019. Combined, the submission count for this period was 80% lower than in 2017.

2020 — Present *

At the start of this year, Vend decided to transition from the VDP to a Private Bug Bounty Program (BBP). This program was not open to the public hacker community. Only security researchers invited to the program are able to see it. Running a private BBP allowed the security team to set up a more controlled environment by gradually ramping up invitations to a number of trusted and highly vetted hackers. By launching this pay-per-vulnerability program, a new stream of bugs and security issues was added into Vend’s existing vulnerability management process.

To make this work, the team had to prepare key processes and communicate them to the people and stakeholders dedicated to the program. Beforehand, our team prepared policy and bounty payment guidance, an internal SLA, report templates, a security page, and a list of scopes. It also required commitment from the security team at Vend to perform tasks such as triaging incoming bug reports, communicating with hackers, and defining the program rules and the monetary rewards system.

The private bug bounty program at Vend has been running for nearly a year now, and it has run smoothly with the help and support of Vend’s engineering and internal teams. We receive significantly higher quality and higher severity reports compared to our VDP. In just a few months, the volume of reports increased, which indicated a high level of hacker engagement. The hacker community has been fantastic in helping to secure Vend and our customers.

Since the launch of our private bug bounty program, Vend has:

* data as of 20 Oct 2020

Vend’s Top Hackers

We would like to highlight and thank Vend VDP’s Top Hackers on HackerOne since the start of our vulnerability disclosure program. Top participants in our private bug bounty program will be shared next time. We appreciate all your efforts and hope you’ll continue to research and submit any future security issues you find.

Wrapping Up

The Security team at Vend aims to continuously improve the security of its products and services while strengthening the relationship with the hacker community. Running either a vulnerability disclosure or a bug bounty program doesn’t replace penetration testing engagements, but rather complements them.

The program’s policies, scope, bounty reward structure, and our internal team process are evaluated on a quarterly basis with the guidance of our HackerOne program manager to help keep participants engaged in the program. Engaged hackers are key to running a healthy bug bounty program. High engagement results in hackers who take the time to understand Vend’s scope and threat landscape, which in turn results in more high-quality reports. Before we launch the program publicly, we’re making sure we have the capacity and processes in place to ensure hackers have a great experience testing with us.

A massive thanks to all security researchers for their participation in our program and for continuously helping the teams at Vend to improve the security posture of our product.

If you have any questions or would like to receive an invitation to our private bug bounty program, please feel free to reach out to our security team at security@vendhq.com.
