With over 400,000 customers, Citrix is a recognized industry leader both in digital workspace technology and in its approach to hacker-powered security. Spearheaded by Abhijith Chandrashekar, PSIRT Manager, Citrix’s security organization is taking a multi-year approach to creating and expanding its hacker-powered security program. Citrix started its hacker-powered security journey with a private bug bounty program on HackerOne. After gathering learnings and fine-tuning processes, they launched a public bug bounty program, while retaining their private program for specialized assets.
Citrix has a growth mindset, so they’re continually looking at ways to refine the program and stay close to the hacker community. Part of their program evolution has included increasing bounty payout amounts to best support their program goals and running occasional promotions to ensure hackers continue to engage with the assets in their scope.
We sat down with Abhijith to discuss why his team continues to expand their bug bounty program (including doubling the payout for critical vulnerabilities) and to learn about their cloud security and scope expansion plans. Read what he had to say.
Tell us a bit about yourself!
Abhijith Chandrashekar: I’ve been with Citrix for nearly ten years, primarily within the Security org. I’ve held multiple roles within security over the years.
In the last couple of years, Citrix has been investing more in expanding our security organization, allowing me to expand those resources to product security. Creating Citrix’s first private and public bug bounty programs has allowed us to increase security coverage on the products we have put into the scope of our programs. More recently, I have been working towards expanding the team that works on our bug bounty program, with the goal of onboarding more of our products to be covered in scope and driving the future success of the program.
Why is cybersecurity so important to Citrix?
Abhijith Chandrashekar: Citrix builds the secure, unified digital workspace technology that helps organizations unlock human potential and deliver a consistent workspace experience wherever work needs to get done. With Citrix, users get a seamless work experience, and IT has a unified platform to secure, manage, and monitor diverse technologies in complex cloud environments. Since our customers place significant trust in our workspace platforms, ensuring the security of our systems is a critical priority of ours. As a result, we have made a significant investment in expanding our global security organization by building comprehensive teams focused on product security.
Who plays a role in cybersecurity at Citrix?
Abhijith Chandrashekar: We have a collection of teams that focus on different areas of cybersecurity for Citrix. Our bug bounty program is part of our Product Security and Response team, which consists of program managers who review bug bounty submissions as well as a team of engineers that further research and reproduce submissions. Our entire team meets multiple times a week to discuss active issues collectively. These meetings allow us to get perspectives and input from the entire team and ensure that we fairly review and assess the severity of each submission. One of the most exciting benefits of hacker-powered security is seeing creative submissions from the hacker community. With each submission, we get to observe the reported vulnerability from the hacker’s perspective and the ways in which they exploit it.
How have hackers helped Citrix reduce risk?
Abhijith Chandrashekar: Since we began working with HackerOne, we have received reports that identified high and critical severity vulnerabilities, which allowed us to move quickly in remediating them. We also used these findings to perform our own variant analysis to search for and fix any similar or related vulnerabilities for even greater impact.
You started with a private program, then went public, and now you’re increasing the bounty table and setting new policies. What’s driving the updates?
Abhijith Chandrashekar: We have observed great benefits since introducing our bug bounty program that contribute to making our products more secure. We see the most significant and positive impact on our overall product security with reports that demonstrate critical and high severity vulnerabilities. We decided that increasing the bounty awards for these higher severity vulnerabilities would provide greater incentive to the HackerOne community to continue testing our products and reporting on these higher severity findings. We still welcome and encourage reports of all findings, no matter how low the impact.
What’s in the scope?
Abhijith Chandrashekar: Citrix Secure Browser, Athena, Citrix Workspace API, and Citrix Cloud assets are currently included in our public bug bounty scope. We don’t restrict the types of vulnerabilities covered in scope, but we have provided examples of vulnerabilities and their general respective severity. We also recognize that lesser vulnerabilities can be used in a chain to potentially achieve a greater severity score when a proof of concept can demonstrate a higher impact.
What findings are you most interested in receiving?
Abhijith Chandrashekar: We are most interested in reports that demonstrate higher severity impact on our products and services, such as account takeovers, single or multi-tenant data exfiltration, remote code execution, and access control issues that would allow a user to gain access to data they don’t have authorization to view.
Do you have a favorite finding to date?
Abhijith Chandrashekar: We have seen a few memorable submissions. One example was an IDOR submitted via our private bug bounty program that we were able to turn around and fix in only a couple of days. Another memorable finding was an account takeover that was accomplished by chaining a subdomain takeover. Normally, we assess the threat of subdomain takeovers to be Low. In this case, the hacker found a clever way of chaining Low severity vulnerabilities to improve the attack and showcase a greater impact.
How have hackers helped you spot vulnerability trends?
Abhijith Chandrashekar: The bug bounty program has helped us identify and implement class fixes across our products. One of the common vulnerabilities we receive is subdomain takeovers. We aggressively worked on streamlining the asset management process internally and implemented automated detection of vulnerable domains to minimize occurrences of subdomain takeovers. Now, approximately 90% of the subdomain takeovers are detected and remediated internally.
How do you leverage insights from your program?
Abhijith Chandrashekar: The trends from the bug bounty program have been utilized internally to identify root causes of issues and improve the software development and testing processes tremendously. Additionally, we have taken a data-driven approach to showcase the impact of the bug bounty program to Management and Engineering teams, which has changed the way our teams approach bug bounty as a security initiative. The teams, which were previously apprehensive about onboarding their product on the program, now look at it as an achievement and have come up with roadmaps to improve the security posture of their product and onboard it to the bug bounty program.
Do you have any upcoming promotions?
Abhijith Chandrashekar: Yes, as we continue to onboard more of our products into our public and private programs, we may include them in promotions to drive more interest in testing and finding vulnerabilities.
What will long-term success look like for Citrix?
Abhijith Chandrashekar: Our long-term strategy for the program involves onboarding all our cloud services on the private bug bounty program and progressively expanding the scope of the public program. We look forward to increasing active involvement with the HackerOne community and working together to strengthen our product security.
To learn more about the benefits of a bug bounty program, check out HackerOne Bounty.