Bloomberg called them “Uber of the Oceans,” and we think that’s a nifty way to describe the international freight forwarder and customs broker, Flexport. In a nutshell, Flexport handles freight that’s too large for Fedex or UPS-type intermodal carriers.
Flexport is as much of a data management company as it is a critical part of the supply chain for a slew of global manufacturers. Their software uses data from shipping manifests to give customers a clear picture of each shipment’s contents and destination, which they use to choose the most cost-effective shipping methods.
That’s a metric ton of data the Flexport is charged with protecting, and Flexport CTO Amos Elliston is at the helm of their security ops. He recently took a few minutes to answer some questions on their bug bounty program with HackerOne.
Q: Please introduce yourself and tell us what you do at Flexport.
My name is Amos Elliston and I am the CTO of Flexport.
Q: Tell me a bit about Flexport. What’s the quick elevator pitch?
Flexport is a freight forwarder and customs broker. We move large pallets worth of goods (over 200kg) from one country to another. Our goal is to fix the user experience in global freight and drive down transaction costs for our clients.
Q: Why did you decide to launch a bug bounty program? In a recent Stackshare podcast, you guys talk about how you use HackerOne basically for penetration testing. Why did you decide to approach your pen test type services on the HackerOne platform?
We tried pen testing before and found it very expensive and practically useless. We paid many thousands of dollars and they only found a few bugs. The first week we launched HackerOne they found several high priority bugs we fixed immediately. Huge value at the fraction of the costs.
Q: What other activities do you do as part of your software development lifecycle?
Unit testing, continuous integration testing, and code review.
Q: When launching your bug bounty program what are some things you’ve done to keep your invited hackers happy?
We’ve noticed that the biggest factor in hacker happiness has been our response rate. Even when there are disagreements on what constitutes a valid report or on the bounties themselves, staying responsive and engaged as almost always lead to mutual satisfaction
Q: How did you approach structuring your bounty levels?
Originally we kept our bounties very low (think $50). As our program matured and we grew more confident in our site’s integrity, we continually bumped up our bounty levels to encourage hackers.
Q: Let’s talk budget. Many people’s favorite topic. 🙂 How does Flexport create or plan for bounty payouts? Do you earmark a certain figure, just make decisions as you go?
We take input from hackers on what they think is fair. Hackers will often state their case as to why the bug is more severe than we realized, and we’ve often bumped up their bug bounties commensurately.
Q: In the Stackshare podcast chat, your co-worker Evie made a quip about the Ops team basically being like “Hackers took the site down, and we’re paying for this?!?” Can you elaborate on those type of internal conversations? How do you get buy-in from team members including the executive suite and internal stakeholders (like operations)?
Buy-in is actually quite easy for us because we take security very seriously. We have some big clients on our platform sharing their data with us. They trust us to be the best freight forwarder in the world when it comes to data security.
Around July a HackerOne participant launched a scripted attack to probe for different vulnerabilities. By doing so, a certain slow endpoint was bombarded with requests taking down the servers. While frustrating for us at the time, it did teach us some valuable lessons and we quickly implemented rate limiting, request timeouts, and other features to prevent such attacks in the future.
Q: What tips do you have for companies first starting out with a bug bounty program? Any advice?
Probably the most difficult part of the platform is the time commitment during the initial ramp up. It’s inevitable that researchers will find lots of issues in the beginning so it’s helpful to have a dedicated person to triage and respond to each report. We were very fortunate to have a talented engineer, Kevin, take on the role from the beginning. He really enjoys security research so it was a great fit with his interests.
Q: Operationally, how do you handle incoming bug reports? What’s the conversation / transfer of bugs to engineering like? (I know you have a primary engineer FTE dedicated to your program, but just curious how structurally he updates the team – ie, weekly meeting about security, emails, slack channel, etc.)?
We are still at a stage where one person can handle all the reports. He is responsible for triage, resolution, and bounty payouts. Occasionally others will get roped as needed but that is rare.
Q: Where do you see your team evolving to in the future? What goals do you have, what do you want to strive for from a security perspective?
We strive for probably what everyone strives for: 0 security holes. Obviously, it would be very difficult to reach that level. Closely related, we want HackerOne to be the first responder for security holes. Anything found by an actual hacker is a problem.
Q: Let’s roleplay for a minute: Your friend, a co-founder of another company, is thinking of starting a bug bounty program. They ask you why they should have a bug bounty program – what do you say to them?
Start small and private and be prepared for a deluge of reports. One of the best things we did was put a single engineer in charge of handling all HackerOne related issues — protecting the rest of the team from constant interruptions.
Q: Do you have any stories you can tell us about a certain bug that was reported and how it was fixed? Any funny moments or crazy things happen?
We have one active hacker who always provides great and accurate reports. Every time Kevin saw a report from him he would tackle it immediately since the hacker generally pointed out legitimate issues. It wasn’t until about 6 months into running the HackerOne program that Kevin realized Jobert is actually one of the [HackerOne] founders!
Hacker-powered security is keeping the internet safer than ever before. Flexport and over 700 other companies are investing in bug bounty programs. It’s easy to get started with your own bug bounty journey with HackerOne.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.