Security is core to a Password Manager like Dashlane. We build the product to help our customers store their digital identity, credentials, personal information, and payments, in a secure and convenient way.
To make sure we maintain the highest level of security, we rely on many cumulative practices and layers of security. Among them:
- As we develop the product, each line of code goes through a mandatory internal code review with multiple reviewers from our engineering team.
- We run automated tools to detect potential security flaws in our systems.
- Our software development lifecycle is based on the conventions and best practices of standard compliance frameworks and guidelines, such as the OWASP, Google, Apple and Microsoft guidelines, PCI-DSS and SOC2.
- Our dedicated security team supports the whole organization in ensuring we have the right security rules.
- Last but not least, we rely on security bug bounty programs to maximize the number of talented people looking at all our apps and services and raising issues.
What Is A Bug Bounty Program?
A Bug Bounty program is a way for an organization to request white hat hackers and security researchers to look for vulnerabilities and security exploits in their product, and reward them with bounties depending on the severity of the issue they found.
White hat hackers are ethical computer security experts who specialize in finding security issues. They report security bugs to an organization to give it the opportunity to improve the quality and security of its product. They may do this for free, out of a sense of duty to improve security for everyone, or in exchange for a reward. This is often called “responsible disclosure”: when a white hat hacker discovers a security-related issue, they inform the organization and give it the opportunity to fix the vulnerability before it is exploited maliciously or disclosed publicly.
The Dashlane Bug Bounty Program
At Dashlane, we have run a bug-bounty program on a platform called HackerOne since 2015. HackerOne puts us in touch with thousands of security experts and white hat hackers. Our Head of Security likes to call them “the Uber of security.” Just call in some help! We can leverage a massive security community and make sure we have many more eyes on our code than if we were to rely only on Dashlane employees or even on third-party security audit agencies.
In 2015, we started with a private program. On HackerOne, you can restrict who may contribute and progressively ramp up the number of experts who submit issues. This was important while we learnt how to manage the workflow associated with HackerOne submissions.
It is important to build the right internal structure, so that we can evaluate, triage, fix and reward within a reasonable time. Participants in the program expect us to be responsive; otherwise they will focus on other, more attractive programs. Of course, bounty levels matter as well: our bounties range from $200 for a low-severity bug to several thousand dollars for critical ones.
We continued to refine the precise scope of our program, what we considered to be eligible submissions, and the exclusions from the program. This was important to avoid receiving too many useless submissions or false positives.
Once we were confident we were able to handle more submissions, we started increasing the number of private invitations to our program, until we were able to make it fully public in 2017.
We have added security resources to our website to make it easier for people to raise security issues with us. Check out https://www.dashlane.com/security/researchers, which explains all about our program and how to participate. We love it when researchers provide us with proof-of-concept code or screenshots; that really helps us evaluate and reproduce issues more easily. As a best practice, we also publish a PGP key so that you can send us more sensitive information securely if needed.
Tips To Get Started
Security is important for everybody. If you work in software development, you should start your own security protocol very early on, even if you are a young startup. It is easy to do and not that expensive.
- Start as soon as you can with a private program, with 50~100 invited white hat hackers. You will need to offer bounties that are in line with the market to be attractive.
- During those early days, build the internal process to handle submitted vulnerabilities. Tweak the description and configuration of your program.
- In addition to improving the level of security of your product, use your bug bounty program as a marketing tool. Especially for B2B, it adds value to your pitch.
- Ramp up progressively, until you are ready to go public.
- At some point you may observe that the flow of reports is slowing down. That means you need to raise the bounties and/or communicate to hackers about new features; researchers won’t spend their time on old programs with little low-hanging fruit without a good incentive.
Happy bug hunting!