Keepsafe is on a mission to help us keep our private lives as they should be – private.
To date, over 50 million consumers trust Keepsafe to safeguard personal pictures, documents and messages. Their suite of apps includes AppLock, Photos and Documents, each designed to make storing and sharing personal information private and safe.
A cornerstone of Keepsafe’s security strategy is their invitation-only, private bug bounty program on HackerOne. We recently chatted with Keepsafe CTO Philipp Berner about the program, and about Keepsafe’s mission of “making privacy in the digital world as easy as it is in the physical world.”
Q: Philipp, tell us what you do at Keepsafe.
I’m a co-founder and CTO at Keepsafe. I run the engineering organization, I’m deeply involved in product and currently contribute to the iOS app.
Keepsafe gives people the power to control their digital content. In abstract terms we call that content privacy. In plain English, we give people control over who sees what content in their digital life.
In the physical world this is easy as you have separate places depending on the importance of things, from your shoebox to your bank vault. In the digital world this separation does not exist. Everything lives in the same space, and once you send it to someone you don’t have control over where your content goes next.
Because we store important sensitive data for millions of users, it is very important for us to make sure that data does not get into other people’s hands. In technical terms, we need to be good at security to fulfill this promise to our customers.
Q: Why did you decide to launch a bug bounty program? And why now?
We have always been very security conscious in the way we build things. This is mainly due to the fact that it’s core to us and not an afterthought. We did a security audit about two years ago with an external company. They didn’t find much past some minor errors. As we grow as a company, security becomes more of a management task than just code. I wanted to get Keepsafe on a solid track. Other entrepreneur friends had a really good experience with HackerOne and mentioned that they found issues that they would have never thought of otherwise. The approach of crowdsourcing immediately made sense to me. So this is why we started a bug bounty program.
Q: What tips do you have for companies first starting out with a bug bounty program? Any advice?
When we first started out, we didn’t pay that much attention to the program. This was mainly due to limited resources. After hiring a new backend developer I gave the responsibility to one person and we defined clear goals.
Our biggest learnings are that you need to manage your bug bounty program actively. We make sure we respond fast and fix things fast. For that reason, we have slowly added new hackers so we could make sure it’s a good experience for the people who are submitting issues. The other thing we learned is to update the description/policy of your program actively. We realized that we would get smaller issues that are more in the housekeeping department. So we raised the bounties for the things we were looking for.
Q: How would you describe the first few months of your program? What was your reaction?
The first few months of the program had a lot of ‘wow’ effects. Our focus has been mainly around making sure that user content cannot be seen by unauthenticated people, and that no one gets access to our servers and databases. We didn’t pay much attention to unused DNS records and things like that. Turns out you can do a lot of damage with things like unused DNS records that are mapped to a 3rd party service – by pretending that a hacker is Keepsafe.
Q: Tell us a bit about the hackers you are working with. Did anything impress you about them?
The hackers we’re working with seem very systematic. I have the feeling that different people have different focus areas. They look at you and start digging around the areas they know and have developed tooling for over time. Once they find places where there is “food” they keep digging in that area for a while. We run everything on AWS, so we have hackers that have amazingly deep knowledge about the AWS service APIs, which they use to show where we have been missing knowledge.
Q: Why are you working with hackers to improve your security?
Our bounty program is a continuous effort for us. We have been sending messages out when we increased our bounty program and explaining more about the infrastructure and software stack Keepsafe is running on. This leads to more activity and incoming bugs. We have not yet worked with individual hackers.
Q: How does your bug bounty program supplement the work done by you and your security team?
The bounty program for us acts mainly as a validation that things work as expected and to show us areas that we have not thought about. Sharing the vulnerabilities inside the team gives everyone more awareness on what can happen and broadens everyone’s thinking.
Q: Have you found any notable vulnerabilities or paid any large bounties that you would be willing to tell us about?
We have so far paid $5400 worth of bounties for 27 reports. Most of those come from $50-$100 bounties for finding small things. One interesting bug report allowed someone to create a wordpress.com site and map it to one of our subdomains that pointed to an old wordpress.com site that we don’t have online anymore, but whose DNS entry we never removed.
We had one larger report that was very valuable and that I think no security audit firm would have found. So far we haven’t paid out any of our larger $1000 bounties for remote code execution or access to source code.
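The dangling-DNS issue described in the answers above (an unused record still pointing at a third-party host that has since been released) can be caught on the defender's side with a routine zone audit. The script below is an added example, not Keepsafe's or HackerOne's code; the zone export, the provider suffix list and the offline resolver are constructed for illustration.

```python
import socket
from typing import Callable, Dict, List

# Hosted services whose hostnames can be re-registered by a new tenant once the
# original site is deleted (assumption: illustrative list, not exhaustive).
THIRD_PARTY_SUFFIXES = (".wordpress.com", ".github.io", ".herokuapp.com",
                        ".s3.amazonaws.com", ".cloudfront.net")

# Constructed BIND-style zone export, not a real zone; "blog" models the
# forgotten CNAME to a wordpress.com site that is no longer online.
SAMPLE_ZONE = """\
www.example.com.   300 IN CNAME example.com.
blog.example.com.  300 IN CNAME oldsite-example.wordpress.com.
app.example.com.   300 IN CNAME d1234.cloudfront.net.
api.example.com.   300 IN A     203.0.113.10
"""

def parse_cnames(zone_text: str) -> Dict[str, str]:
    """Return {owner_name: target} for every CNAME line in the export."""
    cnames = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[3] == "CNAME":
            cnames[fields[0].rstrip(".")] = fields[4].rstrip(".")
    return cnames

def resolves(hostname: str) -> bool:
    """Live check used outside tests: does the target still resolve?"""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone_text: str,
                  resolve: Callable[[str], bool] = resolves) -> List[str]:
    """Owners whose CNAME points at a third-party host that no longer resolves.

    A non-resolving target is the precondition for takeover: whoever next
    registers that name on the provider inherits our subdomain. Providers with
    wildcard DNS always resolve, so records they host still need a manual
    ownership check; this only flags the unambiguous NXDOMAIN case.
    """
    return [owner for owner, target in parse_cnames(zone_text).items()
            if target.endswith(THIRD_PARTY_SUFFIXES) and not resolve(target)]

# Constructed offline stand-in for DNS: only the old WordPress site is gone.
FAKE_DNS = {"example.com": True, "oldsite-example.wordpress.com": False,
            "d1234.cloudfront.net": True}

def audit_sample() -> List[str]:
    return find_dangling(SAMPLE_ZONE, lambda host: FAKE_DNS.get(host, False))

if __name__ == "__main__":
    print(audit_sample())  # ['blog.example.com']
```

Flagged records should be deleted, or the third-party name re-claimed, before the hosted site is decommissioned; running the audit from the zone provider's export on a schedule turns the one-off finding into a standing control.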
Hacker-powered security is keeping the internet safer than ever before. Keepsafe and over 700 other companies are investing in bug bounty programs. It’s easy to get started with your own bug bounty journey with HackerOne.