TrueLayer’s Bug Bounty Program: 18 months on
Last year, we launched our bug bounty program for the first time. Like most organisations, we regularly have third-party security vendors perform penetration testing (or pentesting) on our services. However, running a bug bounty program alongside regular pentesting has various benefits.
We were particularly interested in leveraging the independent security researcher community and having ongoing, continuous security testing of our services as we release new features. We were also keen to outsource some of the work in triaging security reports, so that our security team could focus on remediating any potential issues.
A bug bounty program is a way to recognise and compensate ethical hackers for reporting security vulnerabilities in your applications or services. It encourages security researchers to look for vulnerabilities and ethically disclose them to you instead of abusing them or selling information about them to malicious actors.
Starting a bug bounty program can seem slightly daunting at first. Would we see a huge increase in attacks on our services? Would we be able to cope with the additional traffic from security researchers? Would we blast through our bounty budget straight away due to critical security issues being reported? Would we have security researchers going rogue and disclosing security issues without asking for permission?
Thankfully, our worst fears didn’t come true.
Moving on from vulnerability disclosure
TrueLayer has run a vulnerability disclosure program (VDP) for some time, listing the rules of engagement and the types of issues we want to hear about. A VDP was an important first step for us because it let security researchers know they could perform tests on our services without fear of repercussions whilst setting rules to protect customer data.
Any time we received a report, a member of the security team would have to spend time investigating the issue and responding to the researcher. Introducing a bug bounty program meant we could outsource this work to another team, and make better use of our time.
For our first foray into bug bounty, we considered a few platforms:
HackerOne
Bugcrowd
Intigriti
Both HackerOne and Bugcrowd are well-established players in bug bounty. However, we liked Intigriti’s strong European presence and researcher knowledge, given TrueLayer primarily operates in the UK and Europe.
We agreed that, to begin, our program would be available to a very small number of their researchers with a high reputation. We’d slowly send further invitations over time in order to avoid the potential sudden influx of security reports to triage. Then, we’d push out a fix for any identified issues within our internal vulnerability remediation timelines. We also started out by having our most important assets in scope first and ignoring lower-risk assets to begin with.
Our bounty amounts — how much we would pay for each reported vulnerability — were initially as follows:
| Tier / Severity | Low | Medium | High | Critical | Exceptional |
|---|---|---|---|---|---|
| Tier 1 | €50 | €250 | €1,000 | €2,000 | €3,000 |
| Tier 2 | €25 | €150 | €750 | €1,000 | €2,000 |
| Tier 3 | €0 | €25 | €200 | €750 | €1,000 |
Luckily, this slow-and-steady strategy proved successful and we weren’t overwhelmed with reports.
Digging into some stats 📊
In our first year, we received 50 submissions. It took around nine days before we received our first submission. We accepted seven submissions as valid in the first year, mostly low severity issues, meaning we didn’t deplete our bounty budget.
After nearly one year of running the program, we reviewed our bounty budget in February 2023. We decided it was time to increase our bounty amounts to stimulate a bit more interest. We increased the exceptional bounty amount by two thirds, and bounties for other severities were also bumped up.
Our bounty amounts were in line with (or slightly better than) the industry median for finance companies for our tier one assets. This did not result in a marked difference in the volume of submissions we received, but we will continue to review our bounty amounts in the future to try to stay competitive.
Our favourite bug bounty submission
In our first year, one submission stood out as a really good find, one that should not only make TrueLayer more secure but can also help protect other websites.
The issue, reported to us by redge4r, also highlights the benefits of offering bonuses through your bug bounty program. Not only did we reward the finding with a bounty, we also paid a bonus for a report relating to a new feature we had just launched. This was the first time we offered a bonus to encourage researchers to focus on one area of our services, and it proved worthwhile.
We were notified of a Multi-Factor Authentication (MFA) bypass issue in the TrueLayer Console in September 2022 through the program. MFA provides an additional level of security to customer accounts to reduce the risks of compromised credentials.
Both Intigriti and TrueLayer’s security team triaged the report within one day, despite some complex technical steps being involved. A testing tool such as Burp Suite, which intercepts HTTP traffic and lets you step through requests, was very helpful in reproducing the issue.
Our investigation found that the issue lay with a third-party provider, with whom we collaborated in order to resolve it. We reported the issue on their Responsible Disclosure Program (which does not reward findings with a bounty). Thankfully, the issue has now been fixed.
The result of this bug bounty report is that other customers of the provider are now more secure, which is a win for everyone, not just TrueLayer.
Going public
This past June, we took the step of making our bug bounty program public. Anyone can now see the details of our program, including in-scope assets and bounty amounts. We’re hoping this encourages more engagement with our program going forward.
Initially, we didn’t see a marked difference in the number of submissions we were receiving. However, after talking to Intigriti, we sent out an announcement to all the security researchers on their platform to let them know our program was public. As a result of this, we saw around ten times the average number of submissions. Thankfully, the Intigriti team triaged for us so we didn’t have to.
What’s next?
Like any bug bounty program, ours isn’t perfect. We’re conscious that it may have a higher barrier to entry compared with other programs. Because our services are largely API based, we also acknowledge that researchers will most likely need to invest more time in understanding how they work. We’ll continue to review the bounty amounts, consider bonuses for particular areas we want to focus scrutiny on, and add new assets in scope. Watch this space.
We would like to thank all the researchers who have contributed to our program over the last 18 months and look forward to working with you in the future.