
Why Salesforce Teams Up With Hackers: The Bug Bounty Program

By Sasha Semjonova

Software companies ‘getting to know’ their hackers isn’t a new concept. It helps them find weaknesses in servers, uncover potential security vulnerabilities, and get a better idea of where to tighten their infrastructure. In fact, Google even admitted to paying hackers $6.5 million in 2019 to do just that.

It’s no surprise that Salesforce is getting involved, especially as security continues to grow in importance across the industry. Introducing The Bug Bounty Program: a hacker-based security investigation involving over 100 of the world’s top hackers and over $480,000 in ‘bounties’ to be won.

The Bug Bounty Program

Salesforce’s Bug Bounty Program has been going since 2015, and Salesforce was one of the first enterprise companies of its kind to do something like this. It’s gone through some development over the years, now engaging with ethical hackers to “protect nearly 100% of the company’s growing portfolio”.

The latest Salesforce Bug Bounty event took place in June 2023, hosted in person by HackerOne, a leading cybersecurity company. As mentioned above, it brought together over 100 determined hackers to ‘break into’ select Salesforce products and uncover any potential security concerns. This translated to approximately 220 suspected vulnerability reports and over $480,000 in bounties, with individual payouts as high as $32,000.

The Value in Hacking

Not all hackers are as scary as they’re often depicted to be in movies. They’re not all breaking into government databases or ruining lives; in fact, some of them hack for good.

These are known as ethical hackers: security researchers who are authorized to hack products and systems in order to expose flaws and vulnerabilities. They can be a great asset in building tighter security because they are independent of the software company; they bring an outside perspective and aren’t swayed by internal assumptions about how the system is supposed to behave.

Although the event itself is held in person, the actual hacking takes place in a virtual environment. That scalability means Salesforce can draw on talent from all over the world, and despite challenges like navigating different time zones, it puts the program alongside other diversified, wide-scale security operations.

Recruiting hackers is not only great for companies like Salesforce; it’s great for ethical hackers too. Elamaran Vengatraman, a hacker who participated in the latest Bug Bounty Program under the profile @egrep, says that the recognition and appreciation help to “fuel the fire” within them.

“The actions of the Salesforce team demonstrate their profound respect for researchers and their commitment to fostering innovation,” he said. “I’ve always liked the quote, ‘Leave one bug alive and the systems are never safe,’ because it means this type of ongoing collaboration is critical for protecting people and their data.”


To learn more from these hackers, Salesforce also holds monthly debriefs between its security team and the ethical hackers to discuss their findings and understand their approaches. Andrew Leeth, Director of Product Security at Salesforce, stresses how important this is.

“With the constantly evolving threat landscape, these first-hand learnings are critical for getting inside the mind of hackers – especially how they are leveraging AI – to help reinforce our internal security efforts.”

– Andrew Leeth, Director of Product Security at Salesforce

Summary

Salesforce’s collaborative work with ethical hackers has proven to be an informative and beneficial security operation for both the hackers and the company. The Bug Bounty Program is certainly a project for good, and as security concerns continue to grow across the industry, this effort is more important than ever.

Quite the hacker yourself? Learn more about Salesforce’s invite-only program by emailing security@salesforce.com.

The Author

Sasha Semjonova

Sasha is the Video Production Manager and a Salesforce Reporter at Salesforce Ben.
