Internet security is like digging a ditch. One shovel full of dirt at a time. If it feels easy, you’re just getting started, and it goes far deeper than you expect. You’ll unearth things you never imagined, and the longer you work at it, the darker, danker, and dirtier it gets.
Many people remain blissfully unaware of the constant stream of malicious activity targeting every server and application on the Internet: cross-site scripting, SQL injections, and DDoS attacks are just the tip of the iceberg. When you’re relied on by some of the world’s largest brands to secure billions of discussions, staying on top of the latest threats and digging deeply into potential problems are serious and onerous responsibilities with a huge scope.
That’s why Vanilla Forums has launched a program with HackerOne.
Our now-public security bug bounty program allows us to proactively address vulnerabilities discovered and reported by the largest hacker community on the Internet. It provides an additional layer of security by rewarding researchers who uncover issues and agree not to disclose them until they are fixed. The goal of the program is not only to identify existing vulnerabilities, but to find new approaches to security and adopt the best practices used by the most secure companies in the world.
We started this journey more than a year ago as a private, invite-only program automatically managed by HackerOne. We discovered the platform through ongoing security collaboration with our customers, which has long been a cornerstone of our security program. Over $6,000 in bounties later, and after many revisions to our program and our internal workflows, we’re ready to open the floodgates and announce our program to the world.
Vanilla Forums takes security seriously and has spent a great deal of time and resources making our application as secure as possible. To ensure compliance with the latest security standards and uncover potential problems, Vanilla already conducts regular security audits and vulnerability testing. It also works with new and existing customers to participate in their security audits, which is a critical requirement for any vendor with which you tightly integrate your web presence.
The bug bounty program is yet another layer of defense in our ongoing risk mitigation strategy for Vanilla’s community software platform. In addition to deflecting software vulnerabilities, this partnership further enhances our security infrastructure on top of the RASP protocol we implemented last year.
Vanilla Forums’ program on HackerOne is open to the public as of February 28, 2018. To learn more about the program, including scope, eligibility, rewards, exceptions and rules, visit https://hackerone.com/vanilla.
To find out more on Vanilla’s overall commitment to delivering a secure solution, please read our Security Overview.