Here at Backblaze, we help people build applications, host content, manage media, back up and archive data, and more securely in the cloud—and that “securely” part of the equation has always been paramount. We use a variety of tools and techniques to stay ahead of any potential security threats, including our participation over the past year plus in the Bugcrowd security platform. Today, we are opening up our Bugcrowd Bug Bounty Program to all security researchers.
Now, anyone can join Bugcrowd and start hacking away at our desktop and mobile apps, APIs, or web applications in order to help us find any vulnerabilities and strengthen the security of our services. Read on to learn more about the program and the other measures we take to spot and address potential security vulnerabilities.
Join Ola Nordstrom, Lead Application Security Engineer; Chris Vickery, Senior Risk Assessment Specialist; and Pat Patterson, Chief Developer Evangelist, on April 21, 2022 at 1 p.m. PDT to learn more about why we decided to implement the Bugcrowd Bug Bounty Program, how it fits into the Backblaze security portfolio, and how you can join in on either side: as hacker or hackee.
How Backblaze Keeps Customer Data Safe
Over the years, Backblaze has consistently invested in maintaining and upgrading its security portfolio. User files are encrypted by default, we also support server-side encryption for the Backblaze S3 Compatible API, and we have doubled the size of our Security team over the last year under the leadership of CISO Mark Potter.
But all those security features, and frankly all software, not just Backblaze's, are vulnerable to security bugs that can expose user information and data. Oftentimes, these are caused by implementation mistakes or by changes in how a piece of software is used over time. The recent Log4j (aka Log4Shell) vulnerability affected nearly everyone due to its ubiquitous use across software platforms and the industry as a whole.
I’ve been working to secure software my whole career. Before the advent of crowdsourced security platforms such as Bugcrowd, managing vulnerability reports was a painful task. Emails, typically sent to security@company.tld, were copied back and forth between bug tracking platforms. Reviewing submissions and gathering metrics was difficult since every engineering team or organization always had their own process for tagging and categorizing bug reports. Everything was copied back and forth to make any sense of the data (think Excel spreadsheets!). In a world where zero-day vulnerabilities are commonplace, such processes are just too slow, and you end up playing catch-up with the bad guys.
How Does Bugcrowd Fit Into the Backblaze Security Portfolio?
Bugcrowd takes the grunt work out of the process to let us focus on addressing the vulnerability and communicating with researchers. Bugcrowd encourages white hat hackers to attack businesses, find vulnerabilities in their software and processes, and aid in guiding the remediation of those vulnerabilities before they can be exploited by anyone else.
What’s more, and perhaps most important to security researchers around the world, is that Bugcrowd allows us to pay security researchers for finding vulnerabilities. Without Bugcrowd, Backblaze wouldn’t have a cost-effective way to pay for a bug report from a researcher in another country or another continent. It’s only fair we pay for the work they do to help us out, and in addition, having a public program ensures transparency and fairness for everyone.
How You Can Join the Backblaze Bugcrowd Bug Bounty Program
Backblaze’s private beta has been running for over a year, but now that the program is public, any interested security researcher can sign up to hack away at the company’s in-scope products and networks. If you think you’ve found a vulnerability, or you’d like more information about the in-scope products, URLs, or bounty ranges, check out the Backblaze Bugcrowd Bug Bounty Program here. And don’t forget to register for our webinar to learn more about the program.