Our Bug Bounty journey has only just begun.
The in-scope domains in our program are:
Currently we have received a total of 80 bugs of which 27 were duplicates (curse you msg -parameter), 5 Not applicable and the rest is visible in the metrics below:
We have pretty much all our developers registered to the HackerOne portal, which means they can view all the bugs for all 4 of our services. That in turn means, that through findings that are received via one of the services they can realize that they have a similar bug in another service, just by viewing bugs received from one of the other services.
The developers have also noticed that a hacker doesn’t need much leverage to be able to exploit something, so more attention to third party libraries and input sanitization is definitely needed.
It doesn’t require many reports from the hackers to bring us all down from our ivory towers and humble us. We have surely been humbled.
I would like to use this opportunity to extend my thanks to all the hackers in our program, we are receiving very good and thorough reports. You are all making our services safer and we appreciate your efforts!
Information Security Manager
Visma Enterprise Oy