Yelp’s bug bounty improves security and attracts talent

Since Yelp opened its bug bounty to the public six months ago, the company has paid out more than $17,000 to hackers who have discovered vulnerabilities in its products. But the bug bounty program doesn’t just improve security, Yelp executives say, but also helps attract security talent to join Yelp full-time.

Bug bounty programs give hackers an avenue to report vulnerabilities to tech companies in exchange for cash, incentivizing them to disclose problems instead of exploiting them. Larger companies like Google and Facebook have been running public bug bounty programs for years, but smaller companies are now launching their own programs to secure their products.

“Bug bounty programs are part of the table stakes now,” Michael Stoppelman, senior vice president of engineering at Yelp, told TechCrunch. “We saw it emerging as a common pattern among the big players out there. We felt that it was a way of giving folks recognition for finding these vulnerabilities, rather than doing damage. It aligns incentives in a way that is really creative.”

But it’s not just about following industry trends or staying on top of security. The bounty, which is administrated by HackerOne, has positive impacts for the engineers already on staff and shows recruits that Yelp is serious about security.

“Public bounties are an awesome litmus test for teams. It’s a great test to see how secure they feel internally. If you say, ‘Hey world, you can knock on my doors and you’re not going to find anything,’  it’s a way of telling the marketplace you trust your own engineering practices,” Stoppelman explains. “It serves as a signal to engineers who are looking for world-class engineering teams to join.”

Before opening its bounty program to the public, Yelp ran the program privately for two years. It made its public debut in September, and the program has been growing steadily since then:

  • 30 days: 22 bugs resolved, $5,000 bounties paid, 19 hours response time, ~ 1 month resolution time.

    • 60 days: 36 bugs resolved, $13,500 bounties paid, 21 hours response time, 29 days resolution time.

    • 100 days: 39 bugs resolved, $13,850 bounties paid, less than 24 hours response time, ~ 1 month resolution time.

    • 140 days: 52 bugs resolved, $17,200 bounties paid, ~ 2 days response time, ~ 1 month resolution time

“We took our time with private bounty because it gave us time for big fixes. It made us feel a lot more confident in our overall security posture,” Yelp’s head of security Vivek Raman says. “As we launch new features, we want the hacker community to attack them and find vulnerabilities.”

Yelp plans to keep the bug bounty program running continuously, and is considering promotions and other incentives to keep hackers engaged in the program.