With the pace of security today, nobody can afford to go it alone. Even with the best in-house security team and rigorous process, tooling, design reviews and testing, there is still a global community of like-minded security people working on the same problems. There are economies of scale that come from researchers honing their test strategies across many different sites, from security teams sharing best practices, and so on. A productive relationship with the broader security community is a must.
Over the past year, we have prioritized improving how we work with the security community. Key investments have included:
- Launching our Responsible Disclosure program on Bugcrowd about a year ago. More recently, this program was recognized as the most-responsive program on the Bugcrowd platform.
- A number of productive Responsible Disclosure interactions between our security@ mailbox and outside research groups, including AV-Test.org, Pentest Partners, Fortinet, Tavis Ormandy of Google Project Zero, IBM, Citizen Lab at the University of Toronto, and others.
- As of April 2016, we have committed to labeling client software updates that contain security fixes with a standard “Critical/Important/Moderate/Low” rating scale, and to providing guidance for interpreting those ratings, similar to the established practice at Google, Microsoft, and others. This benefits customers by helping them decide how urgently to deploy a patch, and benefits researchers by crediting them in plain terms for the impact of what they reported.
- Engaging the security community face to face at events such as CanSecWest and Blackhat/DEFCON. We were among a short list of “Internet of Things” vendors to sponsor the IoT Village, providing free hardware to see what the talented hacker community would come up with. We’ve also sponsored the last two B-Sides in San Francisco.
We sometimes hear the sentiment that “IoT companies don’t care about security.” Our goal has been to set ourselves apart by taking these steps and doing the hard work to build a strong reputation for security, and we appreciate the folks who have recognized us for it this year.
A couple of these highlights are worth talking about in more detail:
Success with Bugcrowd
We’ve had a great run with Bugcrowd so far! We launched a public, everyone’s-invited program a year ago and are seeing great returns from it. It is proving to be a cost-effective and valuable way to supplement internal testing and traditional, scoped pentests from consulting firms.
A nice feature of the Bugcrowd platform is the first-tier triage provided by their staff. This screens out obvious noise, out-of-scope reports, and clear duplicates before they reach us, and keeps our internal staff working at peak efficiency on the reports that actually need our attention.
More recently, we have been running small-scale experiments with invite-only, cash-bounty programs. Running these separately from the public program gives us the flexibility to set a distinct scope for each, and lets Bugcrowd connect us with researchers who have demonstrated expertise matching that scope. If you are thinking about running a paying bounty program, it would be hard to overstate the value of having Bugcrowd handle the payment logistics to individual researchers.
Blackhat / DEFCON / IoT Village
A few members of the Fitbit Security team attended Blackhat, DEFCON, and the IoT Village in Las Vegas to meet with security folks from all over. We provided hardware for testing at the IoT Village, heard some great presentations, and participated in the always-important “Hallway Track.” It was a welcome opportunity to say thank you in-person to a number of our active Bugcrowd reporters.
It was also great to see more vendors taking an active role in the community. We all face similar threats, build on many of the same software development kits from component providers, and so on. As more vendors invest in security, we expect everyone will feel the uplift: the quality of common libraries will go up, tools will get better, and shared knowledge will spread. As we said above, it is much better than trying to go it alone!
We’ll be back in a future blog post talking about some other aspects of how Fitbit approaches security. For now, we just want to say thanks to the community. We appreciate your contributions and look forward to continuing our work with you.
About the Authors
Marc Bown and Jim Hebert are two members of our Security Team, both of whom joined Fitbit in 2015. Marc manages our Security Features team and Incident Response. Jim leads our Responsible Disclosure program on Bugcrowd. The team has been busy and has more posts planned, so stay tuned!