ENHANCING PLATFORM SECURITY:
A LOOK INTO UPHOLD’S BUG BOUNTY PROGRAM WITH INTIGRITI
Uphold is a multi-asset digital money platform that empowers users to seamlessly trade between asset classes with integrated payments. The global platform aims to achieve a future where individuals and businesses can access secure, transparent, fair and affordable financial services.
Since launching the platform in 2013, Uphold has powered over US $40 billion in transactions. The platform supports over 250 currencies and commodities, offering seamless foreign exchange and cross-border remittances to members across 184+ countries.
INTERVIEW WITH CHRISTOPHER ADJEI-AMPOFO, CIO/CISO
Please tell Business Enquirer’s readers about Uphold’s journey as a financial services platform.
Uphold was founded with the goal of creating a more equitable financial system, aiming to make financial services available to all. This mission remains true today. We are dedicated to empowering individuals globally by offering a transparent, affordable, and user-friendly platform that removes barriers to financial inclusion.
The security and threat landscape is ever evolving, and with that comes the challenge of keeping abreast of new threats and vulnerabilities. Uphold is not immune to this threat – we consistently adopt new technology and services to protect our customers and assets. Maintaining customer confidence and trust is my highest priority, giving them comfort that Uphold is the best place for them to invest their money.
What measures has Uphold taken to strengthen its security posture?
We proactively defend against cyber threats by engaging a community of ethical hackers through our bug bounty program with Intigriti, which we launched in 2020. This program helps us identify and address vulnerabilities by harnessing the expertise of a global community of security experts, ensuring the security of our platform and maintaining customer trust.
With new threats and vulnerabilities emerging daily, it can be extremely beneficial to get the perspective of external experts dedicated to identifying potential risks within digital ecosystems. While penetration tests are valuable, they are often static and limited to a specific point in time. In contrast, bug bounty programs offer a dynamic approach to security, engaging a broad community of ethical hackers who continuously identify and address potential vulnerabilities.
This proactive method not only strengthens the security posture of our platform but also means we can continuously adapt to new threats and vulnerabilities.
Take us back to basics: What exactly is a bug bounty program?
A bug bounty program is a crowdsourced cybersecurity initiative where organizations invite ethical hackers—also known as security researchers—to find and report vulnerabilities in their systems. In exchange for their findings, these hackers receive monetary rewards based on the severity and impact of the bugs they discover.
Organizations must set the program’s scope, clearly outlining which websites, apps, or systems are included. This provides the community with specific targets to explore. They’ll then work to uncover security issues your team has missed. These can range from minor bugs to critical vulnerabilities that could significantly compromise your organization’s security.
Once a hacker finds a bug, they report it to the organization—in our case, through Intigriti’s platform. The report should include detailed steps to reproduce the issue, ensuring the organization can understand and verify the vulnerability. Once Intigriti has triaged the report, our security team reviews it, validates the finding, and assesses its severity. This step is crucial for determining the appropriate reward for the hacker.
Based on the severity and impact of the bug, the hacker will be rewarded according to a predefined bounty table.
What are some of the most impactful vulnerabilities that have been discovered through the program?
The community has identified a range of vulnerabilities since launch, such as misconfigurations in cloud and SaaS partners, security headers, API integrations, and data handling processes. These discoveries have allowed us to address weaknesses promptly before cybercriminals can exploit them.
How have these findings influenced your security posture?
Findings from Intigriti’s bug bounty program have led to several internal improvements, including implementing additional security checks, enhancements in our software development processes, and upgrades to our overall security infrastructure.
Platform insights have also led to more data-driven decisions. By analyzing incidents over time, we can anticipate future demands, better justify budget allocations and allocate resources accordingly. These measures have significantly strengthened our capacity to safeguard user data and assets.
You mentioned you launched the bug bounty program with Intigriti in 2020. How has it evolved since then?
We’ve expanded the scope of the program to cover new features and services, increased reward tiers to recognise significant findings better, and streamlined our submission and response processes for faster resolution.
In the coming years, we anticipate further expanding the scope of our bug bounty program to include all new services and technologies we adopt. We plan to adjust our reward structure to stay competitive and to incentivise the discovery of more complex and impactful vulnerabilities.
What advice would you give to other companies considering starting a bug bounty program?
Maintaining high engagement is crucial to your program’s success, which can be achieved by fostering a collaborative and rewarding environment for researchers. For example, we offer competitive rewards, provide clear and detailed guidelines, and ensure prompt communication throughout the vulnerability assessment process. Plus, working with a bug bounty platform like Intigriti ensures researchers are matched with programs that align with their expertise, driving stronger engagement and better results.