User blog:MisterWoodhouse/Introducing the Fandom Bug Bounty Program

Hello, all!

Today I am excited to announce another new project here at Fandom: our official bug bounty program. This program is starting on D&D Beyond, but we intend to expand it to our other platforms over time, arriving on Fandom and Gamepedia sometime next year.

What is a bug bounty program?
A bug bounty program is where we invite skilled security researchers/ethical hackers (AKA “white hat hackers”) to try to find security issues in our applications and report them to us responsibly. In return, we pay them bounties of different amounts depending on the severity of the vulnerability they report and the impact it could have on our users and our business. By leveraging the skill and tenacity of white hats, we can improve the security of our sites while pursuing our other development projects without delays.

How does this work?
We have decided to use Bugcrowd as our bounty platform after comparing the major platforms. Prior to the Fandom/Curse merger, some Curse properties were covered by Bugcrowd under Twitch’s bug bounty platform, so there’s some familiarity for us.

At the moment, we have a “private” bounty program, in which Bugcrowd invites a select number of pre-vetted white hats to work on cracking D&D Beyond. Their findings are analyzed by a Bugcrowd engineer, who sends us all the necessary information to make an actionable Jira ticket for the development team. The researcher responsible for the finding is then paid based on the severity and potential impact of the weakness uncovered.

As our program expands, we will add more of our properties and increase the pool of researchers. When the new Fandom wiki platform launches, we will be extending bounty program invitations to Fandom users who have responsibly reported bugs and vulnerabilities over the years, allowing them to be rewarded for additional disclosures going forward.

Have questions? Leave them below and we’ll answer them as best we can!