User blog:MisterWoodhouse/Fandom's Community Platform now has a Bug Bounty program

Hey gang!

Back in July 2019, we announced the first Fandom Bug Bounty program, which focused on responsible disclosure of security flaws on our D&D Beyond platform in exchange for variable bounty amounts. In that announcement, we committed to launching the program on the Fandom community platform, with an opportunity for community members to get involved. We are happy to say that we launched the Bug Bounty program on the community platform last month and we’d love to talk with you about how it’s going so far and how we’re getting community members involved.

What is a bug bounty program?
A bug bounty program is an arrangement in which a company invites cybersecurity researchers to find security-related flaws in its systems and privately let the company know what they find, so that the company can fix the problems before malicious individuals exploit them. In exchange for this responsible disclosure, the company hosting the bounty program pays the researchers a sum of money relative to the severity of the flaws they discover.

How does it work in this case?
Program participants are asked to create Fandom accounts and their own wikis in order to test out a variety of security flaws they’ve seen work on other websites. When they find something amiss, they make note of it — including the potential impact if exploited — and submit the findings. BugCrowd, the security platform coordinating our bounty program, and Fandom engineers assess the submission and, if accepted as valid, the researcher gets paid. Right now, the program scope is limited to new wikis with the default extensions enabled, so as to get the broadest possible benefit for the platform as a whole out of this security testing with no disruption to existing wiki communities. Future tests may include additional extensions (like Cargo) so that they can be stress tested as well.

The community platform launched onto the Fandom Bug Bounty program through BugCrowd on September 23, 2021. The initial group included 51 experienced and well-vetted security researchers, who all have very high success rates for their submissions being accepted as valid.

In the few weeks of the program, we have validated and resolved 7 security issues reported by the researchers, none of which were considered critical. We are currently validating or working to resolve an additional 6 issues, all of them considered low priority. The 3 highest priority issues were all resolved within 48 hours of validation.

The broad benefit of such a program is that, by putting a monetary incentive in front of the most savvy ethical security testers in the world, you get an increasingly safer platform for over 250,000 wikis and the 315 million fans who use Fandom every month. The most technically savvy and security-minded community members specifically get an opportunity to participate in the bounty program. Fandom is currently in the process of identifying those community members with good track records of security reports to invite to the bug bounty program.

How this factors into the existing test process
Doesn’t Fandom already test security and have a quality assurance process? Yes, it does. Fandom also benefits from MediaWiki being very heavily reviewed by security professionals already, so the platform has a very good security baseline to begin with.

The bounty program, however, brings additional eyes to the platform with an even higher degree of focus on security. It also creates a further opportunity to collaborate with the Wikimedia Foundation and share the findings from the program researchers to make MediaWiki safer for all platforms running on it.

I’ll be happy to answer your questions now.