A bug bounty program is a deal offered by websites, organizations, and software developers to pay monetary rewards to skilled security researchers or ethical hackers (AKA "white hat hackers") for successfully discovering and reporting a vulnerability or bug. Bug bounty programs allow companies to leverage the hacker community to discover and resolve issues before the general public is aware of them, preventing incidents of widespread abuse and data breaches, as well as improving their systems' security posture over time.
Programs like these are used by a large number of organizations, such as Mozilla, Facebook, Google, and Reddit, but also by Fandom.
Previous Experiences
In July 2019, Fandom started a collaboration with Bugcrowd. This was a "private" bounty program, in which Bugcrowd invited a select number of pre-vetted researchers to review D&D Beyond. Any findings were reviewed by a Bugcrowd engineer before being shared with us.
The program resulted in the discovery of some security issues on the D&D Beyond platform, which were then patched by our engineers. Considering the success, we extended the program to cover the rest of the Fandom Community Platform as well. The number of researchers was expanded with the addition of some Fandom users who had previously and responsibly reported bugs and vulnerabilities over the years. Extending an invitation to them allowed us to reward them for any further security risk disclosures they made from that moment onward.
After a few years, however, the collaboration with Bugcrowd ended; in 2024 we entered into a new collaboration with another hacker collective.
Current Program
We are currently working with HackerOne. The scope of the program is focused mainly, but not exclusively, on new wikis; it does not include the scripts users create on Dev Wiki.
For more information on HackerOne, you can read its policies.