Pluralsight’s Security Bounty Program
About a year after I joined Pluralsight, we were ramping up to get ready for our ISO 27000 certification. Everyone in the Security and Privacy organization was doing their part to get ready for it. Part of that included building out a company security awareness program. Most of these consist of a mandatory video training that you can’t skip through, a quiz, and a document from HR saying you viewed it and agree to the terms.
Working for Pluralsight, we strive to do things better. On the Security team, our motto is Security by Design, Privacy by Default. With that in mind, we wanted to build a program that aligned with this.
The first thing we did was use existing content on our Skills platform that covers areas of security awareness; however, we wanted to take it one step further.
We know that watching videos and taking an easy-to-guess quiz “checks a compliance box”, but doesn’t really engage the user. After the 30 minutes of videos, they don’t think about security much afterwards, let alone for a whole year until the next time they have to do the awareness training.
We decided to gamify it with an internal bug bounty program.
Requirements and Details
Traditional bug bounty programs focus mostly on finding bugs in the code and exploiting them and are mostly targeted towards developers and security researchers. We wanted this bug bounty program open to our entire company. This includes Sales, Facilities, HR/People, Finance, Legal, Support, Content, Marketing, Curriculum, Strategy, etc.
To accomplish this, we first opened it up to any security-related finding. Going beyond regular bugs in programming code, this can include things like:
- Tailgating and hitchhiking instead of badging in
- Building a program that proactively searches for PII, sensitive information, or API keys in code repos
- Bypassing SSO on a 3rd-party SaaS app
- Internal company information shared publicly (Dropbox, Box, Google Drive folders, etc.)
- Open firewall rule to the public Internet that really shouldn’t be
The second thing we wanted to do was some form of recognition. Those familiar with the military and other affiliations may be familiar with the concept of challenge coins. These are custom coins that are minted to commemorate a person, promotion, unit or task force, or something similar. They can have significant meaning and are a badge of honor that you can carry around with you. Some organizations like Security BSides and SANS have challenge coins for achieving an accolade or winning a difficult contest or competition. SANS coins, for example, have puzzles on the coins themselves and only those that have earned one can solve the puzzles and continue on.
My supervisor has some of these coins and said, “Colin, wouldn’t it be cool to have coins that have a puzzle on it and a secret website that only the recipients can find and solve?” Those that know me and have seen my desk know that I have a few coins and I love crypto puzzles and CTFs (capture the flag competitions).
I took it and ran with it. We decided early on, we wanted the ciphers to be easy enough for anyone to figure it out with some effort, but not too easy, progressively becoming more challenging.
I designed 5 coins, each representing a different area of security awareness: OPSEC (Operations Security), Privacy, Malware, and Defense. The fifth and final coin was the Champion coin, only available to those that have earned all 4 coins AND solved the puzzles. Someone that has earned the final coin truly is a Champion for Security within our company. We also pointed out that there was a limited quantity of coins, so once they are gone, they are gone.
(I’ve blurred the ciphertext. You gotta earn them)
The next step was making the secret websites. This proved challenging. The requirements were:
Had to be available only to Pluralsight Team Members.
- Ok easy, I’ll just spin up an AWS instance and…
Can’t be easily found by Cloud Engineers or Ops because they just look up where we host it internally.
I did find an less-than-perfect solution of where to host the web pages, but it works great and only PS team members can access it.
With the coins designed, ciphers made, and the secret websites up, it was time to get ready to launch. Encouraging people to look for flaws and bugs, I had to lay down some ground rules so we don’t have people writing horrible code, reporting it, fixing their own bugs and getting a coin for it.
To earn the coin, you must:
- Contact the Pluralsight Security and Privacy team via email, slack, or in-person.
- Show or demonstrate security finding. Provide documentation or steps to replicate.
Security and Privacy team will vet and determine if the finding qualifies.
Some other details:
- Open to all Pluralsight benefited employees
- You can only earn one coin per quarter.
- You can only earn one coin per category per person.
- You must present a new or not-yet-reported security or privacy finding.
- You must earn all previous coins and complete the challenges before earning the rare and coveted Pluralsight Security Champion Coin.
Each coin has a cryptographic puzzle that can be solved. This is optional and a fun little game, but will be required if you want to earn the Pluralsight Security Champion Coin.
This helped set the ground rules and expectations. Everyone that earned a coin would be added to a private Slack channel where they can discuss puzzles and coin-related topics. We also have an internal “Wall of Fame” that lists the person that found the bug, the team they are on, a fairly redacted subject about the finding, and which coin they received. We send out Slack messages to the company on our security channel when we get a new coin recipient. On the Security side, when it was reported, we’d capture the proof-of-concept, steps to replicate, track the remediation to fix the issue in our risk register, and other details as needed.
This accomplished two things:
- A record of the findings and verification that they were being resolved and addressed to the appropriate team(s) to remediate.
- Makes my job easier because talented team members, more familiar with their systems and processes than my team are, doing my work for me. It’s a win-win!
We launched our Security Awareness program on our Pluralsight Skills platform. Our Head of Security had a short clip at the beginning and the end, mentioning the internal bug bounty and a picture of the security coins. We launched the campaign company-wide and waited.
At this point, I had only ordered 100 of our first coin, the OPSEC coin. We didn’t know how well this would be received and if anyone would express interest. I used a website and it cost around $500 for 100 coins.
Three days later, we had our first reported finding. It was a backup of data that we no longer needed in a deprecated system that was part of a monolith. It was fairly sensitive, but encrypted, but still getting backed up. We worked to correct the issue and deleted the backups. We posted it in our security Slack channel and recognized the person that reported it. Soon, we had team members actively looking for potential security issues. Things like unnecessary wildcard SSL certs, iframe misconfigurations, a GitHub crawling tool looking for sensitive information, grandfathered access from internal mobility and job changes, and a door that didn’t quite close all the way at one of our offices. After the first reporting, the coins paid for themselves and we ordered the rest. As more caught wind of it, we had more participation and submissions.
Quarterly, our Head of Security reports to our Executive Team and Board members. He mentioned our new program and showed off our OPSEC coins. One of our board members loved it so much, she told everyone she was keeping the coin. Acting quickly, our Head of Security decided to give all the Board members and Executives a coin and they loved it, with the caveat that the first coin is free, but you gotta earn the rest. It is, after all, open to all Pluralsight Team Members.
Some teams hated that we had the one coin per quarter rule, but we did emphasize that you don’t have to wait until next quarter to report a security concern. If there’s a security finding, tell us and we’ll get you a coin IOU.
To date, we have awarded over 100 coins covering several different areas of security. Some have been very concerning and we respond, “Stop. Wait. What?!?!” Others have been, “I didn’t even think of that, but holy crap, that’s genius!” We even mention the coins in our new employee orientation.
The puzzles and secret websites are addicting and once the puzzle is solved, there is a rush of excitement and all the other recipients find out on the private channel. To date, we have had 3 team members earn the coveted Pluralsight Security Champion coin. As I walk around the offices, it’s nice to see their coins proudly displayed on their workstations.
The program had a better outcome than we imagined and we are still getting reports coming to my team. Having every team member actively looking for security issues is a force-multiplier for us, as the Security team will never scale proportionally as our business grows.
Having friends look for security in their everyday duties is worth so much more than the small, monetary cost of a coin.