Grammarly Launches Public Bug Bounty Program

Grammarly bug bounty program

The online spell check platform is taking its private bounty program public in hopes of outing more threats.

Online AI-based communications tool Grammarly is taking its private bug bounty program public in hopes of finding and fixing more vulnerabilities in its software.

The company has run a private bug bounty program – which currently has 1,500 participants – in conjunction with HackerOne for over a year. And now, it’s opening that program up to the public in hopes of finding even more threats.

The free online grammar checking and plagiarism detection platform was first released in late 2009. More than 15 million use Grammarly’s platform daily. Private bug bounty programs means that they are invite-only and those reports remain confidential. However, when programs become public, they open up to report submissions from the entire hacker community.

“We firmly believe that this gives us access to the best resources to help mitigate vulnerabilities, ward off attackers, and — ultimately — protect our users,’ Joe Xavier, VP of engineering at Grammarly, said in a Tuesday post.

Earlier this year in February, Grammarly found itself in hot water after Google’s Project Zero disclosed a high-severity bug in its Chrome browser extension. The vulnerability, which the company fixed, exposed users’ documents that were created and saved in the platform’s Editor interface.

Xavier told Threatpost Grammarly began running the private program in September 2017. “It was launched before the disclosure of the vulnerability affecting the Grammarly Chrome Extension,” he said.

The bug bounty program offers rewards of up to $3,000 for a range of vulnerabilities starting with “low-severity” all the way up to critical flaws.

“To establish our pricing structure, we began with the median of what we determined were the right numbers for bounties,” Xavier told Threatpost. “We also identified the focus scope among our assets and applied a 2x multiplier for applicable reports.”

Xavier added that “pricing is flexible, depending on the impact of the discovered vulnerability or for other instances such as a well-defined report or its automated version, which gives us a possibility to re-use it an internal testing framework.”

Possible vulnerability reports include browser extension (for Chrome, Safari, Firefox and Edge), mobile keyboards, MS Office Add-In, Desktop Editor, and Grammarly.ai (Grammarly’s artificial intelligence-powered platform).

“We are open to many kinds of vulnerability reports, especially those that pertain to our native applications which carry a higher bounty. With regards to specific threats, we are interested in CSRF, XXE and WAF break-in attack scenarios. We are excluding attacks that require physical access to a victim’s computer,” Xavier told Threatpost.

For Grammarly.ai, the company said it accepts only critical submissions (server side request forgery, XML external entity, SQL injection, and remote code execution bugs) with a proof of concept code.

According to HackerOne, Grammarly has already paid $51,050 in total bounties, with the average reward averaging between $150 to $200.

“We have a strong internal focus on security but know that we will benefit from the expertise that the broader security researcher community can provide,” Xavier told us. “We are confident that HackerOne will provide the best resources to help mitigate vulnerabilities, ward off threats, and — ultimately — protect our users from any potential attack.”

Suggested articles