The bug bounty phenomenon began mainly with major software vendors and security companies, which were the main targets for security researchers and attackers. But it is now moving to virtually every corner of the Web and software ecosystem, and the latest company to join the party is Square, the mobile payment company.
Square’s service allows merchants such as cab drivers, food truck owners and just about anyone else with a smartphone to accept credit and debit cards through the use of its small device that plugs into a phone. The company’s product would be a valuable target for attackers, and Square officials now are reaching out to the security research community for help identifying flaws in its system.
“We monitor every transaction from swipe to payment, innovate in fraud prevention, and adhere to industry-leading standards to manage our network and secure our web and client applications. We protect our sellers like our own business depends on it — because it does,” Neal Harris, application security team lead at Square, wrote in a blog post.
“Today, we’re very excited to announce our security bug bounty with HackerOne. We recognize the important contributions the security research community can make when it comes to finding bugs, and we’re asking for your help.”
The HackerOne platform provides the infrastructure for companies to run bug bounty programs, reach a large pool of security researchers and reward participants. The platform has an overarching set of rules, and each company can also set its own code of conduct and scope for its bug bounty program.
Square is asking researchers to look for vulnerabilities in its Square.com and Squareup.com properties, and Harris said the company is particularly interested in bugs in its payment flow. In addition to starting the bug bounty, Square has hired Dino Dai Zovi, a well-respected security researcher.
Bug bounty programs have become an important part of the security ecosystem in recent years, and experts say they are not likely to be a passing fancy. Alex Stamos, CISO at Yahoo, which runs a broad bounty program, said in a talk at Black Hat last week that the community should treat these programs as long-term projects.
“We’re probably going to be running these programs forever,” he said.