Our Bug Bounty program plays a crucial role in safeguarding our platform's security, especially as Personio continues to grow and introduce new products and services. 🔒

The challenge

As a hyper-growth startup, it is not easy to keep up with emerging security challenges. New features and product versions are deployed multiple times a day, so security assurance must also be continuous; it is no longer acceptable to rely on point-in-time tests alone.

Our main goal then became to obtain real-time security feedback that allowed us to identify key vulnerabilities within our assets.

The Solution

Given the above challenge, at Personio we decided a Bug Bounty program made sense in the early days of our Application Security Program. With this in mind, we reached out to some of the major Bug Bounty providers and compared their offerings. We chose Intigriti since it stood out as an experienced provider that we could trust and rely upon for our Bug Bounty journey. This decision allowed us to leverage crowdsourced security efforts, ensuring continuous and comprehensive testing of our platform.

There are many examples where we've benefited from working with Intigriti, such as when we discovered a major input sanitization issue that led to Cross-Site Scripting (XSS), when we detected a set of leaked privileged credentials, or when we identified a couple of misconfigured domains that allowed for subdomain takeover.
All these submissions have triggered internal projects that have allowed us not only to fix these particular occurrences, but to improve our overall security posture.

Intigriti's triage team is definitely one of the things we love most about them. There have been many occasions where, after reviewing a researcher's submission, they have proactively adjusted their triaging notes to our needs, making sure they handle future occurrences the same way we would.

The Results

The collaboration with Intigriti has led to significant improvements in our security posture. Specific achievements include:

  • Discovery of critical vulnerabilities: Identifying and mitigating risks such as input sanitization issues that could lead to XSS and other vulnerabilities or misconfigured domains that could lead to subdomain takeover.
  • Proactive security measures: The insights from the bug bounty program initiated internal projects that not only addressed identified vulnerabilities quicker, but also improved overall security methodologies and tooling.
  • Continuous testing assurance: Intigriti’s managed triage team ensured that Personio’s platform was continuously tested by top security researchers, providing confidence in the platform’s security.

Check out the whole interview on Intigriti's website!
