Get to Know the Salesforce Bug Bounty Program

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe the Salesforce Bug Bounty Program.
  • Explain why the Salesforce Bug Bounty Program is a “by invitation” community.
  • List the main components of the Salesforce Bug Bounty Program.

Ethical hackers, as we described in the previous unit, provide critical insight into software improvement areas, approaching vulnerability research from new or less predictable angles. Independent ethical hackers who work with Salesforce are known as security researchers.

Salesforce Bug Bounty Program

The Salesforce Bug Bounty Program allows invited security researchers to submit security vulnerabilities they discover in Salesforce products in exchange for a monetary reward, or bounty.

The Salesforce Security Assurance team, which is on the front lines of maintaining Salesforce’s #1 value of Customer Trust, operates the Salesforce Bug Bounty Program. The team partners closely with the Product and Engineering teams, which provide a controlled Salesforce environment that mirrors production so that researchers can safely and securely test assets.

Recommended Skills

To get started on the Salesforce program, invited researchers should be familiar with both the Apex programming language and Salesforce products.

Apex is the object-oriented programming language used at Salesforce. It is a multitenant, on-demand language for developers that enables them to interact with and add data in the Lightning Platform persistence layer in conjunction with calls to the API.

If you want to learn Apex, check out Build Apex Coding Skills.

There’s no better place to learn about Salesforce products than Trailhead. Other public-facing documentation, like Salesforce developer guides or blogs, can also be a great foundational resource for Salesforce products’ purposes, core functionalities, and primary user groups.

Salesforce works with security researchers by invitation only, so trusted ethical hackers become part of a research community and can level up their skills within the program.

Why Is an Invitation Necessary to Join the Bug Bounty Program?

Gaining access to the Salesforce Bug Bounty Program requires an invitation from Salesforce. By maintaining an invitation-only program, Salesforce can control the quality and scalability of the Bug Bounty Program, which enhances the researcher experience and the quality of research and reports.

Policy Guidelines

Members of the Salesforce BBP community must agree to its terms and conditions. Researchers are invited to the program, then review and accept the program policy. This ensures a clear understanding between Salesforce and researchers about the program, its scope, and proper reporting. Researchers agree to a code of conduct, rules of engagement, and a policy of nondisclosure.

Part of the policy is the safe harbor statement. A safe harbor clause allows security researchers to test systems and responsibly disclose discovered vulnerabilities without fear of legal action, as long as conditions are met.

Unsolicited Submissions

Researchers who aren’t invited to the Salesforce BBP may submit potential issues they’ve found on Salesforce products to security@salesforce.com. However, uninvited researchers should not be actively testing Salesforce products since they are not bound by the aforementioned safe harbor policy and may be infringing the Salesforce Acceptable Use and External-Facing Services Policy. Only invited researchers who comply with the terms of the program are assured the protection of the safe harbor policy.

Components of Hackforce

Hackforce is the online platform through which Salesforce runs its bug bounty program. Hackforce also serves as the primary communication channel where invited researchers can submit security issues for potential bounties. Researchers can access all the information they need to participate in the Salesforce Bug Bounty Program through Hackforce, which includes:

  • Policy Page and Code of Conduct
  • Guidelines on Available Testing Areas
  • Submission forms for identified vulnerability reports
  • Status updates on submission progress
  • Bounty rewards
  • Community collaboration
  • Targeted research campaigns
  • Program announcements
  • Chatter, a Salesforce collaboration application

Let’s take a closer look at some of these features.

Policy Page and Code of Conduct

The Policy Page provides a manual to invited researchers about their participation in the Bug Bounty Program. Specifically, it spells out who is eligible to engage in the program, expected code of conduct, safe testing practices and behaviors, and key protections for both the organization and the researchers. Reviewing, understanding, and accepting the terms of the Policy Page is the very first, crucial step in any researcher’s Bug Bounty journey.

Guidelines on Available Testing Areas

Assets available for testing are known as being in-scope, while out-of-scope assets are not available for proactive testing. Hackforce details both in-scope and out-of-scope assets in the Scope section to ensure researchers know where they can and should be focusing their research efforts. By testing assets that are in scope, researchers are adhering to the Policy Page and optimizing their earning potential.

Researchers can submit a request via the Support portal in Hackforce if they have questions about in-scope parameters, need credentials for security testing, or have a general program inquiry.

Vulnerability Reports and Status Updates

Researchers submit suspected vulnerabilities via Hackforce, and may track the progress of their submission through the platform. There are more details about reports and statuses in the next unit.

Bounty Amounts

Salesforce maintains a reward structure where bounty amounts are based on several factors, including, but not limited to: the vulnerability type, likelihood of exploitability, priority, and potential business impact of the issue submitted.

Only the first person to responsibly disclose an unknown, valid vulnerability is eligible to receive a reward. Salesforce awards a discretionary bounty if the vulnerability is specific, reproducible, and actionable and has been submitted in accordance with the Program Policy and Code of Conduct. Once a report has been triaged for at least 90 days or the report has been remediated, whichever comes first, Salesforce awards the bounty to the researcher.

The decision to grant a reward, and its value, is entirely at Salesforce’s discretion. Bounty amounts may be subject to change at any time based on impact, business needs, and industry trends.

Community Collaboration

A unique aspect of Hackforce is its ability to cultivate a community of Salesforce security researchers. Within Hackforce, researchers can signal they’re interested in working with other researchers within the same program. Researchers can connect, collaborate on security research, and learn from one another’s security skills and unique approaches.

For researchers who elect to collaborate on a valid vulnerability submission, Salesforce will award the bounty to the entire group. It is up to the individual team members to decide how to divide the reward.

Targeted Research Campaigns

Targeted research campaigns focus research in specific areas for a limited amount of time.

During the campaign, reward amounts are raised above the standard amount. Learn more about targeted research campaigns in unit 5.

Program Announcements

The program announcements page is where researchers are notified about the timeline, promotional bounty amounts, and eligible report criteria for targeted research campaigns. Researchers can use this information to decide where to devote their testing to optimize their bounty potential.

Chatter

Chatter is a secure Salesforce collaboration application that allows users to communicate with each other and share information in real time. Researchers and Salesforce staff utilize Chatter to interact with one another on the report feed.

Sum It Up

In this unit, we covered the specifics of the Salesforce Bug Bounty Program, the skills needed to gain an invitation, and the components of the Hackforce platform. If you’ve accepted an invitation to join the Salesforce BBP, how can you thrive as a security researcher? Coming up, learn about successful vulnerability reports and targeted research campaigns.
