Learn About Targeted Research Campaigns
Learning Objectives
After completing this unit, you’ll be able to:
- Describe the benefits of a targeted research campaign.
- Explain the Salesforce Bug Bounty Program targeted research campaign.
Benefits of a Targeted Campaign
The Salesforce Bug Bounty Program (BBP) encourages researchers to submit vulnerability reports on any in-scope Salesforce product at any time. But the program also features targeted research campaigns with increased bounties to focus research efforts on a specific topic for a limited time.
One of the greatest impacts of targeted campaigns is in the development and testing of new products. Product teams are able to “crash test” new products by releasing them to a trusted network of researchers in a sandbox environment. A sandbox environment mirrors production but contains synthetic data to test issues without affecting actual users.
In addition to new products, targeted research campaigns can focus on existing assets, such as those that haven’t gotten many submissions.
Targeted research campaigns direct researchers to concentrate on a smaller scope of products for a given period. When researchers hone in on a particular area, this kind of deep dive research can result in some of the program's most impactful findings.
The timeboxed nature of a targeted campaign also allows product, engineering, and security teams to coordinate their efforts. Salesforce teams can concentrate energy in an area to increase bug discovery, learn researchers’ methodologies, coordinate remediation, and run systemic risk analyses.
Focus on Results with a Targeted Research Campaign
Since 2019, Salesforce has consistently offered increased bounties for verified reports on selected Salesforce products during targeted campaigns. Bounties can range anywhere between 1.5 to 5 times the standard bounty amount.
Salesforce typically runs at least two campaigns per month, lasting 1 to 4 weeks at a time, offering researchers multiple opportunities to conduct targeted research and earn bonus rewards. Targeted research campaigns usually focus on a specific security target, such as an asset, vulnerability type, or severity class, depending on key focus areas for the business.
When the Bug Bounty Program runs a targeted research campaign, researchers receive an announcement about the timeline, bounty amounts, and eligible report criteria. Researchers find the details on the program announcements page and can focus on the engagements that maximize their earnings potential.
You may be wondering why Salesforce devotes additional reward money to these targeted campaigns. By focusing attention in a particular area, targeted research campaigns typically result in a larger number of reports. As a result, Salesforce Product and Engineering teams learn from the bug bounty findings and the methodologies behind finding such bugs to prevent similar issues from occurring in the software development lifecycle. This feedback loop serves to improve overall security.
For example, in the month prior to its release at Dreamforce in September 2021, the Trailhead Slack app was the focus of a targeted research campaign. Researchers discovered and reported vulnerabilities that product teams were able to fix prior to reaching production.
Finally, Salesforce invests money into targeted campaigns because they provide results. Salesforce has awarded bounties as high as $48,000 and has paid over $3 million annually in rewards to bug bounty researchers.
Conclusion
Recognizing the contributions of ethical hackers, Salesforce is committed to running a successful and effective bug bounty program. Using Hackforce, researchers can efficiently track their report progress and communicate with Salesforce teams. Researchers have the potential for increased earnings by participating in targeted research campaigns. Plus, researchers can expand their skills through close partnership with other hackers and Salesforce.
On the other side, hackers contribute meaningful insights to Salesforce to inform future security investments across the business and in particular products. The ability to find and fix vulnerabilities before products are rolled out to users is key to maintaining trust among customers, partners, and the entire Salesforce ecosystem. Working in partnership with security researchers, Salesforce can remain at the forefront of constantly evolving software security.
Resources
- Salesforce Blog: Why Salesforce Paid Hackers $2.8M in 2021 to “Break Into” Its Products
- Salesforce Blog: Virtual Meets Reality: Why Salesforce Joined Forces with 100 of the World’s Top Hackers
- Salesforce Blog: “It’s Not About a Paycheck, But a Purpose”: Bug Bounty Hunter Reveals Why He Hacks for Good
- Salesforce Blog: How Salesforce’s $18.9M Investment in Hackers Is Paying Off
- Trailhead: Explore Salesforce Culture and Values
