Why Bounty Programs Are A Good Fit For The  Agile Development Process

Jacek Materna on March 27, 2017

Setting our customers up for success is always a top priority for us at Assembla, from the quality of our product to how we deliver and support it. For our DevOps team, we’re obsessed with global uptime, application performance and security. As the CTO I can say that we work tirelessly to keep all services running smoothly and securely and I'd like to dive into how we do it in this post. 

Having spent the better part of the last 15 years in network security building, hacking and selling network security software across various verticals, I’m passionate about security and take it very seriously. I understand and have seen first hand the implications of not positioning security at the forefront of your business.

At Assembla, how we handle network threats today and in the future is a top priority for us. In fact, network security is a strategic initiative at Assembla because it’s closely tied with the availability of our services and this goes back to ensuring our customers are set up for success.

We approach security at Assembla as “Defense in Depth” which I like to call the “Onion.”

Security Awareness Program

At the core of our strategy lies our Security Program that was designed specifically for all Assembla staff and employees. We know that the majority of security breaches occur due to leaks in internal processes  and it’s not uncommon for employees not to be unaware that how they go about their everyday processes and procedures could impact customer data and the integrity of our internal systems. This is the responsibility of the CTO, not the employees, to ensure the entire organization is educated and fully trained on security best practices and requirements - and that is what our Security Awareness Program is built upon.  


Knowledge of threats goes a long way in educating everyone and reinforcing good behavior across the board.

Network Security and Security Incident and Event Management (SIEM)

Assembla runs in a hybrid cloud environment with high performance IO applications running in our Equinox DCs to ensure our customers’ code repositories are always up and running and are fast. We’ve invested heavily into hardware, software based perimeter defense, including post breach monitoring and mitigation systems.

We have strong processes set up internally to compartmentalize access to data and key systems. Assembla staff touch and interact with multiple systems that have customer data at rest. We use a variety of tools that reference or contain data about customers and their data which is why we follow strict access control restrictions. We make sure tools only have the bare minimum needed to get their job done and security audits are performed regularly.

Since customer data in a multi-tenant environment is shared by  definition, strict controls and policies must exist to compartmentalize access to data in  transit and at rest. To monitor, maintain and coordinate these processes, we run a four step Security Incident Response Killchain which is coordinated by our Security Operations Center (SOC).

security_awareness_program_two.pngThe SOC is constantly monitoring the perimeter, application usage for nefarious activity using our SIEM system. We invest a lot of money and resources monthly ensuring we have a very solid defense for our customers.

Continuous Audits and Hacker Bounty

Assembla uses HackerOne, a leading premier vulnerability coordination platform.

The basics of HackerOne are simple. Assembla creates our own security program page with instructions for hackers that include:

  • what targets are in scope
  • what types of findings are eligible and not
  • what rewards we’ll be paying
  • what behaviors are acceptable
  • what the ideal vulnerability report should look like

We then set bug bounty awards by technical classification of the bug and severity of its possible impact. We set a minimum of $75. To get attention from the world's best hackers, you want to pay more than the platform average.

Who are the hackers?

Your hackers, also called security researchers or finders, are selected from the top tier of HackerOne. You can invite your own hackers, or HackerOne can customize your invitations for your specific needs. Your program starts private but can be made public. As bugs come in we review the reports for validity, using the report's proof of concept and the hacker's reputation on HackerOne. If valid, we prioritize the fix to the vulnerability in our backlog.

Why a bounty program?

I’ve been in security long enough to know that bounty programs are a critical piece to ensure a quality security program. In the past, they were secret communities. Now we have a range of options that bring hackers and organizations together, imagine that.   

Security is hard because it is unfalsifiable. I can’t say that I’ve found all the bugs in any given program so I try to stack the odds in my favor by layering systems that surface bugs: design reviews, code reviews, type systems, program analysis, external security audits, blackbox scanning, etc. Bounty programs sit at the end of this process which means every bug found is one that slipped past everything thrown at it. Bounty programs are a good fit with agile development practices. In the old days you planned 6 months of software development, you hit your deadlines, it went to QA, then it shipped.

Today everyone does agile because it ships faster; continuous and legacy QA teams are near extinction. Bounty programs fit this environment great because fixes can be pushed quickly and act as informal QA. However, a bounty program does not replace anything you are or should be doing security-wise, it just augments it; it’s the icing on the software development lifecycle cake. A bounty program does not replace consultants, they are different tools to achieve different things. If you want to discover a whole lot of security bugs however, bounty programs are a good bet.

HackerOne is the best offer on the market to today in my opinion. It’s a SaaS take on a world that has existed in secrecy which is exciting in its own regards because it gives anyone access to this deep talent pool to have more secure software on the web.

A Recent example at

Recently a great article was published by a hacker about an SVG exploit in our web application. We identified, reproduced and deployed the fix to production in 24 hours. This is a testament to the security killchain we run here at Assembla and it’s improving every week. A bounty will be given to the hacker for his great work in helping us. He did amazing work exposing an issue. We welcome and readily patch issues found!

convo security.png

Assembla is always on guard for our customers, ensuring data, sessions and apps are safe.

If you’d like to join efforts in helping Assembla get better and already have a HackerOne account, you can find us at