Bugcrowd Blog

Case Study: Twilio's Bug Bounty Program Over the Years

Posted by Payton O'Neal on Jan 17, 2017 6:37:00 AM

After two and a half years of running an outstanding bug bounty program with Bugcrowd, we’d like to shine a spotlight on one of our most engaged customers: Twilio.

Not only has Twilio exhibited a consistent commitment to the security researcher community, but they have also engaged with the crowd in many different ways. Read our recently published Twilio Case Study to learn more about their ‘crawl, walk, run’ approach.

Why a bug bounty program for Twilio?

Throughout the lifetime of their program, we have worked closely with the Twilio team to make sure their program and rewards matched their organizational goals. They first launched a private program and transitioned to a public program after about nine months. With guidance from our support team, they also increased rewards to boost testing activity.

Their public program today offers rewards up to $5,000. View their bounty brief here.

Program results and learnings

Through their private and public bug bounty programs, they have received over 1200 submissions from researchers in over 60 countries around the world. These have included high-value submissions, and they have paid out over $50,000.

Twilio has also formed a meaningful relationship with the researcher community and received steady contributions from many top researchers. One of their most engaged researchers, Thanh Nguyen from Vietnam, spoke about his positive experience testing in the Twilio program because they “play very fair.” Read our Researcher Spotlight with https://bugcrowd.com/yeuchimse.

In addition to receiving high-quality results through their bug bounty program, Twilio has learned a lot from working with the security researcher community.

Download the case study to learn more about their learnings

The additional layer of triage and validation provided by our Application Security Engineering team has allowed them to increase their vulnerability-finding capabilities while freeing up resources and allowing their security team to focus on other areas of the business. Thus, crowdsourced testing has improved upon their existing Product Security initiatives, finding additional unknown and high-value vulnerabilities and delivering an incredible return on investment.

Twilio's continued success is indicative of their commitment to Product Security and is a great model for other organizations struggling to improve current initiatives. Their mindful program launch and improvement over time give others an example to look to in implementing their own bug bounty program.

Read the Case Study
