23andMe Launches a ‘Bug Bounty’ Program

In a continued focus on security vigilance, 23andMe launched a “bug bounty” program through Bugcrowd soliciting ethical hackers interested in identifying potential security vulnerabilities across its digital assets.

Bugcrowd, a San Francisco-based cybersecurity company, helps connect businesses to security researchers (aka ethical or whitehat hackers) and awards bounties for finding security vulnerabilities. The company helps to manage the overall program, triage and validate identified vulnerabilities, and manage monetary incentives.

Bug Bounty

23andMe has long had a private bounty program with Bugcrowd. Over the last year, about 1,900 ethical hackers and security researchers searched for security vulnerabilities as part of that private bug bounty program. 23andMe is now making the program publicly accessible to all security researchers and hackers. The move to a public bug bounty program is meant to solicit a larger pool of ethical hackers who can test our security systems, said David Baker, 23andMe Chief Security Officer.

“Privacy and security have always been in our DNA,” David said. “But leveraging a broader community of external security researchers and ethical hackers is only going to improve the already great work the team is doing.”

Culture of Security

Since coming to 23andMe in early 2020, David has helped to build upon a culture of security company-wide. During his tenure, 23andMe’s IT and security team has worked with external auditors to scrutinize our systems and in the process earned two additional privacy certifications and renewed an existing security certification.

23andMe has also instituted more systematic internal training, and even gamified security. October is cybersecurity month and it will also mark “Hacktober” at 23andMe, a month-long competition to raise security awareness. The exercise pits internal teams from all departments against each other.

Hacktober

Last year the competition included identifying and reporting phishing, as well as a “capture the flag” competition for engineers. That included challenges in different areas like AWS security, cryptography, web applications, and command-line attacks. Each challenge had a different flag objective. There was even an internal bug bounty program where employees could earn payouts for reporting security vulnerabilities.

This year’s Hacktober also coincides with the launch of the public bounty program through Bugcrowd. Our public bounty program with Bugcrowd comes as public awareness and concern about sophisticated hacks, ransomware, and data breaches are undercutting confidence in the ability of governments, businesses, and other institutions to protect personal data.

Securing and ensuring the privacy of our customers’ data is paramount at 23andMe. This public bug bounty program will encourage external security researchers and ethical hackers to compete to find potential security flaws so that we can fix them. It will also continuously help us harden our systems against attack.

For more information on 23andMe’s bug bounty program visit https://bugcrowd.com/twentythree-and-me.