Maintaining a video streaming service across Africa is challenging enough, without the added pressure to secure customer data and protect our shows and movies’ security. Asking people to find ways to breach our systems can be painful, and sometimes humbling, but it’s ultimately the best way to ensure security.
Showmax has everything from the latest Hollywood movies to African telenovelas, our original dramas, and major sporting events. The latter, in particular, comes with all the big volume live-streaming tech nightmares that you’d expect, only with the added challenge of African infrastructure laid on top. I can honestly say that when your customer base runs the spectrum from rural Kenya to metropolitan Cape Town, and you’re managing a half-billion play events annually, every day brings a new curveball.
TL;DR: If you love challenging security problems, contact us at firstname.lastname@example.org!
Our reputation is everything
Africa may have by and large leapfrogged fixed-line connectivity and gone straight to mobile, but online payments are still far from the norm and often viewed with suspicion. That means our first challenge is gaining customer trust and, once earned, we want to hold onto it and maintain it. With legislation like GDPR and POPIA and various local privacy laws becoming the norm everywhere we operate, we are incredibly aware of the significant penalties for exposing customer data. On the other side, our business relies on studios having confidence in our ability to protect the security of their flagship TV shows and movies. In this kind of environment, where a breach could be fatal for the company, proper security testing is vital, and this is where our bug bounty program comes in.
Preparing for an attack we never imagined
Our bug bounty program means we have people testing our security and devising attacks that we hadn’t thought of, and that couldn’t be predicted. Actively inviting people to find ways to break our systems can be painful and, at times, humbling, but we know it’s in our best interest to have this layer of scrutiny in our security strategy. We refine it all the time - we want people to examine our website, mobile, and TV apps but, if they find something on an ancillary site that they believe has significant value, we will take a look at that too. In the three years the program has been running, we’ve continued to refine the list of vulnerabilities we’re looking for and rewarding for. Broadly, we want to know about vulnerabilities where bad actors could gain access to user data, studio content, or cause service downtime. We’re currently looking to hear about authentication and authorization issues, access to internal data, remote code execution, cross-site scripting and particularly clever vulnerabilities or unique issues that do not fall into explicit categories.
During the program, we’ve had a number of near misses. One example is when a hacker uncovered a massive reputational risk bug, whereby rogue emails could appear to come from the Showmax domain but wouldn’t get picked up by spam filters. There was also a potential, though fortunately never exposed, risk where a payment system could be fooled to get access to our service. Overall, over the past three years, we have paid out more than $30,000 in bounties for over 130 valid vulnerabilities. We pride ourselves in our speed to resolution - it usually takes just a couple of hours from report to resolution. Speedy resolution helps security by ensuring the bug is fixed before it can be exploited by anyone else. It also has the added benefit of strengthening our relationship with the hacker community. Our hackers recognize that our program will respond and payout in good time, meaning they keep coming back to hack for us.
Growing bug bounties
As our customer base grows and we expand geographically, we are increasing the scope of our bug bounty program with additional devices and functionality. We’re always surprised and pleased with the HackerOne community of hackers. I’d recommend to anyone thinking about their offensive security to engage with hackers as the attacks we see simulated are often ones we would never have considered. The potential damage to the service and company reputation would far outweigh the cost of a managed bug bounty program.
Making sure you set hacker expectations, and meet them through speedy resolution time, will ensure that relationships with your hackers stay positive and keep them coming back. I’d also recommend being transparent with the process of resolution and honor the researcher’s part in the process with thanks or bonuses for stand-out work.