At Grammarly, we consider security our first and most foundational product feature. It’s at the heart of how we operate as a company and how we develop our product. Part of this is maintaining internal safeguards, from operations controls and a Security Champions program to constant application monitoring by our specialized Security team. And with the goal of validating the trust of the more than 20 million people and 10,000 teams we serve every day, we also believe it’s vital to go further—and invest in high-level risk assessment from third-party sources.
That’s why we run a bug bounty program with HackerOne, a leading security platform that brings together ethical hackers to assess cybersecurity issues of all kinds. Since launching our public program in 2018, we have seen great success in our ability to reduce the risk of security incidents. With access to a global pool of talented security researchers, we can diagnose vulnerabilities before they may be identified by malicious actors to be exploited.
Supporting Grammarly security through a bug bounty program
A bug bounty program invites ethical hackers to detect software vulnerabilities and report them directly to the company for remediation. Security researchers study the product, compile reports on detected bugs, and receive monetary rewards according to the problem’s criticality. They follow strict guidelines for ethical security research that support software providers in remediating possible threats quickly.
Grammarly strives to explore all possible avenues to ensure product security at the highest level. We selected HackerOne as our platform to partner with for a bug bounty program because it is one of the largest platforms focused on ethical hacking and hosts a talented, respected community with formidable cybersecurity expertise. With more than 300,000 registered hackers, the platform allows for scaling a global vulnerability-watch program around the clock. Some of the world’s largest and most notable technology companies have also partnered with HackerOne.
Setting up a successful program
To launch our public HackerOne bug bounty program, Grammarly’s Security team coordinated with teams across the Engineering organization to create a clear and detailed set of rules outlining how the company can productively work with hackers. This includes specifications about what vulnerabilities are most crucial for the HackerOne community to focus on, along with requirements for submitting reports and rewards. You can see the rules and guidelines that clarify scope and focus on our HackerOne program page.
To have a strong bug bounty program, we engage actively with the community. Here are a few principles that the Grammarly team keeps top of mind:
- We maintain consistent communication: It’s essential to respond to hackers and ask them about their work. Even though the HackerOne team pre-tests reports, we also look at the rejected options to make sure we are reviewing all feedback that may be useful to us to strengthen our security posture.
- We react quickly: Speed is of the essence. At Grammarly, we pride ourselves in maintaining an extremely high score for response efficiency—close to 100%. It’s vital that we respect the work of the researchers, many of whom are doing the work out of care for our product and interest in promoting secure software.
- We provide motivation beyond standard remuneration: Grammarly makes sure to provide monetary bonuses to researchers who send in quality reports—even if they have not yet found critical vulnerabilities—so these researchers stay engaged. We also provide bonuses to security researchers who aren’t just looking for individual bugs but are building complex attack scenarios consisting of several vulnerabilities. We want to encourage complex analysis.
Ensuring swift remediation
Our HackerOne bug bounty program helps us to deliver a product that is safe and secure for all our users and customers. Central to achieving this objective is making sure our team promptly responds to reports from security researchers—and then works with teams across our Engineering organization to remediate as quickly as possible.
To ensure we are doing so, Grammarly maintains an official, structured process to swiftly address any vulnerabilities. Our Security team manages all incoming reports, directs the report to the necessary team, and collaborates with engineers to provide necessary input and project management to resolve issues.
Once we solve for any potential vulnerability, Grammarly’s engineers then need to be able to deliver the fix to all users and customers immediately. That’s why we maintain consistent update mechanisms that keep in mind all functionality requirements—so all customers can trust that they always have the most up-to-date and secure version of our product offerings.
Building on bug bounty success
Since the 2018 launch of our public bug bounty program on HackerOne, Grammarly has seen extraordinary commitment from the security researcher community. To date, we have resolved almost 150 reports and paid more than $100,000 to 127 researchers. Stats are continually collected on our HackerOne program page.
And we are always continuing to develop the program to focus on new features and product developments. We add bonuses and other incentives to make sure security researchers are paying attention to what’s most important for Grammarly customers. As we continue to develop our writing assistant to support effective communication everywhere people work, we are consistently engaging with the HackerOne community to get the top security researchers to provide essential expert-level scrutiny.
Grammarly believes strongly in this program. It facilitates our access to the best resources to mitigate vulnerabilities and fend off any potential attackers. Millions use Grammarly every day—and each user should be able to trust that the software is as safe and secure as possible. Grammarly’s HackerOne bug bounty program supports us in this endeavor.
Learn more about Grammarly security operations, policies, practices, and attestations here.
