Salesforce paid more than $2.8 million in 2021 bug bounties, $12.2 million since 2015

Last year, ethical hackers submitted reports of more than 4,700 suspected vulnerabilities to Salesforce.
Written by Jonathan Greig, Contributor

Salesforce announced this week that it rewarded ethical hackers with more than $2.8 million in bounties for finding vulnerabilities throughout 2021. 

More than 4,700 reports on suspected vulnerabilities were submitted to Salesforce last year, and the highest bounty paid was $30,000.  

Since launching its bug bounty program in 2015, Salesforce has paid out about $12.2 million in total and accepted about 22,200 reports. More than $9.5 million of that has come since 2019, according to Salesforce data. 

Salesforce software engineer Anup Ghatage said engineering teams use data from the bug bounty program "to better understand the tendencies and methodologies of malicious hackers."

"Being able to understand the methods the hackers use to find vulnerabilities allows me to employ the same methods to better secure our software," Ghatage said.

Salesforce explained that once products and features are tested internally, ethical hackers are asked to take a crack at testing security features in sandboxes. 

As an example, they said the Trailhead Slack App was used as a bounty promotion in August before it was released in September. One hacker who participated in the program, Inhibitor181, said he started out in ethical hacking after becoming a developer. 

"Not only is it more stimulating and less monotonous to use my programming skills to legally hack into global companies' products, but it also allows me to do my part in preventing cybercrime. Not all hackers are bad," they said. 

In October, Google and Salesforce announced the creation of a vendor-neutral cybersecurity baseline called the Minimum Viable Security Product (MVSP), which they said was an effort to "raise the bar for security while simplifying the vetting process" for third-party vendors.  

Editorial standards