
What is SevHunt?

SevHunt is a platform that you can use to run and manage an Internal Bug Bounty program.

With Internal Bug Bounty programs, your employees act as the security researchers, poking at systems that external programs would never have access to. Instead of cash, SevHunt lets you award your team with points that can be exchanged for exclusive swag.

Here's a bit more detail on what SevHunt offers:

A place to report security bugs

SevHunt is a centralized location for your employees to log in and report bugs to your security team. Once reported, bugs are triaged by your security team and, if found to be legitimate, awarded with virtual points to be exchanged for rewards.

You can think of it a bit like an issue tracker with security controls, notifications, incentivization, and collaboration built-in.

A reason to report security bugs

When the triage team accepts a report as being valid, the reporter (your coworker) gets awarded with points. You can think of points like tickets in an arcade - valuable in context, exchangeable for goodies, and really satisfying to collect.

Points are spent in your Store, which you also configure through SevHunt. Your Store is a "light" e-commerce site - you configure products, review incoming orders, and manage fulfillment all without leaving the platform.

We aren't opinionated about what products you place in your store - some companies may already have a swag/design team they can lean on, others may feel more comfortable giving out gift cards. If it gets your team reporting bugs, you've done a good job!

A modern, collaborative triage experience

Reports in SevHunt are non-linear, in that your team collaborates to refine a bug's summary and replication steps without having to go back and forth in the comments. No more opening a report and being bombarded with its entire history.

That collaboration happens in real-time, with the reporter and triage team working together throughout the report's lifecycle. In an external program that'd be harder (who wants to leak corporate drama), but in an internal program there's an implicit trust that makes the entire process feel a bit friendlier.

Privacy for your most terrifying bugs

SevHunt uses client-side encryption for everything involved in the reporting flow: titles, summaries, replication steps, replies, and even file uploads.

When a user submits a report, they first encrypt it using your organization's public key. Later, your triage team can decrypt it using organization keypairs they share with other admins. Users and organizations can always rotate to new encryption keys, either as part of normal hygiene or if all of your keys become lost.

Note that not all data in your organization is encrypted: user info, products, orders, hunting instructions, and program updates are stored in plain text so they can be accessed by your company without a mass-shared encryption secret.

This is done more for our peace of mind than yours - we don't want to know your security bugs, and don't want a compromise on our side to affect your privacy. Our database could leak today and your secrets would still be safe (pending great advances in quantum computing, we suppose).

Funny anecdote from a conversation about SevHunt's encryption scheme:

"Why do all this work to encrypt data if no one else does?"

"I don't know, it was pretty hard. I guess either they're really busy, or they really want your data."