As the world’s leading AI communication assistant serving more than 30 million people and 50,000 teams daily, Grammarly’s top priority is to ensure the data its customers trust it with remains secure and private. To strengthen that trust and guarantee that every new product version is exposed to security researchers, with validation and testing happening around the clock, Grammarly turned to the cybersecurity company HackerOne. Suha Can, CISO of Grammarly, dives deeper into how the company went above and beyond standard security practices to provide the most secure and private product possible, and Alex Rice, Co-founder & CTO of HackerOne, offers his input into how HackerOne worked with Grammarly to improve the company’s security strategy.
In mid-2017, Grammarly was in the early stages of accelerated growth. To ensure robust security as it scaled, it wanted to understand where there might be existing and potential gaps in its security. The organisation was also eager to give its users additional assurance that its product was secure.
The idea to implement a bug bounty program was introduced by Grammarly’s engineering team and supported by executive leaders as a top priority. Grammarly launched a private bug bounty program with HackerOne Bounty in September 2017. It knew ongoing collaboration with a talented group of security researchers would lead to a better, more secure product. The Grammarly team worked with HackerOne to define program policies, scope and best practices for reporting metrics, bounty rewards and response SLAs. HackerOne also assisted Grammarly in planning the long-term hacker-powered security program, which would ultimately include a public HackerOne Bounty program and HackerOne Pentests. The result was a successful bug bounty program supported by healthy performance and engagement metrics. The private bug bounty program showed a quick return on investment and early findings resulted in systematic changes across all production environments to ensure end-to-end protection.
Suha Can, CISO of Grammarly, tells us more about how the organisation achieved what it set out to.
Can you give an overview of what it is that Grammarly does and how you remain the world’s leading writing assistant?
Grammarly is an innovative AI company and it’s all about enabling people to compose, revise and comprehend what they’re writing, wherever they’re writing. Privacy is at the centre of all our offerings. We have individuals using Grammarly to write, we also have businesses leveraging Grammarly within their workflows to increase their productivity, to be more on-brand with their tone and overall to improve their communications. Our mission is improving lives by improving communication.
What did you set out to achieve ahead of your collaboration with HackerOne and what were your strategic priorities?
The main starting point for us was that we wanted to know what we didn’t know and this led us to HackerOne. We use third-party companies to come in and test our security and compliance controls. We have our own internal red team that does end-to-end offensive security operations to identify and mitigate issues, but all of this is not enough because we don’t believe we are smarter than the entire community of ethical hackers. Grammarly has a lot of different environments it runs on: a browser extension where you’re writing in the browser; desktop software; web services; an Android keyboard, so considering the multitude of platforms, there is a significant variety of different attack surfaces. I don’t think any single company can have internal expertise that they can claim across all these areas. This was really appealing for us early on because there’s a global community of hackers with all sorts of different expertise and we really benefitted from this.
How did you go above and beyond standard security practices to provide the most secure product possible?
We do a lot of fundamental security practices that other companies do but for us, trust is paramount. There are three pillars of success for us: trust, context and ubiquity. We bring personalised context as someone is writing so that we can provide the best assistance possible for them to drive better business outcomes. We are ubiquitous, providing seamless communication assistance across 500,000+ apps and websites. Lastly, to achieve ubiquity and context, we hold a high bar for trust, privacy and security. We have the highest standards possible, including third-party security scrutiny on a continuous basis.
How did you work with HackerOne to ensure that every new product version is exposed to security researchers, with validation and testing happening around the clock?
With HackerOne, when you put something out there, it’s continuous. The attention is continuous and with security, things often regress – so you will build a control and launch it, it works perfectly at that point in time but the whole product changes. Whatever mitigation you think is there is no longer there, or there is a security incident and you need to remove a bunch of alerts. So, the continuous aspect of HackerOne is what is very appealing and gives us confidence.
How did the launch of the public bug bounty program mean you could immediately identify potential vulnerabilities as the product evolved?
We have a security software development life cycle and anything new that launches will typically be included in our bug bounty program. The team knows that when it launches a new feature, we expect it to have added it to the HackerOne bug bounty scope on day one. Our team works closely with our development team and there comes a point where we have done our security review and found all that we can, we know you will launch it soon for customers, so let’s just make these features available in our bounty program even in advance of that launch. In some cases, this definitely yielded us new insights that we had not thought about, long before our product is launched and adopted by our customers. We are super proactive about this, it’s part of our security development life cycle.
How do you ensure security is a continuous process within your operations and how would you now describe your organisation’s security culture since working with HackerOne?
Working with HackerOne has definitely helped us to have a security culture that is really developer-driven because ultimately, security is everybody’s job but developers make a lot more security decisions on any given day, compared to security engineers or security researchers. We have a security champions programme where each large product area has a particular champion communication channel (via Slack) and it’s all created out there in the open. Whenever there’s a new HackerOne vulnerability, as soon as it’s triaged it’s shared in the channel automatically in our communication platform (Slack). People quickly engage with it so it’s deeply integrated into our security culture.
Alex Rice, Co-founder & CTO, HackerOne, expands on this.
Do you have any advice for CISOs in terms of improving their security programme?
A great lesson for CISOs is just to stay humble with your security programme. Grammarly clearly has a thoughtful industry-leading security programme with pentests and red teams and scannings and secure software development life cycle and developer education and all these things, so it doesn’t think it’s smarter than everybody else out there. It knows it has things it’s missing and the organisation is structuring its security programme around that. I encounter way too many security teams that can’t admit to themselves that they’re not perfect and they present this invulnerability which is wholly incompatible with how modern software is built. I hope that anyone reading this can take away a ‘stay humble’ mentality – it will take them a long way.
What was your company strategy going into this and how would you summarise the collaboration?
Something that was very clear from the beginning with Grammarly was that the engineering and development team were deeply involved and engaged in getting this right. It sounds like such a simple thing to say on the surface, but in practice, only a minority of our customers have an engineering leader or technology leader engaged in earning the trust of their customers. So, we were thrilled when Grammarly came on board and I think that really influenced how we approached the partnership.
I think some elements of that are reflected in how I talked about the programme that are unique to technology led organisations versus areas where security is a bit of a bolt-on risk management function at the end. We definitely tailor our engagements to match those two personas. We have customers that are very clearly technology driven and we have customers where security and privacy is a cost centre trying to minimise downside to the business and I think it really shows when a partnership leads with this being a core part of the solution.