A Bounty of Security

“Do what’s best for the job seeker.” This has been Indeed’s guiding principle since the beginning. One way we put the job seeker first is by keeping their information safe and secure. We always consider the security of our systems as we develop the services that millions of people use every day. But someone will outsmart us. Hackers are always trying out new ways of bypassing security and gaining access to systems and information. Our challenge: to bring these security experts over to our side and benefit from their findings.

[Image: lock and chain] Image by stockarch – stockarch.com (Licensed by Creative Commons)

Our answer to this challenge is, well, money. Actually, money and fame. Indeed offers security testers a legitimate route for reporting their findings, and we reward them for their time with cold, hard cash and recognition. Through our bug bounty program we have paid out on over 300 submissions in the past year and a half, with payouts as high as $5,000 for the most severe bugs. Our most successful participants (looking at you, Angrylogic, Avlidienbrunn, and Mongo) have earned cash while building their reputations as highly regarded testers for Indeed.

 

Reward amount per submission in the last 18 months

Criticality   Reward amount   Relative submission count
CRITICAL      Up to $5,000    0.7%
HIGH          Up to $1,800    4%
MEDIUM        Up to $600      31%
LOW           Up to $100      64%

Why create this program?

Prior to our bug bounty program, we occasionally received messages that sounded like blackmail. An anonymous person would contact us, insisting that we pay them, or they would publicly release the details of an unspecified, but totally serious, security bug. These individuals expected payment up front, with no guarantee that they even had a bug to expose. While we’re happy to compensate researchers for helping us improve our services, we didn’t want to encourage this coercive behavior. It felt wrong.

To solve the mutual distrust, we started using Bugcrowd.com as an impartial arbiter. On Bugcrowd, security researchers are more willing to provide evidence up front, giving us the chance to fairly assess the bug’s severity. Indeed can now provide rewards without abuse, and everyone lives happily ever after…

Theory vs practice

“Happily ever after…” is more difficult in practice. Since the program started, we have received almost 2,500 submissions, each issue potentially taking hours to validate. Every time we advertise our bounty program or raise our payouts, we see a large spike in submissions. To an outsider, it might look like we’re dragging our feet, but in reality, it’s all hands on deck to reply to these submissions. This blog post alone will generate several more hours’ worth of bug validation thanks to the increased visibility of the program.

We initially struggled to quickly respond to testers’ submissions, creating a backlog. This backlog grew because we received more submissions than we had time to process. We ended up doubling down on our efforts over a painful couple of weeks and then implementing a new standard for response time. Since then, response times have been under control.

[Chart: Sum of open Ticket Days over Time]

Note: The value of Ticket Days is the sum of days that every ticket is open on a particular date. For example, on a given date, one ticket open for 3 days + one ticket open for 2 days = 5 Ticket Days.
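As an added example (written for this page, not Indeed's or Bugcrowd's own tooling), here is how the Ticket Days metric defined in the note above can be computed from a list of tickets with open and close dates. The ticket data is constructed for illustration, and the convention that a ticket's opening day counts as day 1 and its closing day no longer counts is an assumption; the note does not fix those boundaries.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ticket:
    key: str
    opened: date
    closed: Optional[date] = None  # None means the ticket is still open


def days_open_on(ticket: Ticket, day: date) -> int:
    """Whole days the ticket has been open as of `day`.

    Assumption: the opening day counts as day 1, and a ticket no longer
    counts from its closing day onward. Returns 0 if not open on `day`.
    """
    if day < ticket.opened:
        return 0
    if ticket.closed is not None and day >= ticket.closed:
        return 0
    return (day - ticket.opened).days + 1


def ticket_days_on(tickets: List[Ticket], day: date) -> int:
    """Sum of open Ticket Days on one date, as in the note: 3 + 2 = 5."""
    return sum(days_open_on(t, day) for t in tickets)


def ticket_days_series(tickets: List[Ticket], start: date, end: date) -> List[Tuple[date, int]]:
    """Daily series of the metric over [start, end], suitable for charting."""
    series = []
    day = start
    while day <= end:
        series.append((day, ticket_days_on(tickets, day)))
        day += timedelta(days=1)
    return series


# Constructed sample tickets (not real submissions).
SAMPLE_TICKETS = [
    Ticket("BB-1", date(2015, 6, 1), date(2015, 6, 4)),  # open June 1-3
    Ticket("BB-2", date(2015, 6, 2), date(2015, 6, 4)),  # open June 2-3
    Ticket("BB-3", date(2015, 6, 4)),                    # opened June 4, still open
]


def sample_report() -> List[Tuple[str, int]]:
    """The series for the sample data, with ISO dates for easy reading."""
    return [(d.isoformat(), n) for d, n in
            ticket_days_series(SAMPLE_TICKETS, date(2015, 6, 1), date(2015, 6, 5))]


if __name__ == "__main__":
    for day, total in sample_report():
        print(day, total)
```

On June 3 the sample gives 3 + 2 = 5 Ticket Days, the figure from the note. Because the metric weights each ticket by its age, it keeps climbing even when the number of open tickets is flat; that is what makes it a better backlog signal than a plain open-ticket count.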

Communicating clearly with the researchers is also important, so that they don’t think we are trying to take advantage of them. We keep in mind that they don’t have as much visibility into the process as we do. One common issue is handling duplicates. Paying for an issue the first time you hear about it makes sense, but how should we handle a duplicate submission from another researcher? The second submission doesn’t add any additional value, but from the tester’s point of view, they found a real bug. Clearly communicating why you are marking a ticket a duplicate and quickly fixing identified issues helps minimize this concern. In some cases, we decide to pay for the duplicate if it has great reproduction steps and a proof of concept.

Finally, we’re working on balancing the time we spend finding new bugs and fixing known bugs. Building and managing a popular bounty program leads to lots of good submissions, but that all falls to pieces if we don’t also spend the time fixing the bugs. At Indeed, the benefits of investing time improving our bug bounty program can’t be overstated.

Our successes so far

It seems we’re doing something right. Bugcrowd recently asked their security researchers which company’s program was their favorite, and you’ll never guess who won!

…Tesla won (we blame those fabulous Teslas). But we took runner-up, with 8% of all votes, racing against over 35 other programs. Many of the specific responses for our program referenced our fair payout practices, great communication, and permissive scope. While we know that we can still rev up the experience, we are happy for the validation that we are headed down the right road.


Forget Methodology — Focus on What Matters

At Indeed, we tackle interesting and challenging problems, at scale. We move from idea to implementation as fast as possible. We ship incremental changes, pushing code to production frequently. Our small releases reduce risk and increase quality.

But before we work on any solution, we ask: how will we measure success? This question keeps our solutions focused on what matters — measurable results.

Our approach to software development might be called “measure-learn-evolve.” Our teams employ techniques from various software development methodologies, but no single published methodology rules. We collaborate, we iterate, and we measure. Sometimes we succeed, sometimes we fail, but we are always learning.


We don’t view process implementation and improvement as success. Process is a means to an end. Process doesn’t deliver a successful product. (People do.) Process doesn’t provide talent and passion. (People do.) But the right process and tools can help people do those things and provide predictable mechanisms for:

  • planning what we need to do and setting relative priorities
  • communicating what we are doing or might do
  • remembering what we’ve done
  • managing our risk

We use Atlassian’s JIRA to implement these mechanisms. In JIRA, we propose ideas, define requirements, and plan projects. We document dependencies, track work, and manage releases. We describe experiments and record results. Customizing JIRA to our needs has helped us collaborate on success metrics and maintain our engineering velocity.

It wasn’t always this way. We started simple. We were a startup and we focused on getting stuff done, quickly.

As we grew, we didn’t want to lose this focus on getting things done quickly and with quality. But our ad hoc process was neither repeatable nor predictable. Inconsistencies abounded and we were not creating a memory for the future. So we began to model our development process in JIRA.

Customizing JIRA

We have our own JIRA issue types, workflows, fields, and roles. These customizations allow us to plan, communicate, and deliver our software in the way we want.

Linking custom project types

We use two types of JIRA projects for product development: a “planning project” that corresponds to the product, and an “engineering project” that corresponds to a deployable application or service.

Our planning projects contain Initiative and Experiment issues. We use the Initiative type to capture goals, plans, and success metrics for a product change. We plan product initiatives each quarter, and we iterate on them throughout the quarter. As part of that iteration, we use the Experiment type to describe specific ideas we want to test to optimize our products.

The engineering projects include issues that detail the implementation necessary for the initiatives and experiments. Each deployable application or service has a corresponding engineering project. Issue links connect related issues to one another. JIRA provides multiple types of bi-directional links. The following table gives examples of how we use them.

Link type                          How we use it
incorporates / incorporated by     Product initiatives incorporate engineering project issues.
depends upon / depended on by      Issues can depend upon other issues. This can model feature development dependencies or deploy-order dependencies, for example.
references / referenced by         An issue for a functional regression references the project issue that introduced the bug.

Issue types and workflows

We use JIRA’s standard issue types: Bug, Improvement, New Feature. The workflow for these standard issue types is a slight modification of a typical JIRA workflow:

  1. We create an issue and assign it to a project lead. The issue transitions to a Pending Triage state.
  2. If we can target work to a near-term release, we triage the issue, setting its Fix Version and assigning it to a developer. The issue then moves to Pending Acceptance. We move other issues to On Backlog.
  3. The developer accepts the issue, moving it to Accepted when they make a plan to start work.
  4. When the code is complete, the developer resolves the issue, moving it to Pending Review.
  5. After code review, we transition the issue to Pending Merge.
  6. When we’re ready to create a release candidate, we merge changes into the release branch and deploy to the QA environment, transitioning the issue to Pending Verification.
  7. The QA analyst verifies the work and either reopens the issue or verifies it, transitioning it to Pending Closure.
  8. After we verify all issues in a targeted release, we can release the build to production and move all the issues to Closed.

We also use custom issue types to model our process. In a previous post, we described the ProTest issue type (short for Proctor Test). We use this custom issue type to request new Proctor A/B tests or to change test allocations.

We have another custom issue type and associated workflow for localization. As we continue to grow internationally, we need a localization process that doesn’t slow us down. Coordinating with many translators can be a challenge, so we model our translation process in JIRA. Our Explosion issue type incorporates an issue for each target translation language. The workflow follows:

  1. We create an issue with English strings that require translation.
  2. We triage the issue and submit it for review.
  3. When the strings are ready to be translated, an automated step creates one Translation issue for each target language and links them all to the Explosion issue.
  4. Each “exploded” issue follows its own workflow: Accept, Resolve, Verify and Close.
  5. When all Translation issues are closed, we verify and close the Explosion issue.

The Explosion and Translation custom issue types and workflows help streamline a process with many participants. Because we triage by language and feature, translation issues do not block the release of an entire feature. Using JIRA also allows us to integrate machine translation and outside translation services.
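Both the standard issue workflow above and the Explosion/Translation workflow are state machines: a fixed set of states, a fixed set of allowed transitions, and a few guards (triage into a release needs a Fix Version and an assignee; an Explosion can only be verified and closed once every linked Translation issue is Closed). The following added example, written for this page rather than taken from Indeed's JIRA configuration, encodes both workflows as transition tables and enforces those guards. The action names, the state a reopened issue returns to, and the intermediate states of the Explosion workflow are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (current state, action) -> (next state, fields the action must supply)
Workflow = Dict[Tuple[str, str], Tuple[str, Tuple[str, ...]]]

# Standard Bug / Improvement / New Feature workflow from the numbered list above.
STANDARD_WORKFLOW: Workflow = {
    ("Pending Triage", "triage"): ("Pending Acceptance", ("fix_version", "assignee")),
    ("Pending Triage", "defer"): ("On Backlog", ()),
    ("On Backlog", "triage"): ("Pending Acceptance", ("fix_version", "assignee")),
    ("Pending Acceptance", "accept"): ("Accepted", ()),
    ("Accepted", "resolve"): ("Pending Review", ()),
    ("Pending Review", "approve"): ("Pending Merge", ()),
    ("Pending Merge", "merge"): ("Pending Verification", ()),
    ("Pending Verification", "verify"): ("Pending Closure", ()),
    ("Pending Verification", "reopen"): ("Accepted", ()),  # assumption: back to the developer
    ("Pending Closure", "close"): ("Closed", ()),
}

# Per-language Translation workflow: Accept, Resolve, Verify and Close.
TRANSLATION_WORKFLOW: Workflow = {
    ("Pending Acceptance", "accept"): ("Accepted", ()),
    ("Accepted", "resolve"): ("Pending Verification", ()),
    ("Pending Verification", "verify"): ("Pending Closure", ()),
    ("Pending Verification", "reopen"): ("Accepted", ()),
    ("Pending Closure", "close"): ("Closed", ()),
}

# Explosion workflow; the intermediate state names are assumptions.
EXPLOSION_WORKFLOW: Workflow = {
    ("Pending Triage", "triage"): ("Pending Review", ()),
    ("Pending Review", "ready"): ("Pending Translation", ()),
    ("Pending Translation", "verify"): ("Pending Closure", ()),
    ("Pending Closure", "close"): ("Closed", ()),
}


class WorkflowError(Exception):
    pass


@dataclass
class Issue:
    key: str
    workflow: Workflow
    state: str
    fields: Dict[str, str] = field(default_factory=dict)
    children: List["Issue"] = field(default_factory=list)  # linked Translation issues

    def _next(self, action: str, supplied: Dict[str, str]) -> Tuple[str, Tuple[str, ...]]:
        entry = self.workflow.get((self.state, action))
        if entry is None:
            raise WorkflowError(f"{self.key}: '{action}' is not allowed from '{self.state}'")
        nxt, required = entry
        missing = [f for f in required if not supplied.get(f)]
        if missing:
            raise WorkflowError(f"{self.key}: '{action}' requires {', '.join(missing)}")
        # An Explosion cannot be verified or closed until every linked issue is Closed.
        if self.children and action in ("verify", "close") and any(
                c.state != "Closed" for c in self.children):
            raise WorkflowError(f"{self.key}: linked issues are still open")
        return nxt, required

    def can(self, action: str, **supplied: str) -> bool:
        """Check a transition without performing it."""
        try:
            self._next(action, supplied)
            return True
        except WorkflowError:
            return False

    def transition(self, action: str, **supplied: str) -> str:
        nxt, required = self._next(action, supplied)
        self.fields.update({f: supplied[f] for f in required})
        self.state = nxt
        return nxt


def explode(parent: Issue, languages: List[str]) -> List[Issue]:
    """The automated step: one Translation issue per target language, linked to the Explosion."""
    for lang in languages:
        parent.children.append(Issue(f"{parent.key}-{lang}", TRANSLATION_WORKFLOW, "Pending Acceptance"))
    return parent.children
```

The value of writing the workflow down this way is that a transition either has a row in the table or it does not; skipping Pending Verification, or triaging without a Fix Version, is rejected rather than quietly recorded.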

Team triage

Many of our development teams use dashboards and agile boards in JIRA for easy access to issues associated with a product. During routine triage meetings, product development teams use these tools to prioritize and distribute development work.

Closing the memory loop

Each code commit in Git is traceable to a corresponding issue in JIRA. Further, if the referenced JIRA links to the initiative, the trail leads all the way to the initiative. This means that an engineer can review any code commit and follow the trail in JIRA to understand all related implementation details, requirements, and business motivation.
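The page does not say how commit-to-issue traceability is enforced at Indeed. One common way to get it, shown here as an added example that is not Indeed's code, is a git `commit-msg` hook that rejects any commit whose message does not name a JIRA issue key. The key format (`PROJECT-123`), the exemption for merge commits, and the project whitelist used in `main` are assumptions for illustration.

```python
#!/usr/bin/env python3
"""commit-msg hook: refuse commits that do not reference a JIRA issue key."""
import re
import sys
from typing import Iterable, List, Optional, Tuple

# JIRA keys look like PROJECT-123: an uppercase project key, a dash, a number (assumption).
ISSUE_KEY = re.compile(r"\b([A-Z][A-Z0-9]+)-(\d+)\b")


def strip_comments(message: str) -> str:
    """Drop the '#' lines git appends to the message template, so a key in the hint text does not count."""
    return "\n".join(line for line in message.splitlines() if not line.startswith("#"))


def find_issue_keys(message: str) -> List[str]:
    return [f"{project}-{number}" for project, number in ISSUE_KEY.findall(strip_comments(message))]


def check_message(message: str, allowed_projects: Optional[Iterable[str]] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Merge commits are exempt (assumption); every other commit must name an issue."""
    body = strip_comments(message).strip()
    if body.startswith("Merge "):
        return True, "merge commit exempt"
    keys = find_issue_keys(body)
    if not keys:
        return False, "commit message must reference a JIRA issue key (e.g. PROJ-123)"
    if allowed_projects is not None:
        allowed = set(allowed_projects)
        unknown = [k for k in keys if k.split("-")[0] not in allowed]
        if unknown:
            return False, f"unknown project key(s): {', '.join(unknown)}"
    return True, f"references {', '.join(keys)}"


def main(argv: List[str]) -> int:
    # git invokes commit-msg with the path of the file holding the proposed message.
    if len(argv) != 2:
        print("usage: commit-msg <message-file>", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        ok, reason = check_message(fh.read(), allowed_projects={"ENG", "PLAN"})  # assumed project keys
    if not ok:
        print(f"commit rejected: {reason}", file=sys.stderr)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it as `.git/hooks/commit-msg`. A client-side hook is a convenience, not a control: `git commit --no-verify` skips it, so if the audit trail matters the same check belongs in a server-side `pre-receive` or `update` hook as well.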

Production deploys

Deploying code to production requires clear communication and coordination, and our Deploy issue type helps us track this process. Using JIRA to track deploys results in smooth handoffs and transparency for all stakeholders.

A deploy ticket is associated with each Fix Version and carries the same fix version as the other issues in the release. It has its own workflow that facilitates communication as artifacts move through the build and release process. We use issue links to document all sysadmin tasks necessary for a successful deployment.

Most teams plan their work weekly but deliver to production as they complete the work. On some regular cadence – semi-weekly, daily, or more often – the release manager creates a release candidate from all open merge requests. We developed an internal webapp that coordinates across Git (branch management), JIRA (code changes and deploys), Crucible (code review), and Jenkins (build). Status changes to the deploy ticket trigger issue reassignments, promoting smooth handoffs.

This approach provides our teams with the information they need to assess and manage risk for their production releases. The QA analyst can better understand potential regressions that a change may cause. The release manager can have a holistic view of what’s changing and quickly react when issues arise. And small releases make bug investigation more straightforward.

Working in the open

JIRA enables effective, efficient collaboration for our software development and deployment process. We use it to clarify requirements, discuss implementation choices, verify changes, and deploy to production.

Across teams and up and down the organization, our use of JIRA provides transparency into the work that is getting done. By working in the open, we can achieve a shared understanding of plans, progress, and challenges for hundreds of active projects and initiatives.

Do what makes sense for you

Methodology and process only help when they provide repeatable and predictable mechanisms for planning, communication, and delivery. JIRA has helped us establish these mechanisms.

Try to avoid taking a methodology “off the shelf” and implementing it. And don’t depend on tools to solve your problems. Instead, think about how your team needs to plan, communicate, and deliver. Then, define the best process and tools that serve your needs. Iterate on your process as needed. And stay focused on what really matters: success.


Adapted from Jack Humphrey’s presentation at Keep Austin Agile 2014.


Interns Help People Get Jobs

At Indeed, an internship isn’t just a summer job; it’s a full-time experience. We immerse interns into our world of software engineering. Interns experience an exciting company culture and explore all that Austin has to offer. More importantly, we provide challenging projects that allow interns to make their mark at the company (in fact, one of our first interns is now our CTO).

[Image] Indeed interns on a food truck tour at Micklethwait Craft Meats

Our goal is for interns to help people get jobs, have fun, and promote Indeed. To achieve these goals, we start with an engaging, challenging, and well-defined intern project.

Defining an intern project

The choice of project is crucial to a successful internship. We put a lot of effort into defining projects, because we want all our interns to have a successful summer. An ideal intern project is:

Self-contained. If the project depends too much on other projects, those dependencies could slow down the intern’s progress.

Well-defined. The intern doesn’t have to wait on requirements and can get to work right away.

Appropriately scoped. The intern should be able to complete the project in three months.

Fun and flexible. The project allows room for the intern’s creativity.

Before interns start on their projects, mentors introduce them to Indeed tools and processes. Each intern deploys a small, contained code change by the end of their first week. When the code goes live, per Indeed tradition, the intern rings a gong and everyone applauds.

After this training, interns dig into the technical challenges of their projects. Mentors provide continuous advice, introductions, and general support.

The art of mentorship

Our software engineers who volunteer to be mentors are passionate about helping others and growing their own skills. Mentoring develops skills that engineers can leverage in their everyday work. Mentors learn the value of investing time to support others. They learn when to help out and when to take a step back. And they learn how to inspire and motivate.

For example, a mentor customizes the phases of a project to fit an intern’s skills and interests. Mentors listen to interns, assess their work, and give them room to be creative. For some engineers, mentorship provides a leadership opportunity that informs their future career decisions.

Location, location, location

Sometimes, the most enlightening part of the internship isn’t the job or the technology. The Indeed internship program provides a realistic view into the work life of a software engineer. For Indeed interns, this life is set in Austin, a city renowned for live music and food trucks. In Austin, you can find roller derby, chamber music, and everything in between.

Indeed’s University Recruiting team organizes events so interns can get to know the city and each other. Past events included a party barge on Lake Travis, a Segway tour downtown, and go-kart racing. Interns work hard on their projects, and Indeed works hard to make their summer a blast.

[Image] Intern Segway tour of downtown Austin

Case study: One intern’s success story

Tom Werner (University of Iowa) interned at Indeed during the summer of 2015. His project involved building new features that employers could use during the hiring process — features that let employers view interviewer metrics and check interviewer availability.

This project was challenging in several ways. First, Tom was new to the world of front-end web development, but his project required creating an intuitive and simple webapp. Additionally, Tom collaborated with another team to gain access to interviewer data. Finally, he needed to ensure each employer could only access their own data. Implementing this access control required testing and fixing the existing data segmentation infrastructure.

Tom was quick to accept these challenges. As a self-directed and fast learner, he completed the core goals of this project in half of the scheduled time.

Now what?

Tom then had over a month to work on other useful features, based on his interests. He addressed security concerns, and he created admin features for the webapp. Specifically, Tom developed an access control list interface for user permissions. This interface allows designated employer admins to manage their own user permissions. Without this feature, employers would have to contact Indeed to make permission changes.

Tom also improved the interface employers use to manage information about their interview funnel. He added more filtering and configuration options, including creating, editing, and copying funnels. Tom’s work improved usability for employers as well as internal Indeed users.

Demo time

Because of Tom’s excellent work, his mentor asked him to demo his project to a large internal group that included the broader product team, recruiters, and executives. Everyone was impressed by Tom’s contributions to the product.

No limits on success

Tom’s talent and dedication made his internship a great success. Indeed gave him opportunities to showcase his abilities, and he went beyond our expectations. Tom delivered on business needs while bringing his own creativity to the project, a balance to which we always aspire.

Everybody wins

Tom was just one of 27 Austin interns in 2015 who helped Indeed achieve our goals. Another Indeed intern developed a webapp to display international marketing metrics. Xingtong Zhou (University of Michigan), who is now a full-time employee, created the webapp to help marketing analysts identify countries where we need to adjust our marketing investment. With better international data, we are able to make smarter investments in international growth.

Interns bring a fresh perspective that inspires innovation in our products and technologies. They contribute to the vibrancy and energy of our work environment. They return to school and share their experiences, helping us build a great campus reputation and attract the best full-time talent.

The ultimate goal of our internships, however, is to gain full-time Indeed employees. An internship is a lot like a three-month-long job interview, giving interns the unique opportunity to showcase all their skills. And we have the opportunity to give interns a glimpse into just how exciting it can be to work at Indeed. When interns return to Indeed as full-time employees, they have the added benefit of starting a job they already know is the right fit.

The bottom line: when interns have a great experience, Indeed thrives. If you’re interested in an internship at Indeed, please email university-tech-recruiting@indeed.com.
