Security at Great Question: Raising the bar with a bug bounty program

By Ned Dwyer
Published June 18, 2025

From day one, data privacy and security have been non-negotiable values at Great Question. Within three months of founding the company, we completed our first penetration test, and within nine months, we had achieved SOC 2 Type II certification. Just nine months later, we became HIPAA compliant.

Data governance features are built into the very core of our platform:

  • Data obfuscation to ensure users only see what they need to see
  • Data retention controls that let you delete information on your terms
  • Eligibility criteria that prevent the wrong person from being contacted at the wrong time

In addition to annual audits, pen tests, and internal phishing simulations, this quarter we also launched our bug bounty program with the help of the amazing team at HackerOne, a global leader in offensive security trusted by IBM, Salesforce, and Anthropic.

What’s a bug bounty program?

A bug bounty program invites some of the best security researchers on the planet to responsibly identify and disclose potential vulnerabilities—before the bad guys find them. These white-hat hackers proactively test our platform for novel and elusive weaknesses, and we reward them for making it safer. Like a pen test, but continuous and researcher-led.

When a vulnerability is discovered, the researcher submits a report with a severity level so it can be triaged and resolved:

  • Low severity: Access control issues, bug reports (not necessarily security-related)
  • Medium severity: PII leakage, user access to endpoints they shouldn’t have
  • High severity: Risk of account takeover if a user signed into the platform is persuaded by an attacker to click on a link

In the context of UX research, a worst-case scenario might look like:

An attacker steals API tokens from users simply by having them visit a link. With API tokens in hand, they could then delete all research studies from an account or send disturbing emails to customers who have participated in studies, among other malicious actions.

With always-on testing from the largest global community of trusted security researchers, Great Question customers can rest easy knowing their data is, and continues to be, as safe as possible.

What’s next?

This initiative is just one more layer in our commitment to proactive, transparent security practices. We’re proud of what we’ve built, and even more excited about continuing to raise the bar.

If you’re a researcher and want to participate, keep an eye on our HackerOne program. If you’re a customer, know that your data is in increasingly safe hands.

Want to learn more? Book a call with our team.

Ned is the co-founder and CEO of Great Question. He has been a technology entrepreneur for over a decade and after three successful exits, he’s founded his biggest passion project to date, focused on customer research. With Great Question he helps product, design and research teams better understand their customers and build something people want.
