‘More efficient than a pentest and it generates trust’: TeamViewer’s Bug Bounty story so far

October 24, 2024

Bug Bounty often beats pentesting in terms of both the breadth of skills available and the depth of their deployment, according to TeamViewer’s senior project manager for security.

“The program provides us with broad access to talent,” said Michael Gillig in a recent YesWeHack webinar about TeamViewer’s Bug Bounty journey.

In particular, he said he valued how hunters often hyper-specialise in specific technologies, such as certain authentication methods. “They are digging really deep into our products,” he said.

Consequently, when TeamViewer’s first Bug Bounty Program (BBP) went public, “a few things were revealed that were missed by a pentest before. That was partly surprising,” recounted Mr Gillig, who oversees BBPs at TeamViewer, whose remote access/control software has been installed on more than 2.5 billion devices worldwide.

‘Neverending pentest’

Nevertheless, the Germany-headquartered company still does a lot of pentesting. “I would like to shift some capacity away from classic black-box pentesting towards Bug Bounty – and I’m pretty sure I could,” said Mr Gillig, pointing out that a BBP “is like a continuous, never-ending pentest with a large number of resources.”

Given “our software has very high security requirements, because of the special nature of remote-control software,” customers request pentest reports for assurance of cyber resilience, said Mr Gillig.

However, he feels Bug Bounty is gaining more credibility as the testing model becomes more widely understood. “Customers really like that we run a Bug Bounty Program. It generates trust and shows strong commitment to security,” he said. “There is nothing to hide” when you run a public program. “If you discover and report a vulnerability, we will give you a reasonable financial reward.”

Bug Bounty journey so far

TeamViewer, an official global partner of Manchester United, began its YesWeHack partnership in 2021 with the launch of a Vulnerability Disclosure Program (VDP). “You can spin it up in a few hours,” said Mr Gillig. Hunters are recognised for their contributions through a hall of fame and, sometimes, small gifts.

“Our VDP helps us to maintain a high Bitsight Security Rating [TeamViewer is ranked in the top 1% of the tech industry], which is becoming more important to customers and prospects,” said Mr Gillig.

The first private Bug Bounty Program was launched in 2022 and went public in 2024. The rewards – now up to €10,000 – have grown steadily since launch. A second private program is now underway for another product.

Initially very narrow, the public scope now covers the entirety – web domain, desktop clients, Login service, management console and smartphone apps – of TeamViewer Remote, the popular remote control software for IT technicians.

A cautious start

TeamViewer’s first scope was pentested immediately before the BBP launch. “In retrospect, that was unnecessary,” conceded Mr Gillig. “A private program is a kind of pentest,” he said – and a particularly effective one.

“Today, I would not be afraid to start with a less mature scope,” he added, noting that the bug flow could have been kept manageable by inviting fewer hunters and offering smaller rewards at the outset.

And even if the workload had become unmanageable, he added, “you can pause the private program at any time”.

TeamViewer began with 50 hunters and reached around 300 before the first program went public.

Joining Mr Gillig on the webinar, YesWeHack’s Selim Jaafar, TeamViewer’s dedicated customer success manager, said his team helps TeamViewer’s security team (as it does all customers) to invite the right hunters for their requirements, and also advises on “how many hunters should be involved at this time, depending on the scope, challenges, constraints”.

Fine-tuning internal bug-management

TeamViewer only opened its scopes to all registered ethical hackers – numbering tens of thousands – once their internal bug-management processes were sufficiently stress-tested and optimised. “We had working processes and received vulnerability reports from external hunters before Bug Bounty – but not on this scale,” said Mr Gillig.

Fine-tuning the remediation process and improving internal Service Level Agreements (SLAs) were particularly important for eliminating bottlenecks. “When you receive a vulnerability report with a high CVSS score, development teams sometimes need to interrupt their sprints to fulfil the SLAs,” explained Mr Gillig.

Bug Bounty has enhanced handling and communication – both internal and external – of TeamViewer security vulnerabilities from all sources, said the security project manager. He also said becoming a CVE Numbering Authority (CNA) in 2021 had facilitated these improvements.

“Amazing support from YesWeHack” helped too. “Really helpful, direct communication,” added Mr Gillig, who said their customer success manager was always available for a call when needed to discuss any issues and answer their questions, even the “stupid” ones they asked early on, he added jokingly.

Value of triage

Previously averaging six a month, the number of reports “exploded” once the first program went public, vindicating the extensive preparation. Yet it still took the TeamViewer security team by some surprise. “We prepared a lot, but we didn’t expect that, to be honest,” Mr Gillig recalled. By reallocating resources internally, the team soon brought the backlog of reports down to a more manageable level.

Thankfully, by Mr Gillig’s estimate, YesWeHack’s in-house triage team filters out around 30% of reports, whether as duplicates, out-of-scope submissions, or reports missing a Proof of Concept (PoC) or other key information.

“That is the big value of the triage team: we don’t do anything that is not worth our time to look into,” said Mr Gillig. “And the reports come to us with valuable information added by the triage team during their assessment.”

It helps that “these guys really know our products,” he added. “We gave them subscriptions so they can look deep into the product without limits.”

‘Determining CVSS is not always easy’

At first TeamViewer prioritised findings based solely on the CVSS score, but it now also takes other variables into account. Mr Gillig said the triage service helpfully corrects the CVSS when hunters inadvertently overestimate or underestimate the severity, although TeamViewer retains the final say on the score.

“Determining the CVSS is not always easy” and is a matter of interpretation, he said. “There are always discussions, with the hunter but also internally.” Given these challenges and the importance of severity, he recommends that anyone launching a BBP should “train your people in how to determine a CVSS”.

Securing more TeamViewer assets

TeamViewer is planning to add new private programs given the success of its YesWeHack partnership so far. “Bug Bounty has made our products more secure and resilient – that’s a fact,” said Mr Gillig.

TeamViewer will soon be launching a private program for TeamViewer Tensor, a cloud-based remote connectivity solution for PCs, phones, headless devices, OT machinery and embedded platforms.

‘Don’t be scared’

“What I like the most about Bug Bounty: It is a much larger scope and often more efficient than pentesting,” concluded Mr Gillig in wrapping up the webinar. “It also generates less management overhead.”

As for certain perceived ‘risks’ of Bug Bounty, Mr Jaafar reminded attendees that internet-facing applications are, by definition, open to attack. “So you don’t take more risks by inviting people to hunt with a mandate, with rules, after background checks, to test it within a more secure framework,” he said. He also pointed out that clients can “set limitations depending on the nature of the asset,” such as on the tools or number of requests permitted.

Mr Gillig agreed that Bug Bounty is a low-risk undertaking: “My advice is don’t be scared, just do it – it will benefit you in many ways, you can be sure of that.”

Check out TeamViewer’s public Bug Bounty Program for further details on rules, rewards and scopes.

Want to learn more about the YesWeHack Bug Bounty & Vulnerability Management platform? Contact our team to schedule a demo with one of our experts.