TikTok's Global Security Organization (GSO) serves as the foundation of our efforts to keep TikTok safe, secure and operating at scale for over 1 billion people around the world. As a global team, GSO has offices in places like New York, Washington DC, Dublin, San Jose, and Singapore. The team focuses on issues like cybersecurity, data protection, incident response, and certifying compliance with global regulations wherever TikTok operates.
Another major role that GSO plays is to constantly monitor TikTok's apps, systems, and APIs to find vulnerabilities that could be exploited by bad actors and potentially harm TikTok or our community. The team in charge, known as Vulnerability Management (VM), receives reports on these potential issues from a variety of sources, triages the findings, and then works with the appropriate product teams to remediate them as quickly as possible in order to keep our community safe.
Suhana Hyder, who leads the team, explains their work simply, "I always feel like we're superheroes. We're trying to find issues and get them fixed before they can impact the platform or our users. It's a very exciting feeling."
TikTok's own security superheroes receive vulnerability reports from a variety of sources, like internal and external penetration testing teams. For the past four years, they have also worked with HackerOne, a trusted partner company that provides security researchers or ethical hackers with a platform to report vulnerabilities to companies like TikTok. These researchers receive bounties for valid "bugs" they find in our systems.
In late July and early August of 2024, the VM team held a Live Hacking Event through HackerOne, following up on a similar effort last year as part of the Ambassador World Cup. During this two-week event, TikTok's bug bounties were increased, the scope of work was narrowed, and 50 of the world's top ethical hackers from 29 countries probed our systems to help us find and patch vulnerabilities. Of over 300 reports that were submitted, more than 100 were valid vulnerabilities, and we awarded a total of $721,695 in bounties to the researchers who helped us keep the TikTok platform safe.
Zhaohong Liu from the VM team described the live hacking event, "This was such a great activity. We were very happy to engage with these top-level hackers in person. We saw so many high-quality reports, even more so than we see in our main bug bounty program. We also received a lot of valuable support and collaboration from cross-functional teams to make this event possible."
Due to the increased volume of reports and the shortened timeline, VM worked with other internal teams like TikTok Security Assurance, Singapore Security Assurance, and the Global Security Organization's Attack Surface Management team, which together triaged about 50% of the reports that came in during the live hacking event.
Highlighting the cross-functional collaboration, Suhana Hyder said, "We could not have done this without them. This live hacking event yielded so many valid reports, and that level of triaging required us to be available 24 hours a day, five days a week. Security is a team sport, and we're grateful for the collaboration."
The vulnerabilities found and patched through this effort help to protect not only the TikTok platform, but also its global community. Singapore technical team lead Ethan Liu put it plainly, "Knowing that we patched another loophole, another vulnerability that could have impacted our platform is the most rewarding part of our job. I love knowing that we fix problems before bad actors can use them to hack our systems. I love knowing that we're contributing not only to the company, but also to the entire TikTok community. The work we do is keeping them safe."
If you're interested in helping to keep the TikTok platform and its community secure, explore the open roles in security today.