By Anna Hammond
November 9, 2021
“Having a bug bounty program closely aligns to our values. It shows we want to be open about security. We also want to use the wisdom of the crowd to get as much feedback as possible.”
Cake’s experiences with bug bounty.
The free and independent banking app, Cake, allows its users to connect all their bank accounts in one central place, get a clear overview of their transactions, and receive automated insights into their spending habits. It also makes bank accounts profitable again by giving users the opportunity to earn cashback on purchases.
Cake’s commercial model openly uses its user data to create reports and statistics about what consumers are spending on, which they then sell to companies. Privacy is a big selling point for the app: “Privacy and security are the basis of everything we do.” User data is anonymised and aggregated.
Building a financial service or product comes with operational and security risks, and Cake is no exception. The banking app has access to around 140,000 bank accounts, through which it has processed more than 150 million transactions with a total monetary value of €36 billion.
Cake’s Co-founder and Head of Engineering, Pieter Schelfhout, explains the importance of security within a banking app:
We have access to very sensitive information, so the security and privacy of our users’ data are important to us. When you build something in the financial sector, you want to make sure that what you build is built securely.
For these reasons, Pieter was keen to encourage researchers to continuously try to hack Cake’s systems and expose the vulnerabilities that his team might miss.
After some research, he decided to launch a set of bug bounty programs on the Intigriti platform. Like Cake, Intigriti is a Belgian startup with big ambitions, and Pieter was also keen to work with a company that offered flexibility in how the security testing was set up.
Cake’s first program on Intigriti is public and focuses on its consumer-facing app. Security researchers (ethical hackers) on the platform can report issues continuously, meaning Pieter’s team always has the latest insights into the app’s security posture.
Cake also runs a private program through Intigriti, which focuses on the app’s back-end applications. A select few security researchers contribute to this program; it began with those researchers being given login credentials so that they could safely test for security vulnerabilities.
The programs have successfully given Pieter’s team greater visibility over the app’s attack surface:
One of the biggest advantages of using a bug bounty program and relying on a community of ethical hackers is the many different perspectives you get on your application. Our bug bounty programs have been a real success and we’ve been able to find several issues that we were able to fix quickly, thanks to Intigriti.
Pieter also explains why he is satisfied with the interaction his team gets on the platform and from the community testing their applications:
You can tell that you’re working with a series of passionate ethical hackers. They will write very detailed reports about their findings. Our team then works with the hacker to mend the issue on our end, and the hacker will test the issue again once we’ve resolved it.
Cake’s vision is to develop more tools that help its users improve their financial savviness. As part of the roadmap to achieve this goal, transparency and openness towards its users are vital. Pieter explains how the bug bounty program is a key part of this journey:
Having a bug bounty program closely aligns to our values. It shows we don’t just want to do security; we want to be open about security and try to use the wisdom of the crowd to get as much feedback as possible.
Intrigued by what you have read? Want to know more about bug bounty programs? Get in touch to request a demo with a member of our team today.