Segment receives billions of events every day from thousands of customers that trust Segment to keep their data safe. At Segment, we believe that good security is an essential part of building high-quality software, similar to reliability or scalability. In addition to the tools and processes developed by our Security Org to help software engineers make good security choices, we also rely on reviews from both traditional and crowdsourced security companies.

Bug bounties are often seen as a significant burden for the security teams that run them. You’ll hear horror stories about companies launching a bug bounty, their security team getting inundated with low-quality reports, duplicate submissions, and researchers going outside the scope of the program.

Shortly after, you'll hear about their engineering team being overwhelmed with newly discovered vulnerabilities to fix. From those that survive the opening salvo, you may hear complaints that, over time, they have stopped receiving impactful submissions.

A few years ago, when the space was less mature, critics questioned whether running a program was worth it. Now, it is expected that organizations of a certain size and maturity run a bug bounty program.

In late 2019, the Cybersecurity and Infrastructure Security Agency (CISA) of the United States published a draft directive recommending all agencies develop a mechanism to accept information related to security vulnerabilities from external parties.

In this blog post, we’ll break down how to start and manage a bug bounty program, consistently achieve good results, and maintain healthy relationships with the people that power the program.

If you’re short on time, check out the “Top Tips” section at the bottom of this post.

What’s a bug bounty?

A bug bounty program is like a Wanted Poster for security vulnerabilities. 

Companies running bug bounty programs pay independent security researchers from across the world for security vulnerabilities in their own products and infrastructure.

https://scottschober.com/bug-bounties-created-equal/

Bug bounty programs are run by hundreds of organizations, including Mozilla, Fiat Chrysler, the U.S. Department of Defense, and Segment.

Why bug bounty?

I assume most readers are already bought into the benefits of running a bug bounty.

If you’re on the fence, there are tons of independent articles, marketing docs from companies like HackerOne and Bugcrowd, and recorded conference talks, so I’m not going to cover this in detail. 

Most companies that have an internet presence or make an internet-connected device should consider running a bounty, or at least have a way for security researchers to report security issues.

It is also part of the Vendor Security Alliance questionnaire, so it may be something your customers ask you about if you are in the B2B space. 

If you don’t have a way for researchers to report issues, they will email people at your company (or any alias they can find on your website), connect with you on LinkedIn, or just tweet about the issues they think they’ve found.

It’s a much better experience for researchers, your employees, and your customers if you give the security community a clear avenue to report vulnerabilities.

Your security and engineering orgs will be regularly impressed by the creativity of the researcher community. These are people that, without internal knowledge, can find critical vulnerabilities in organizations across the world. 

Why use a bug bounty platform?

I strongly recommend using a bug bounty platform like HackerOne or Bugcrowd (we use Bugcrowd here at Segment) to help manage this process. These companies provide a platform and services to help run an efficient program.

Severity baselines

Severity baselines make it easier to tell how serious a vulnerability is, and how much time you should be spending on review and remediation.

When running a program on your own, you’ll frequently have researchers overhyping vulnerabilities. Platforms have a guided submission form, which helps researchers pick the appropriate category and rating.

Reputation system

The reputation systems reward researchers that accurately rank vulnerabilities and creates a competitive environment that benefits both researchers and program owners.

It also helps reinforce good behavior. Any researcher discipline issues have stricter consequences. If a researcher misbehaves, they may be banned from the platform. 

Disclosure agreements

To submit vulnerabilities via these platforms, researchers have to agree not to disclose the vulnerability without approval from your company.

Triage services

Both platforms also provide triage services, which I highly recommend paying for. These are the first line of defense for your internal security resources. These globally distributed teams will help clean up researcher reports, mark submissions as duplicates, and filter out low-quality reports.

Management services

These companies also serve as a knowledge base for you to learn about running a program and ask questions. You can bounce ideas off of someone that works at a company running hundreds of programs.

Integrations

Platforms have structured input with required fields and integrations with popular tools, like Jira. These make it much easier to turn a submission into a ticket for your engineering org.

Private programs

For most companies, it isn’t possible to run a private program without the help of a bug bounty platform.

We’ll talk about private programs in more depth later, but this is the recommended starting point for companies launching a bug bounty for the first time.

All of the above features free your team to focus on the security challenges unique to your business.

Laying the groundwork

Having a successful program starts with a good foundation, and it’s your job as a program owner to help set your organization up for success.

Vulnerability management

Think about your current process for handling a security vulnerability. What happens when someone internally or externally finds a security bug?

You will inevitably get more of these after starting a bug bounty program, so you must have a good way to handle these reports.

Your vulnerability process doesn’t have to be perfect, but you should have a way to prioritize and assign bug reports to the appropriate engineering team without high overhead.

Engineering buy-in

As someone starting a program, you’ll also need to get buy-in from your Engineering org. They are the ones that will have to fix the issues and will likely be the ones responding to alerts triggered by researchers.

Your alerting story doesn’t need to be perfect. But you also don’t want engineers to be woken up every time someone triggers an error because some input validation was working correctly and stopped a researcher from submitting a < symbol into an email address field.

Remember, your team doesn't have to fix every valid vulnerability immediately.

Vulnerabilities are just bugs and should be prioritized appropriately. If you’re having trouble getting your engineering org to fix critical vulnerabilities in a timely manner, you may want to direct your efforts to job-hunting instead of starting a bug bounty program 🙃

Getting started

Once your organization is bought-in, you can focus on getting things ready for the researchers.

Bounty Brief

Your bounty brief is what researchers will read to determine if they’re interested in working on your program. It’s part instructions, part rules, and part advertisement.

Keep in mind you’re competing for researchers’ time; they don’t have to work on your program when there are so many other programs.

Your bounty brief should be clear, concise, and should set expectations with the researchers. You can find the Segment program hosted on Bugcrowd.

Scope

Where do you want researchers to focus their testing? What’s in scope? What’s out of scope?

I recommend starting with assets that are easy for the researchers to access, ideally something free, that anyone can sign up for.

You should also try to pick a target that has at least medium size, complexity, and business impact. This will help you show value early, which will help you expand the program. 

Access

How do researchers get access to the scope? Are there docs they can read to help them get up to speed? We instruct researchers to sign up for our app using their @bugcrowdninja.com email address and to include -bugcrowdninja as part of their workspace slug. 

This makes it easier for us to determine if someone is part of our Bugcrowd program when we review logs and alerts. If we notice someone causing problems in our app, we can ask Bugcrowd to provide researcher coaching.

Severity

How are you going to rate submissions? Consistent severity is important because it impacts how much the researcher gets paid for a submission. HackerOne uses Mitre’s Common Weakness Enumeration (CWE) and Bugcrowd uses the Bugcrowd Vulnerability Rating Taxonomy (VRT).

Rewards

How much are you going to pay for vulnerabilities? Researchers need to know upfront how much you’ll pay for vulnerabilities so they can assess if it is worth their time to hunt on your program. 

Think about using different reward ranges for different assets. This can help control costs and also helps researchers understand which targets are more important. For example, we describe specific objects that will net a higher reward:

https://bugcrowd.com/segment

Swag

A handful of years ago, getting a T-shirt as a reward was pretty standard. I’d strongly encourage anyone thinking about running a swag-based bounty to reconsider.

T-shirts don’t pay rent and are more work for your team than sending a researcher money. What do you do when that T-shirt you sent to another continent is lost in the mail or doesn’t fit?

We reserve swag for our top performers. Sending a T-shirt requires the researcher to trust us enough to give us their address and requires me to go to the post office.

Safe harbor

Researchers want to know that they’ll be safe from prosecution when operating within the rules of your program. Check out disclose.io for more info.

Researchers want to know that they’ll be safe from legal action and exempt from your end-user license agreement(EULA) when operating within the rules of your bounty brief.

Take the time to explain what a bug bounty is, why it's important, and have a few examples from recognizable organizations ready to show them.

Understand the platform

Learn a little bit about the platform you’re using. Your actions on the platform impact the researcher. If you mistreat researchers, they will go elsewhere; without researchers, your program isn’t providing value to your organization. 

The same report status can have different meanings and impact on different platforms.

For example, on HackerOne Not Applicable reduces the researcher’s site-wide score by 5 points, and should be used for reports that don’t contain a valid issue.

On Bugcrowd, Not Applicable does not impact the researcher’s score, and is commonly used for reports that should neither be accepted or rejected. To achieve this result on HackerOne, you would use the Informative status.

If you have any questions about the platform you’re using, I strongly recommend reviewing documentation or reaching out to your account manager for help.

Start Small

Regardless of how big your company’s internet footprint is, you can start with a small scope open only to a handful of individuals as part of a private program.

In mid-2017, Segment was running a private program with 25 researchers and a single target: our app.

The early researchers invited will be some of the platform’s most trusted, and they will generally be more accepting of companies that are learning how to manage a program, as long as you pay them fairly and treat them with respect.

Starting small allows your organization to learn how to run a program in a safer environment. If your vulnerability management program has some gaps, you can fix them; if your bounty brief is unclear, you can rewrite it; if your alerts aren’t tuned properly, you can invest time into improving them. If you need to pause your program, you can relaunch later with a less negative impact.

Even while we had a private program, we would direct researchers that reached out via email to our Bugcrowd program. This allowed us to receive the benefits of the platform and triage services for all submissions before running a public program.

It’s much easier to explain to a researcher why you won’t be paying for a low-effort submission when you have a prioritization system established and enforced by a third party.

Growth over time

Like any multi-year project, your bug bounty will evolve and require ongoing effort to keep it healthy.

Additional scope and researchers

Researchers love testing new features and assets; in most bug bounty programs, only the first person to find a vulnerability receives a monetary reward.

If you started with a small scope, your program is steady, and you’re ready for more submissions, this is a great time to add more targets to your brief. 

As you add scope, keep in mind that not all assets are of equal value to an adversary. It is encouraged to specify different reward ranges for different assets based on their security maturity and value.

Open scope

Over time, you should also consider an “open scope” bounty if it is appropriate for your organization. We have listed as a target, Any host/web property verified to be owned by Segment (domains/IP space/etc.), which serves as a catch-all for anything not explicitly listed in our “In Scope” or “Out of Scope” sections.

Having an open scope bounty is enticing to researchers. Not only does it show you take running a bug bounty program seriously. It also shows that regardless of where they find a vulnerability, it will likely be rewarded (assuming it is valid, unique, and not out of scope).

Many researchers specialize in finding forgotten internet-facing assets as part of open-scope programs, and have developed their own infrastructure to identify assets and vulnerabilities to be able to efficiently earn rewards.

It’s also worth noting that there is no scope for an attacker trying to compromise your company’s security. Working towards an open scope means that it is more likely a bug bounty researcher will find and report a vulnerability before an attacker exploits it.

Early access

Over time, you’ll build trust and form relationships with particular researchers. These are great people to give early access to upcoming features. Many times, these features require manual provisioning, making them less suitable for wide-scale testing.

Early access is a mutually beneficial system in which you will receive security vulnerabilities prior to release, which makes them easier to fix. Researchers will be able to test features with less competition, which makes them more likely to earn a reward and continue testing on your program.

If the effort to set up these features is medium or higher, consider paying the researcher a grant before they start working.

Clearly communicate what you're looking for and what you expect from them. When offering a researcher grant, we want to see a short write-up of what didn't work in addition to any findings they submit. Rewardable findings should be paid in addition to the grant.

Public program

Once you’ve been running a program for a while and are confident in your company’s ability to receive vulnerabilities from the global researcher community, you should consider evolving it into a public program. 

If you don’t have a wide scope, this is a great time to revisit that decision.

Maximizing your scope (while private) will reduce the uptick in submissions when your program is launched publicly. You should also invite as many researchers as possible to your private program before going public for the same reason.

Because public programs are open to anyone, you will inevitably receive testing from a lot of newer folks that will pay less attention to your bounty brief, so having a wide scope helps in this regard as well.

Segment has run a public bug bounty program since late 2018, roughly 18 months after launching our private program.

Train your triagers

Hopefully over time, you will think of your outsourced triage team as an extension of your internal team. Spending the time to let them know how you want your program run will pay dividends in the future. Any submission they can validate without asking your team questions saves time for everyone involved.

Here are some examples of guidance we’ve given to the Bugcrowd triage team:

Identify duplicates for non-rewardable submissions

Many programs do not bother to mark informational, out of scope, or other non-rewardable submissions as duplicates. We do this for two reasons: 

The first is that if we decide to fix one of these issues later, we can go back and mark the original submission as resolved and pay the researcher. Any duplicates of this issue will still receive points. 

The second is that when there is a false positive identified by a tool commonly used by bug bounty hunters, you will get this submitted to your program a lot.

If we repeatedly see an out-of-scope or not reproducible submission, we can add a specific item in our bounty brief to warn researchers; it will be marked as out-of-scope or not reproducible without a working proof of concept.

Don’t be afraid to deduct points for undesired behavior

While we are generally laid-back and understanding program owners, we aren’t afraid to deduct points from a researcher’s score for when it’s warranted.

Many programs shy away from deducting points, but we want to ensure participants in our program thoroughly read our brief and think that it helps the larger bug bounty community to slightly penalize those that disregard clearly documented rules. 

Two of the common arguments against bug bounty programs is that the submissions are often low-value and that researchers don’t respect scope.

For example, we have a very small out-of-scope section, which includes: CORS or crossdomain.xml issues on api.segment.io without proof of concept.

This is identified by a tool commonly used by bug bounty participants is a finding we have received dozens of times, but never with any impact.

We do this to save time for both researchers and our triage team. If a researcher submits this finding without a proof of concept, we encourage Bugcrowd to mark this as out-of-scope. If a researcher submits a finding that showed impact, we would be more than happy to reward, fix, and update our brief.

Explain deviations in ratings

If you need to deviate from the baseline rating established in your bounty brief, take the time to explain to the researcher why the rating and reward are higher or lower than they might expect. 

Researchers are generally understanding, as long as your rating, reward, and explanation are fair and make sense. If you find yourself commonly deviating from the ratings, it may be time to make changes to your bounty brief so that researchers know what to expect in advance. If you make severity or scope changes as the result of a submission, reward the researcher at whichever rate is more favorable to them.

In addition to explaining why something was rated lower than the baseline, take the time to explain why something was rated higher than the baseline. This is a great way to encourage further testing in these areas and is a great way to build trust with a researcher.

These explanations also help your triage team learn more about your program, and allow them to more accurately triage future submissions.

Build and maintain good relationships with researchers

Take time to build relationships and trust with researchers, especially those that repeatedly submit to your program. Treat researchers fairly, with respect, and consider paying for anything that brings value to your organization.

You’re competing for a researcher’s time, especially the ones that are the most talented. They can likely work on almost any bug bounty program available; think about ways you can encourage them to work on yours.

Keep in mind that all researchers, even those that are unskilled, are human beings. Assume that they want to help you secure your organization, learn more about security and technology, and get paid.

Pay for anything that brings value

If there is one sentence you remember from this blog, I hope it is “pay for anything that brings value.” 

Bug bounty hunters put in a lot of time and effort that doesn’t result in getting paid. This could be time spent developing tooling, hunting without finding any bugs, or having a valid bug marked as a duplicate.

Try to avoid thinking about individual bug costs. Instead, think about the overall value the program brings to your organization in terms of bugs found, time saved, and peace of mind. If you’re debating between two severities, pick the higher one and pay the researcher at that rate. You can always change the severity in your internal ticketing system later.

Once you’ve received a rewardable submission, try to triage and pay quickly. Sometimes determining the full impact takes time; if this is the case, add a comment letting the researcher know you appreciate their work but need some extra time to determine the appropriate reward.

Work collaboratively with the researcher

As an employee of your company, you should know more about the codebase and infrastructure than a security researcher outside your organization (although occasionally I question this based on the creative and impactful submissions we receive 😅). 

Sometimes when running a bug bounty program, you’ll get a submission that makes you think, “What’s the next level the researcher could get to?” If this is a researcher you trust, it may be appropriate to give them some hints to help further their testing. If you give them hints, you can also issue some cautionary advice to help them continue in a way that is safe for your organization and customers. 

Giving the researcher hints helps show them you value their testing and saves your team from spending time on something that may not be possible. If the hint is helpful, the researcher will be submitting a higher-severity finding, which positively impacts their researcher score and earns a higher monetary reward. It also allows you to get the vulnerability fixed faster due to the higher severity.

Sometimes, it isn’t appropriate to include the researcher in this phase of the process. If our team continues the investigation, and it leads to the discovery of a higher-impact weakness in our systems, we reward the researcher as if their report contained the full impact. We also explain why we paid them at this higher rate, but let them know we are unable to share the details. This is a great way to show the researcher you value their work and build trust.

Share progress with the researcher

If a researcher submits a vulnerability that leads to a systemic fix for a vulnerability class, share this with them! Researchers are generally excited to hear that their work led to meaningful change within your organization. It also is a cue for them to attempt to bypass the new protections. 

Pay for Dupes

At Segment, we commonly pay researchers for well-written duplicates, and frequently reach out to let them know that we appreciated their submission. We also let them know that we don’t always pay for duplicates to make sure that expectations are set appropriately. 

This has worked out incredibly well for us. All of our most critical submissions have come from researchers that were originally rewarded for a well-written duplicate. Segment is a complex product that takes time to set up and fully understand. Researchers that put in the effort to fully set up a Segment workspace have additional context and understanding that take time to acquire—these people are hard to replace, and you want to keep them happy.

Pay bonuses for well-written reports

We also pay extra for well-written reports. Valid submissions need to get turned into Jira tickets which are assigned to engineering teams. Reports that are concise, easy to follow, have clear impact, and are well-formatted take less time for us to turn into tickets. We want to encourage researchers to save us time so we make sure to reward appropriately and let them know that we appreciate their efforts.

Final thoughts

Running a successful bug bounty program requires consistent effort from your team, but can bring tremendous value to your company and customers. Any vulnerability reported and fixed is one fewer vulnerability an attacker could use to get a foothold in your organization. Bug bounty submissions can help illuminate vulnerability trends, which can help prioritize where you spend resources to fix systemic issues in your applications or infrastructure.

Bug bounty programs are people-powered. Spend the time to make those involved in your program feel valued, help them understand the motivations behind your decisions, and be excellent to each other!

Top tips

Thanks for taking the time to read my post! I hope you learned a few things to help your company run a successful program. Here are some of my top tips to reference later:

• Pay for anything that brings value

• Pay extra for well-written reports, even if they’re dupes

• Avoid thinking about individual bug costs

• Reward quickly

• Partner with a bug bounty platform and pay for triage services

• If you make changes to your bounty brief as the result of a submission, reward the researcher at the more favorable rate

• Invest time into building and maintaining relationships with your researchers and triage team

• Don’t be afraid to deduct points for bad behavior

• Start small and partner early with Engineering

• Write a clear and concise bounty brief to set expectations with the researchers

Thank you! 💚💙

A special thanks to the Segment Engineering organization for fixing vulnerabilities and responding to alerts.

To Edis from Bugcrowd for helping us triage three years of vulnerabilities and truly being an extension of our team.

To all the researchers that have helped keep our customers safe by looking for vulnerabilities as part of our program.

And finally, to researchers danieloizo and sheddow, you have both submitted numerous well-written and high impact findings and are an absolute pleasure to work with.

There are a number of solid email service providers to choose from. How do you decide which is the best for your team, user base, and budget? This lesson will give you insight into the vendor landscape and walk through some key considerations when it comes to selecting an email tool.

News about email’s death has been greatly exaggerated. Yes, email is one of the oldest digital marketing channels (the first email blast was in 1978!), but the email service provider (ESP) landscape still has a lot of innovation to offer.

Maybe you’ve pulled together enough user emails for your list that personalizing your messages via Gmail isn’t cutting it anymore. Or, you’ve been in the email-slinging game for a while, and you're ready to upgrade your solution. Either way, congrats on hitting your email milestone; you've come to the right place to understand the next steps you should take.

How email has changed in the last decade

In the last 48 years, email marketing grew from a cheeky stunt in the ’70s to a bona fide fledgling industry in the ’90s to the massive ESP industry we know today. The last 10 years, in particular, have been eventful, and the major trends are important to take into account.

• Larger vendors have cemented their grip. Overall, the major consolidation moves happened a while ago; now, the big players like Oracle, Salesforce, and Adobe dominate.

• • Oracle bought Eloqua in 2012.

  • Salesforce bought ExactTarget in 2013.

  • Adobe bought Marketo in 2018.

• Email tools offer less specialization in exchange for broader appeal. Email service providers for small businesses, like Campaign Monitor, have added pricing options for larger businesses. At the same time, others that were highly specialized, like SendGrid that was focused on transactional auto-response emails, now have more mainstream features.

• Up-and-comers shaking up the market. Technology outside of the ESP realm threatens to change how the end consumer interacts with their email. For instance, HEY, a new email provider, is looking to filter out unwanted emails, while Front wants to corner the customer communication market.

Yes, email is still a big deal

As we mentioned above, there have long been bold predictions that email might die. Five years ago, John Brandon at Inc. predicted by 2020 it would be time to “stick a fork in your email.”

Of course, that hasn’t happened. But email still has a bad reputation as being a spammy, unhelpful marketing channel. While that can be the case in specific circumstances, it’s just not true in the aggregate.

Two shining examples of why email is a viable communication channel include:

• The rise of Substack, proving that people still read email if it’s valuable and relevant to them. In fact, the Washington Post says that “More than 100,000 people pay to subscribe to writers.” People still read email—and they enjoy it.

• According to HubSpot, throughout 2019, marketers saw an overall 78% increase in engagement. In general, people find email a helpful and necessary part of their daily routine.

Considerations for choosing an email service provider

1. Size of contact list

In this lesson, we'll share which ESPs are best suited for various contact list sizes—ranging from smaller ESPs for small and medium-sized businesses (like Mailchimp) to massive enterprise ESPs (like Salesforce). The size of the email contact list usually coincides with the number of features the ESP has. Tools that can handle large lists are usually very sophisticated with complex drip-nurture and trigger-based logic, while smaller tools may focus on user-friendliness.

2. B2B vs. B2C

Besides the size of the contact lists, the other big differentiator is the ESP’s target audience. B2B-focused ESPs tend to center on lead nurturing, while B2C-focused ESPs put an emphasis on events, sales, announcements, and more.

3. Cost and ease of use

Naturally, it's also prudent to look at the cost of the ESP, as well as how much time your team will need to invest in learning all the bells and whistles. As mentioned above, Mailchimp is known for user-friendliness but lacks deep trigger-based logic. Salesforce's Pardot, on the other hand, is much more technically advanced but requires some HTML knowledge to design the emails exactly how you want them.

4. Integration within your tech stack

Look for an ESP that plays nicely with the tools you already use. In particular, pay attention to how well it integrates with your customer relationship management platform (CRM). This is such an important factor that CRMs and ESPs are often blended together into one product, like HubSpot and Braze.

Top email service providers

Twilio SendGrid

Like Segment, SendGrid is a subsidiary of Twilio and is one of the most trusted platforms for transactional email and email marketing.

Two of the biggest benefits of SendGrid are deliverability and scale. Their deliverability features (domain authentication, proactive ISP outreach, etc) help businesses record an open rate improvement of over 6 percentage points. This can also be performed at significant scale. The SendGrid platform sends 70 billion emails every month with 99.999% uptime so you can rest assured your email will reach your recipients.

Top features:

• Purpose build Mail Transfer Agent that can scale to billions of emails

• Powerful email marketing automation via SendGrid Automations

• Artificial intelligence that continually adapts to changing ISP rules

• Multi-channel messaging (SMS, MMS, WhatsApp, and chat) via the Twilio platform

SendGrid is great for:

• Developers and marketers

• Promotional and transactional email

• High volume senders - reliable email delivery at scale

Braze

Braze (formerly Appboy) first established itself as a mobile-first CRM with powerful text and push-messaging features. With recent enhancements to its email marketing functionality and the addition of a visual journey builder, Braze has become a lifecycle engagement platform with an emphasis on highly personalized, targeted customer messaging across many channels.

Top features:

• Push and SMS notifications

• Visual customer journey builder called Braze Canvas

• Automated multi-channel messaging

• Strong customer support

Braze is great for:

• Marketers using push notifications and email

• Mid-market to enterprise businesses of any industry, but Braze is especially useful for push-centric B2C brands

• Contact lists of any size

Customer.io

Customer.io is a data-driven marketing platform for newsletter creation, transactional emails, SMS notifications, and customer profile-triggered messaging. Its focus is to provide a flexible and easy-to-implement solution for data-driven startups and SMBs.

Top features:

• Flexible customer behavioral data mapping

• Integration with Shopify's open-source Liquid logic

• Sophisticated activation and retention-oriented email campaigns from real-time triggers on customer behaviors

• Orients around the user and how they've interacted with sent messages

Customer.io is great for:

• Marketers looking to implement a seamless plug-and-play tool for customer messaging

• Ecommerce SMBs and startups

• Contact lists of any size

Drip

Drip is an email marketing automation platform well suited for B2B marketers. The visual campaign builder offers customizable triggers, actions, and integrations to create automated campaigns based on customer behavior.

Top features:

• Ease-of-use

• Workflow builder

• Can resend emails with a different subject line to users who didn't initially open

• Integration with Shopify, WooComerce, and Magento for a unified ecommerce experience

Drip is great for:

• Marketers looking for advanced marketing automation with a lean team

• SMBs and startups of any industry, but particularly those focused on ecommerce

• Relatively small contact lists to mid-sized lists

HubSpot

More than just an email service provider, Hubspot is a full-blown CRM that also helps manage social media, lead generation, and content. As the original and self-proclaimed "Inbound Marketing Platform," HubSpot helps marketers both create demand through content and nurture leads through email campaigns. HubSpot is known for being easy to use and navigate and, as such, is appropriate for large and small businesses alike. However, the pricing model is dependent on the total number of contacts in your database, so it becomes cost-prohibitive for very large-scale businesses.

Top features:

• Many built-in API integrations

• Visibility across additional touchpoints on social media platforms

• Lead-generation identification capabilities

• Integration with inbound marketing and demand-generation processes

HubSpot is great for:

• Marketers looking for a full suite of marketing automation solutions and tools for inbound marketing

• B2B and B2C companies of any size, but HubSpot can become cost-prohibitive for large B2C lists

• Contact lists of more than 25K

Iterable

Iterable is a multi-channel customer engagement and marketing automation platform. It focuses on offering less-technically savvy marketers access to intuitive yet powerful drag-and-drop automation flows, dynamic personalization, and segmentation features that would typically require more in-depth engineering support and resources.

Top features:

• Ease of use

• Multivariate testing

• Omnichannel campaigns

• Deep personalization capabilities

Iterable is great for:

• Marketers looking to unlock multi-channel marketing automation with minimal engineering support

• Mid-sized B2C companies, though B2B companies might find use for Iterable

• Contact lists of more than 100K

Mailchimp

Mailchimp is a fan favorite for many startups with small marketing teams. Not only is it quick to get up and running, but the templates are intuitive and straightforward to navigate, too. Though it still lacks some features, such as allowing the creation of automated A/B split tests into subject lines, it has recently added new functionality along with its rebrand.

Top features:

• Quick to set up

• Easy to use

• Built-in design templates

• Doesn't require a developer or designer

Mailchimp is great for:

• Marketing teams looking to deploy an easy-to-use email marketing tool

• Small to mid-sized businesses of any industry

• Contact lists of more than 100+

Marketo

Often thought of as the 10,000-pound gorilla in the email marketing automation space, Marketo became an early market leader for multi-campaign email management. However, more functionality means a higher price tag and sophisticated users to operate it. Marketo is great for mid-market to enterprise-level B2B customers already on the Adobe suite. It might not be appropriate for very small businesses due to the cost or the advanced skill level and training required to operate it. That said, we are a fan—Marketo is what we use here internally at Segment.

Top features:

• Deep Salesforce integration for advanced lead scoring

• Easy-to-use user interface and templates

• High level of functionality and integrations

• Tried-and-true name brand

• Ability to manage sensitive lists requiring privacy in the financial or healthcare spaces

Marketo is great for:

• Marketing teams looking to automate email marketing and integrate with CRMs

• B2B companies of any size but must be spending at least $3-$5M per year in marketing

• Contact lists of more than 100K

Salesforce Marketing Cloud

Salesforce Marketing Cloud is a powerful CRM and marketing automation platform with ESP capabilities designed with the enterprise in mind. The ESP portions were created with the acquisitions of ExactTarget (for B2C) and Pardot (for B2B). It’s a big investment that will require some work to get set up, but once Salesforce is up and running to your specifications, it can be very powerful.

Top features:

• Very comprehensive

• Automation and routing

• Great for companies that can deploy developers for deep customization

Salesforce Marketing Cloud is great for:

• Marketers looking to use one of the most comprehensive email suites available

• Large B2B and B2C enterprise businesses

• Large contact lists of more than 100K

A few more to consider

• SendGrid for communication automation within the ever-expanding Twilio ecosystem

• User.com for heavy personalization capabilities

• Oracle Eloqua for integration with dynamic cross-channel campaigns

• Klaviyo for companies that use point-of-sale data to inform email marketing

Choosing an email service provider

These days, the ESP industry is fairly mature, and, as such, each vendor will cover the basics and has a solid roster of customers that you can learn from. While certain tools are much better suited for certain sized businesses and industries, each tool will be able to accomplish the basics of engaging with your user base at scale in personalized ways. This is especially true if you've set up your analytics with a tool like Segment.

For more information on the email service providers that Segment offers, check out our catalog of integrations here.