HackerOne Bug Bounty Advisor Rena Chua shares the top four reasons why management needs to consider hacker-powered security.
By Rena Chua
You know some hackers. They’re smart, driven, creative people. Maybe you used to hack yourself before landing your current gig. The bottom line is, you know that bug bounties and other hacker-powered security approaches are a smart investment for anyone looking to build up a security infrastructure. But your higher-ups still need some convincing.
To help cyber security professionals make the case, we’ve put together the following four reasons why your management needs to look at hacker-powered security programs.
Consistent, effective protection
Hacker-powered security puts a global ethical hacker community on watch, 24/7, for any vulnerabilities that your developers, or the third-party developers whose code you use, may have missed.
And let’s be clear (because the head of engineering may push back) – it’s not sloppiness. Your devs are amazing; they are humans who are asked to add features at an accelerating pace. Bugs happen. Let ethical hackers find them before the criminals do.
Pay for results
Traditional security solutions make you pay up front — usually a lot — and you pay the same amount regardless of how many bugs they find, or how critical the bugs are.
With hacker-powered security, organisations pay only for found and validated vulnerabilities, and hackers bring nearly unlimited diversity of skills, approaches, experience, and desired compensation. In other words, organisations get an army of researchers eager to uncover and report bugs of all types and severities.
Several of our customers have switched from traditional penetration testing to time-bound bug bounty challenges, in which friendly hackers test designated systems and applications for vulnerabilities over a set period of time. One of the common pieces of feedback we get from customers is that they are getting much better results with bug bounties than with traditional pen-testing, and at a more cost-effective price.
A recent report by Forrester Consulting suggests that a company switching to hacker-powered security programs for pen-testing stands to save nearly USD 300,000 in net present value over three years.
Scale up or down
Everyone from enterprise businesses to startups can benefit from hacker-powered security. Increasingly, enterprise companies are insisting startups put proactive security in place before they do business with them (aka the security questionnaire).
Counting on a community of 550,000+ ethical hackers has many advantages. Scalability might be one of the biggest. Want to dip your toe in the water? Then start with a responsible disclosure policy, or vulnerability disclosure program (VDP). If your budget is tight, or if you want to evaluate the number and type of reports you’ll get, this is a perfect way to start. With a responsible disclosure policy or VDP, you don’t pay hackers for their reports, so you tend to receive fewer. If your team needs more than that, then you might want to consider using a third-party tool like HackerOne Response to coordinate, manage and triage all incoming vulnerability reports.
As your entire team starts to appreciate the quality and value coming from hackers, and gets used to incorporating the reports into your workflow, it’s easy to switch to a private bounty program. Some 80% of all HackerOne Bounty programs are private. In this type of program, you determine how many hackers to invite and the skills they need to have. This puts you in command of the program cost and the report volume.
Bug bounty programs are infinitely customisable
It’s easy to calibrate a private bounty program to make sure the number of reports you receive is manageable, both in terms of your team’s time and your budget. Soon, you’ll have a good feel for how changing the program scope, the bounty amounts, and the number of invited hackers changes the report volume.
Soon enough, you may decide, as Priceline recently did, that the time is right to launch a public Bounty program.
At HackerOne, we continuously add new integrations and solutions to meet companies’ needs. There are bi-directional integrations with popular dev tooling like GitHub, Jira, and more, and our well-documented API lets you do just about anything you can imagine.
For organisations that need precise control, there are also processes in place that ensure only proven, verified, and background-checked finders participate in your program, lock down all connections, and provide complete visibility into all program activities.
Of course, service teams can also help with program set-up and operations. For example, many of HackerOne’s customers do choose to offload report triage to our team. Here, we handle all the communication with hackers to collect the necessary information to ensure each report is valid and actionable. This frees your staff to focus on prioritising reports and remediation.