HackerOne is the platform behind many bug bounty programs.

Edward Gately, Senior News Editor

March 17, 2018

9 Min Read
Cybersecurity

On the front line of the cybersecurity war stands an army of hackers who are using their skills for good instead of evil.

These hackers are part of bug bounty programs, in which companies like Bitdefender, Barracuda Networks and Kaspersky Lab offer rewards for finding and reporting software bugs so they can be fixed before cybercriminals exploit them.

HackerOne is the platform behind many of these programs. HackerOne customers have resolved more than 64,000 vulnerabilities and have been awarded more than $25 million in bug bounties.

Bacchus-Adam_HackerOne.jpg

HackerOne’s Adam Bacchus

To get the lowdown on bug bounty programs, we spoke with Adam Bacchus, HackerOne’s director of program operations. He runs HackerOne’s internet bug-bounty program, disclosure assistance and other efforts to help organizations start and run successful bug-bounty programs, help hackers succeed, and generally drive the creation of bounties.

“Bounty hunters are definitely the leaders in the space,” he said. “When you have a bug bounty program, you have a veritable army. It’s almost like a neighborhood watch where you have hundreds or thousands, or hundreds of thousands of hackers who are all watching out for you and they’ve all got your back. And they are very much on the front line in the way that they’re constantly watching out and looking for vulnerabilities, and giving you a friendly head’s up if they find something.”

Bug bounty programs basically are vulnerability disclosure programs with an added financial incentive, Bacchus said.

“A disclosure program is saying, ‘Hey, if you’re a hacker out there, a friendly hacker, and you found a bug in one of our systems, this is how you can contact us and tell us about it, and we have an agreement with you, we’re not going to try to sue you or throw you in jail,'” he said. “Here [are] the rules of engagement, here’s what you can hack on, here’s what you can’t hack on, and please don’t go after other users’ data. In a bug bounty program, we’re also saying, “Hey, depending on the severity of the bug, if you find a huge bone-crushing issue, we’re willing to pay out a certain amount of money depending on the severity of the bug. They’ll reward you for taking the time to do that research and letting us know about that issue.”

When a company launches a bug bounty program, lots of bugs are found because “you’re leveraging the power of hundreds if not thousands of eyeballs looking at your property,” Bacchus said.

“What we’ve seen on all of our programs that we run is after the initial spike, things will tamper down a little bit once the low-hanging fruit has been caught,” he said. “So what most programs will do is, over time they’ll actually increase the bounty amounts so as bugs are harder to find, you essentially have to pay more to get that return on investment from hackers. And you eventually move or shift from improving the security to what we call proving security in that lots and lots of hackers are going after you and trying to find bugs. If the well is starting to dry up, that’s a good sign …

… your security’s improved as a result of your program.”

As part of its Global Transparency Initiative, Kaspersky Lab recently extended its successful bug bounty program to include rewards of as much as $100,000 for the discovery and coordinated disclosure of severe vulnerabilities in some of its leading products.

Anton Shingarev, head of the CEO office at Kaspersky Lab, tells us the program launched in 2016 and already has led to more than 70 bug reports related to Kaspersky products and services being resolved, “thus improving the resiliency of our products.”

Shingarev-Anton_Kaspersky-Lab.jpg

Kaspersky Labs’ Anton Shingarev

“In today’s complex threat landscape, bug bounty programs are one of the tools that help security companies strengthen their products and compliment their own vulnerability detection and mitigation work,” he said. “These programs also incentivize external researchers to safely and responsibly find and disclose software vulnerabilities.”

Bogdan Botezatu, Bitdefender’s senior e-threat analyst, tells us his company’s bug bounty program has helped identify potential blind spots across its technology stack.

“We are fortunate to have a red team always available to uncover what is happening in the cyberthreat landscape,” he said. “We strongly believe that an extra set of eyes can reveal things that may have been overlooked in our initial tests. The desire for a ‘second opinion’ arises from the responsibility that we have to our customers and partners. We want to engage with people outside of Bitdefender who bring different perspectives and skill sets to the security table.”

Bitdefender tends to treat any bug – regardless of severity – as a vulnerability with serious consequences, Botezatu said.

Botezatu-Bogdan_Bitdefender.jpg

Bitdefender’s Bogdan Botezatu

“Distributed denial-of-service (DDoS) attacks, vulnerability probes and mass scans are part of the normal daily routine for a security company and the fewer and the smaller the holes, the less leverage cybercriminals have,” he said. “There is plenty of feedback from bug hunters. After submitting bugs with proof of concept, we stay in touch with them for the duration of validation through the implementation of the fix. They are generally happy with the fact that we encourage them to take their best shot and reward them with money. Carrots are always better than sticks.”

Hacker activity in the programs varies widely, Bacchus said.

“We’ll see some hackers that get really invested in one or two programs and they really just focus on those areas and go very, very deep, and get an intimate knowledge of that organization, and their applications and how they work,” he said. “And we’ll see other hackers that kind of go wide and a little more shallow, so they basically go across many, many programs and see what they can find. There are hackers that are really good at finding certain vulnerabilities, and so they’ll look for that type of vulnerability across multiple programs. And sometimes you’ll have a hacker who’s good at finding just about everything, and they’ll go deep in one program and find all the various bugs for that one organization.”

More and more companies and organizations are realizing that …

… working with hackers to fight cybercrime is a good thing, Bacchus said.

“If you don’t have a way of receiving bugs, it can almost be seen as a negative, that you’re not willing to accept bugs from the community,” he said. “All sorts of organizations are pursuing this as a way to improve security.”

Small Businesses Spending Too Much on Cybersecurity

A joint analysis of IT security spending by cybersecurity firm Akouto and Alpha Logics shows businesses that failed to adequately invest in cybersecurity end up spending on average 58 percent more compared to similar companies with adequate security measures in place. That number quickly skyrocketed when factoring in knock-on costs such as lost wages and revenue as a result of unplanned downtime, according to the companies.

The study analyzed spending patterns of existing clients to examine cybersecurity expenditures for SMBs that underinvest compared to their peers.

Breaches involving credit-card numbers can be among the costliest, with businesses forced to pay significant amounts for forensic examinations, credit monitoring services, customer notification services and legal fees among other costs, according to the analysis.

Dominic Chorafakis, Akouto’s founder, tells us key findings in the study highlight the opportunity for channel partners to help customers protect their business and save money.

“The first is that the longer it takes to detect a breach, the more costly it is for a business to recover,” he said. “That’s because more systems are typically affected, translating into higher costs to repair and restore IT infrastructure. The knock-on costs are also much higher as a result of the longer downtime and lost productivity while systems are being restored. These results suggest that channel partners can assist their customers by helping them develop a balanced cybersecurity strategy that addresses both the prevention and detection of breaches and cyberthreats in general.”

Opaq Networks Beefs Up Security-as-a-Service Cloud

Opaq Networks has added microsegmentation for endpoints to its cloud security-as-a-service platform for the channel, aimed at preventing lateral attacks, containing breaches and quarantining infected hosts. Opaq PathProtect technology provides visibility and control over network activity, and the ability to locally enforce security policies on devices from the cloud.

“Companies are struggling to implement and manage a microsegmentation strategy that adheres to zero-trust security principles,” said Tom Cross, Opaq’s CTO. “This is particularly true for midsize enterprises that lack the expertise and resources to defend against lateralization attacks. Opaq PathProtect provides a powerful, simple and flexible tool that enables our channel partners to implement software-defined network segmentation-as-a-service from the cloud.”

PathProtect allows organizations to implement …

… network segmentation from the Opaq Cloud without using VLANs or firewalls. It provides device-based visibility and control from the cloud to protect against insider and external attacks. It is integrated with other enterprise-grade security capabilities, including next-generation firewall, web application firewall and DDoS mitigation, accessible as a service from the Opaq Cloud.

Fortanix Powers Equinix HSM Offering

Equinix has selected Fortanix Self-Defending Key Management Service (SDKMS) to power its SmartKey hardware security module (HSM) as a service, aimed at securing data across enterprise and cloud environments. As a result of this collaboration, the Fortanix offering is available via SmartKey as a global SaaS-based key management and HSM service hosted on Equinix’s global interconnection and data center platform.

All core functions including access control, authentication, key generation and cryptographic operations, are performed in a protected environment, Equinix said.

Organizations can use SmartKey to secure databases, digital payments, PKI systems and Internet of Things (IoT) applications.

“With presence in 48 global markets, Equinix is uniquely positioned to provide localized, cloud-neutral encryption key management, separate from and in close proximity to the industry’s leading cloud services,” said Lance Weaver, Equinix’s vice president of product strategy and emerging services. “By collaborating with a leading technology partner, Fortanix, Equinix is providing our customers with a solution that meets the demands of today’s changing data landscape.”

Read more about:

Agents

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like