Why we reinforced vulnerability management with a bug bounty program
Information security today is all about keeping one step ahead of those who would do you dirty.
That means staying informed of your online weaknesses and addressing security vulnerabilities long before someone else stumbles upon them.
Of course, actually tracking down weak points within your digital defenses is easier said than done. Doing so requires dedicating time and effort to prodding systems for problems, without any assurance that there is something to find.
Then again, with surveys repeatedly finding that the large majority of websites carry at least one exploitable vulnerability at any given time, odds are there is always something that has been overlooked.
“If you think you know it all about cybersecurity, this discipline was probably ill-explained to you.” - Stéphane Nappo, Global Head of Information Security for Société Générale
It’s an endless struggle, but in recent years more than 700 companies have found a simple yet inspired solution to the problem. If there is so much concern about hackers infiltrating your systems and compromising data privacy, why not invite them to take a stab at it on your terms?
Proxyclick has happily stepped up to adopt this solution for ourselves: incentivizing bug bounty hunters to beat bad guys to the punch.
From penetration tests to bug bounty programs
The dynamic activities of companies online mean there’s always going to be fresh avenues for hackers to try and exploit.
Since new company webpages and updated online systems come out every day, so do new opportunities for overlooked weaknesses. In the past, most companies would address this issue by scheduling regular third-party penetration tests, often on a yearly basis.
However, compared with bug bounty programs this method is lacking in several respects, and with the cost of data breaches rising every year it no longer cuts it for most organizations. According to this report from IBM Security, the average cost of a data breach was $3.86 million in 2020.
A solid penetration test will do a few things for the purchasing organization:
- Identify the points at which the organization could be breached
- Simulate both automated and manually performed cyber attacks
- Demonstrate the means by which an attacker could reach company systems and private data
These are invaluable insights, as good testing will result in a thorough snapshot of a company’s current digital defense status.
But there are some downsides to penetration testing that we should mention.
They're infrequent. Because new vulnerabilities emerge all the time, the long gap between scheduled penetration tests is a period during which newly introduced weaknesses go unnoticed.
They're expensive. Penetration testing is priced anywhere between $4,000 to $100,000 depending on a company’s size, with high-grade tests averaging around $20,000.
They don't provide a wide range of expert insights. Third-party penetration tests are also typically performed by a limited number of experts (usually 1-2 testers and a manager for QA), which doesn't allow for many different, unique perspectives around the same issues.
This is all to say that while penetration tests certainly have their value, relying on such a point-in-time assessment by itself results in either excessive costs or a temporary form of blindness that leaves companies falling behind the curve over time.
At Proxyclick, we shifted the focus of our yearly point-in-time penetration tests to the parts of our applications and infrastructure that are less practical to crowdsource through a bug bounty program.
Bug bounty programs
By comparison, bug bounty programs address each of those shortcomings.
They work by applying a crowdsourcing mentality: companies invite bug bounty hunters to locate their vulnerabilities and compensate them for each valid, previously unknown finding.
This way, bug bounty programs naturally encourage ongoing security research that tests for vulnerabilities year-round, compared to providing a single snapshot of a given moment in time.
Suddenly, new system releases and the potential weaknesses that come with them become an attractive opportunity for ethical hackers to help companies while profiting themselves, a genuine win-win arrangement.
"The impact is significant if you think about it. Every patch that is coming out, especially when it comes to enterprise software and operating systems, is being fed by bug bounty programs. The community is coming together to make sure vendors are actually releasing patches for bugs…” – Brian Gorenc, Sr. Director of Vulnerability Research at Trend Micro
This pay-only-for-results model also makes keeping systems secure much more affordable on the company’s end. Rather than regularly spending large sums to check for vulnerabilities, organizations pay only for actionable discoveries that improve their security.
Meanwhile, bug bounty hunter earnings vary depending on the companies they assist and the severity of the bugs they report.
Looking at 2020, payouts averaged $979 per valid bug report, while the most critical vulnerabilities paid out around $3,650.
Even then, such high-cost discoveries are infrequent: only 8% of bug reports were rated ‘critical severity’.
How Proxyclick benefits from a bug bounty program
As of January 2021, Proxyclick joined the growing list of top-of-the-line companies (including Facebook, Intel, Dropbox, Yahoo, and Quora) that enlist the aid of bug bounty hunters to keep ahead of would-be attackers.
This is pretty huge for us, and even more so for our customers, as our products are now continuously stress-tested rather than checked once a year.
And in just 3 months, we have already gained a great deal of invaluable insight into how to make our products more secure.
Let me walk you through how it all unfolded here at Proxyclick.
1. Partnering with Intigriti
Initiating a bug bounty program was a cinch for us (as it can be for anyone else) thanks to our partnership with the Intigriti platform.
Intigriti manages a large community of handpicked ethical hackers and takes the reins on the full bug bounty process.
From setting up a program for our company, to sourcing researchers, to validating the quality of bug reports and distributing rewards for confirmed discoveries, they handle every stage of the testing process.
2. Picking the hackers
Intigriti helped us pick some very savvy white-hat hackers and invited them to our program to start contributing.
It didn’t take long – only a week or so – before we received submissions describing very real vulnerabilities that our previous point-in-time penetration tests had not surfaced.
3. Getting access to reports
The reports we received were clear and concise, and enabled our developers to start fixing each problem immediately.
Whenever we came across a finding that we weren’t immediately convinced by (or believed that the impact wasn’t as severe as described), we were able to propose a change to its severity (i.e. the label that determines the bounty paid) with ease.
The hackers we worked with remained understanding and helpful at all times, very different from the crooks in black hoodies you always hear about.
4. Becoming brand ambassadors
Intigriti expertly guided us in becoming ambassadors of our own bug bounty program: engaging with the researchers and rewarding them for the solid research they had done.
We're happy to share that we've managed to keep a few hackers testing our product continuously over the past 4 months. As their knowledge of our applications grows, the findings they report are becoming more complex over time.
5. Continuing to fix vulnerabilities
At Proxyclick, our security team takes every finding seriously and works to resolve vulnerabilities quickly through our bi-weekly release cycles.
We’ve taken an average of only 30 days to fix vulnerabilities, compared with the platform-wide average of about 80 days.
Pro tip: Intigriti also creates quarterly, customer-friendly reports that summarize the findings of the preceding period.
These reports, alongside the report from our yearly penetration test, are huge assets when customers ask for evidence of security testing as part of their regulatory compliance processes. So, this program ultimately enables us to show our customers how seriously we take security across the organization.
Summing it all up
To recap, implementing a bug bounty program helps organizations keep malicious hackers at bay by:
- Going beyond point-in-time penetration testing with a less expensive, always-active system of crowdsourced security testing
- Encouraging ethical hackers to locate and report vulnerabilities that others could otherwise exploit
- Partnering with a professional bug bounty platform that manages every stage of the relationship with bug bounty hunters
- Using the findings of your community of ethical hackers to make your applications more secure, step by step
For more on key company cybersecurity methods, check out these informative links:
- 7 big questions answered of 3rd party penetration testing
- What is the DKIM check and why is it important to your business?
- What does it mean to be an ISO 27001-certified business?
- What is the OWASP Top 10 and why does it matter?
Want to learn more about how Proxyclick handles security? Visit our security page, or contact our team directly.