Hacked website: consequences for business
In information-based business, a data breach is a major challenge that disrupts the daily functioning of the company. Once sensitive data falls into the hands of hackers, the business is drawn into a tough process of problem identification and recovery. As per research, 94% of organizations that suffered a data breach never recover, and 51% of these organizations dissolve their business within the next two years. A hacked website affects business on many levels. We have seen many cases where cybercriminals targeted personal data, being interested in copying or modifying the information. Whether it is financial records, trade secrets, credit card details, or customers' personal data, the information is sure to be sold to competitors or ransomed back. Some hackers simply like acting maliciously, so they might delete data from the website pertaining to orders, invoices or emails. Gaining access to the website's administrative units or server and destroying data afterward will halt the work for months. Because customers' trust is one of the crucial business assets, a cyber attack causes huge reputational damage. Eroding trust, in turn, inevitably leads to a loss of customers and sales and results in reduced profit. Moreover, the affected clients can take legal action, which can undermine the brand image once and for all.
Bug bounty program: unveiling the concept
A bug bounty program means taking a proactive stance rather than a reactive one. In essence, a bug bounty program gives a company the chance to use the talent of brainy hackers to look for vulnerabilities and hidden problems in its software products. The lifecycle of a bug bounty program starts with the researched company creating a brief that describes the rules of engagement. After the brief is created and researchers have familiarized themselves with it, the program goes 'live' on a bug bounty platform, and white hat hackers are invited to take part. Once the program has started, the white hat hackers test the software up, down and sideways to find bugs. All vulnerabilities and bugs are recorded in a report, which is then verified by in-house cybersecurity specialists, aka the 'Triage Team'. The security team of the researched company then receives a report with detailed instructions on how to fix the vulnerabilities in question. After a fix is made and verified by the researcher who found the bug, the company rewards the researcher with the sum of money negotiated earlier.
Is my business ready for bug bounty?
Though business and hacking may seem like a very odd couple, each and every company with a digital asset must have a vulnerability intake activity. Having a holistic vulnerability report gives a clear idea of the decision-making path and helps a business of any scope make maximum use of white hat hackers' skills. Rather than waiting for a breach to take place and putting business assets and clients at risk, a bug bounty program offers a way to actually work with hackers and benefit from this collaboration.
Speaking of particular benefits, the economic factor should be mentioned first. Cybersecurity audits carried out by individual experts are quite expensive, whereas a bug bounty program is a cost-effective method. Given that a bug bounty program is 24/7 non-stop testing, a company gets exceptional coverage of vulnerabilities. In addition, working with ethical hackers makes it possible to assess the security measures in place and identify which of them are inefficient or require an update. To see if it is ready for a bug bounty program, a company has the option of going through an initial assessment via a questionnaire.
Bug bounty is here to stay
Bug bounty programs are gaining momentum as one of the most prominent preventive tools in the context of data breaches. Before leveraging an army of hackers for the business, one should consider a number of aspects. First and foremost, it is essential to define the reason for implementing a bug bounty program and to know how it will end. Secondly, working with a trusted and credible partner is a guarantee that the research will be executed thoughtfully and responsibly. As a necessary part of the business security program, bug bounty is here to change the polarity of hacking talent. While black hat hackers embrace cutting-edge technologies for their illicit activities, the white hats help companies stay two steps ahead by taking the genius to the bright side.