For most ethical hackers, including myself, hacking doesn’t feel like work. We’re a community of puzzle-solvers – curious, and eager to share the vulnerabilities we uncover that can have repercussions for your company and your customers.
Many major enterprises – including, Google, Facebook and automaker GM – understand the value of the hacker community and already employ bug bounty programs, which offer payment ranging from small amounts of cash or a t-shirt to potential payouts in the thousands to hackers who discover vulnerabilities. Google recently expanded its program to include techniques that target its abuse and spam programs. This past spring on the heels of the Cambridge Analytica scandal, Facebook launched a data abuse bounty to reward reports of misuse of data by app developers.
By embracing the diverse community of hackers and tapping into their passion, you can significantly reduce your company’s risk profile, too. With that in mind, following are some tips, insights and best practices for engaging with the hacker community:
Why Community Matters. A lot of folks think of hackers as sitting in the basement, hunched over a computer, trying to sell stuff on the black market. That’s not the hacker community. There is a diverse group of hackers globally, all of whom focus on different types of vulnerabilities – from website weaknesses to network and infrastructure security. That diversity can work to your benefit. The varied skill set will impact the types of bugs you’ll find. A good bounty program will ask what data you are trying to protect. Having a wide scope helps secure that data.
Engaging Effectively: Respect. You can set up an effective hacker-engagement program if you understand that hackers want to be treated with respect and dignity, and that they want to be paid for their time – or at least acknowledged for their contribution. Acknowledgment can be as simple as a thank you or a piece of swag with your company logo on it. But if an alert hacker spares you significant harm, pay that person commensurate with impact of the discovery.
Don’t ignore someone who reports a vulnerability or respond with a lawyer – that’s a sure path to never having vulnerabilities reported to your company.
Engaging Effectively: Communication. Perhaps more than anything, hackers want a clear line of communication and an easy-to-find point of contact within your organization at any time of day or night – whether it’s a CISO, developers or an in-house IT security person. As hackers, when we find a vulnerability, we search across the Internet to see which organizations might be affected. I once woke someone up at 3 a.m. to report a vulnerability that could have been a company shutdown event. Yet the majority of Fortune 500 companies don’t have a clear way for someone to report a vulnerability – leaving hackers to scour LinkedIn for likely contacts or guessing via email addresses like email@example.com or firstname.lastname@example.org.
Communicate after the fact as well. After you’ve patched a reported vulnerability re-test to verify it has been fixed, and engage with the hacker again to make sure they test it as well to make sure they can’t get around any of the current fixes you put in place.
Finally, if you’ve never engaged with the community or are unsure of how to get started, try to leverage a bug bounty platform as much as possible – one with a good reputation among security researchers such as HackerOne, BugCrowd or Sinack.
Technology is moving faster than our ability to secure it. Tapping the collective wisdom of the hacker community is an important tool in any security arsenal.
This article was originally published in Security Magazine.