HackerOne: Offer white hats a safe harbour
By Dzof Azmi May 14, 2019
- Vulnerability disclosure policies and bug bounties are ways to ensure good faith
- Companies can even offer rewards in cash or kind if a security vulnerability is found
"IT HAS been shown that one in four vulnerabilities go unreported because researchers don't know if legal action will be taken against them," said Adam Tea, HackerOne Bug Bounty advisor. Meanwhile, 93% of the Forbes 2000 don't have an easy way for anyone to report potential security issues.
What would help, says Tea, is the creation of "safe harbours": companies make it a policy to welcome reports from members of the public who discover security vulnerabilities, and assure them that no legal action will be pursued.
Such a policy would form part of an overarching Vulnerability Disclosure Policy (VDP), which companies use to communicate a good-faith intent to resolve security vulnerabilities. It sets out which systems are in scope and how discovered vulnerabilities will be handled. The company can even offer rewards in cash or kind (or, as Tea puts it, "swag").
But instead of waiting for white hat hackers to come forward, why not invite them directly to try cracking your systems?
Tea is referring to the work done by HackerOne, a company that helps organisations implement "hacker-powered security" by developing bug bounty solutions and working with 175,000 ethical hackers around the world. (A "bug bounty" is a reward offered to people who successfully identify vulnerabilities in a system.)
Among its clients, HackerOne counts the US Department of Defense (DoD), with whom it has worked since 2016 on programmes such as "Hack the Pentagon" and "Hack the Army", the European Commission in the EU-Free and Open Source Software Auditing (EU-FOSSA) project, and the United Kingdom's National Cyber Security Centre.
Earlier this year, HackerOne worked with the Singapore Ministry of Defence (Mindef) and the Cyber Security Agency of Singapore (CSA) to organise a Government Bug Bounty Programme (GBBP).
"Singapore is constantly exposed to the increasing risk of cyber-attacks, and Mindef is an attractive target for malicious cyber activity," said a statement issued by Mindef. "The programme was a response to this rapidly-evolving cyber-threat landscape."
The statement also noted that the programme ran for just over two weeks, attracted 264 white hats from around the world, and identified 97 instances of vulnerabilities, with US$14,750 paid out in bounties.
Tea argued that this kind of security testing is cost-effective. "Researchers are only paid for results for finding a security vulnerability, as opposed to being paid for the amount of time spent working," explained Tea. "I would say paying for results is more effective."
Continuous bug bounties
HackerOne believes that the concept of hacker-powered security can also apply throughout the software development lifecycle, resulting in a continuous bug bounty programme. "Researchers will always have eyes on the product from the moment it's being built all the way through to when it's already in production," said Q Tan, HackerOne Enterprise Development.
"Working alongside them to resolve (vulnerabilities) is a much better way to sort of mitigate the risk and also display openness and collaboration," continued Tan. "I think that's the trend that we are seeing as well across various industries.
"It's almost like having a tennis coach right beside you telling you exactly what needs to be done," said Tan, explaining the value HackerOne brings with its methodology of identifying bugs and vulnerabilities in real time on actual systems.
"Because the feedback is so immediate from the continuous security testing, the vulnerabilities are routed back straight to the engineers," said Tea.
Such a methodology has the additional benefit of exposing systemic issues in the development process, signalled when a similar problem arises over and over again. "Once the security culture starts to improve there'll be less and less of these vulnerabilities being coded into the product."