How to Work with Hackers to Make Your Company More Secure

October 4, 2018

For most ethical hackers, including myself, hacking doesn’t feel like work. We’re a community of puzzle-solvers – curious and eager to share the vulnerabilities we uncover that can have repercussions for your company and your customers.

Many major enterprises – including, Google, Facebook and automaker GM – understand the value of the hacker community and already employ bug bounty programs, which offer payment ranging from small amounts of cash or a t-shirt to potential payouts in the thousands to hackers who discover vulnerabilities. Google recently expanded its program to include techniques that target its abuse and spam programs. This past spring on the heels of the Cambridge Analytica scandal, Facebook launched a data abuse bounty to reward reports of misuse of data by app developers.

By embracing the diverse community of hackers and tapping into their passion, you can significantly reduce your company’s risk profile too. With that in mind, following are some tips, insights and best practices for engaging with the hacker community:

Why Community Matters

A lot of folks think of hackers as sitting in the basement, hunched over a computer, trying to sell stuff on the black market. That’s not the hacker community. There is a diverse group of hackers globally, all of whom focus on different types of vulnerabilities – from website weaknesses to network and infrastructure security. That diversity can work to your benefit. The varied skill set will impact the types of bugs you’ll find. A good bounty program will ask what data you are trying to protect. Having a wide scope helps secure that data.

Engaging Effectively: Respect

You can set up an effective hacker-engagement program if you understand that hackers want to be treated with respect and dignity, and that they want to be paid for their time – or at least acknowledged for their contribution. Acknowledgment can be as simple as a thank you or a piece of swag with your company logo on it. But if an alert hacker spares you significant harm, pay that person commensurate with impact of the discovery.

Don’t ignore someone who reports a vulnerability or respond with a lawyer – that’s a sure path to never having vulnerabilities reported to your company.

Engaging Effectively: Communication

Perhaps more than anything, hackers want a clear line of communication and an easy-to-find point of contact within your organization at any time of day or night – whether it’s a CISO, developers or an in-house IT security person. As hackers, when we find a vulnerability, we search across the Internet to see which organizations might be affected. I once woke someone up at 3 a.m. to report a vulnerability that could have been a company shutdown event. Yet the majority of Fortune 500 companies don’t have a clear way for someone to report a vulnerability – leaving hackers to scour LinkedIn for likely contacts or guessing via email addresses like info@xx.com or security@xx.com.

Communicate after the fact as well. After you’ve patched a reported vulnerability, re-test to verify it has been fixed, and engage with the hacker again to make sure they test it as well to make sure they can't get around any of the current fixes you put in place.

Finally, if you’ve never engaged with the community or are unsure of how to get started, try to leverage a bug bounty platform as much as possible – one with a good reputation among security researchers such as HackerOne, BugCrowd or Sinack.

Technology is moving faster than our ability to secure it. Tapping the collective wisdom of the hacker community is an important tool in any security arsenal.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.

Justin Calmus is OneLogin’s Chief Security Officer responsible for architecting and leading OneLogin’s risk management, security, and compliance efforts. Justin is an information security leader, researcher and hacker-turned CSO who previously served as CIO and CSO at Zenefits. A hacker himself, Calmus regularly participates in bug bounty programs and drives initiatives to foster the global hacker community.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 November

This month, Security magazine brings you the Security 500 Report, Rankings and Thought Leader Profiles. How does your enterprise compare to others? Which security programs are leading the way? Also this month, we highlight how to plan, prepare for and build resilience to protests and other unplanned events, video surveillance tools for SMBs and more.

View More Create Account

How to Work with Hackers to Make Your Company More Secure

Related Articles

Report Abusive Comment