The article introduces how a company can work with hackers to ensure security. The article includes two examples. The first one is about Facebook. Facebook provided a data abuse bounty to reward reports of misuse of data by app developers. The rewards encourage hackers to attack the system for security. The second example is Google. Google provided rewards to hackers who have techniques that target its abuse and spam programs. Companies need to work with hackers because there are different kinds of hackers in the world; they focus on different vulnerabilities. If companies work with them, the vulnerabilities will be discovered. In addition, hackers can also help companies re-test patched vulnerabilities. After a vulnerability is reported, the company should take action to fix it and test it again. It is a good way to communicate with hackers when they attack the patched vulnerabilities.
https://www.securitymagazine.com/articles/89469-how-to-work-with-hackers-to-make-your-company-more-secure
Brock Donnelly says
I really don’t know how to feel about bug bounties. They seem like they could be the Achilles heel of the overconfident. Come one and all, see what you can do to our systems… If you get into anything we will reward you, but only if you tell us and operate within the boundaries that “we” choose. It sounds beneficial to both parties, but companies that do this are really opening up the door for hackers of all types to attack their system. How many of those looking for a bounty do you think actually read the terms and conditions for the hunt? I did a little digging online to find some cons about bug bounties. Below are some serious negatives.
– You Will Hardly Distinguish Black Hats and Legitimate Researchers in Your Logs
– Do Not Expect Researchers to Take Into Consideration Your Risk Strategy When Reporting Bugs
– Few Researchers Will Carefully Read Your Bug Bounty Guidelines and Conditions
– Bug Bounty Requires Very Serious Technical, Human and Thus Financial Resources
– Unexpected Testing Methodologies and Techniques Will Regularly Appear on Your Horizon
– Bug bounty cannot replace continuous monitoring of your web infrastructure
– Bug bounty cannot serve as an additional protection layer to your web infrastructure
– Bug bounty is not suitable to test private systems
– They reward “bad” behavior.
So I ask anyone: do you think this is something that could be completed “in house”? It would make a hell of a job market. Or rather, should companies use consultants for this?
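The first negative in the list above, that researcher traffic and hostile traffic look alike in your logs, is the one a SOC can partly engineer around. Many programs ask registered researchers to mark their requests (for example with a custom header carrying their program ID) so that triage can route their traffic to the bounty queue and focus analyst time on everything else. The following is an added illustration, not code from the article or from any commenter: it assumes a hypothetical `x-bug-bounty` header convention, a constructed researcher roster, and constructed JSON-per-line request logs from a proxy configured to record request headers.

```python
import json
from collections import Counter, defaultdict

# Hypothetical program convention (assumed, not from the article): registered
# researchers send this header carrying the ID they were given at sign-up.
RESEARCHER_HEADER = "x-bug-bounty"
REGISTERED_IDS = {"hunter-0042", "hunter-0107"}  # constructed roster

# Constructed sample log: one JSON object per line, as a proxy or web server
# configured to log request headers might emit. IPs are documentation ranges.
SAMPLE_LOG = """\
{"ip": "203.0.113.5", "method": "GET", "path": "/login", "status": 200, "headers": {"user-agent": "Mozilla/5.0"}}
{"ip": "198.51.100.7", "method": "GET", "path": "/admin", "status": 404, "headers": {"user-agent": "curl/8.4", "x-bug-bounty": "hunter-0042"}}
{"ip": "198.51.100.7", "method": "POST", "path": "/api/users", "status": 400, "headers": {"user-agent": "curl/8.4", "x-bug-bounty": "hunter-0042"}}
{"ip": "192.0.2.9", "method": "GET", "path": "/admin", "status": 404, "headers": {"user-agent": "python-requests/2.31"}}
{"ip": "192.0.2.9", "method": "GET", "path": "/backup", "status": 404, "headers": {"user-agent": "python-requests/2.31"}}
{"ip": "203.0.113.77", "method": "GET", "path": "/backup", "status": 404, "headers": {"user-agent": "curl/8.4", "x-bug-bounty": "hunter-9999"}}
"""


def classify(entry):
    """Label one request by the researcher marker it carries, if any."""
    marker = entry.get("headers", {}).get(RESEARCHER_HEADER)
    if marker is None:
        return "unattributed"        # no claim of being a program participant
    if marker in REGISTERED_IDS:
        return "registered"          # on the roster; route to program triage
    return "unknown-marker"          # claims participation but is not on roster


def summarize(log_text):
    """Aggregate per source IP: class counts and number of 4xx/5xx responses."""
    summary = defaultdict(lambda: {"classes": Counter(), "errors": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        stats = summary[entry["ip"]]
        stats["classes"][classify(entry)] += 1
        if entry["status"] >= 400:
            stats["errors"] += 1
    return dict(summary)


def needs_review(summary, error_threshold=2):
    """IPs the SOC should look at rather than hand to the bounty triage queue:
    any source using an unregistered marker (spoof or onboarding gap), and any
    unattributed source producing repeated error responses (probing pattern)."""
    flagged = []
    for ip, stats in summary.items():
        classes = stats["classes"]
        if classes["unknown-marker"]:
            flagged.append(ip)
        elif classes["registered"] == 0 and stats["errors"] >= error_threshold:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, stats in sorted(summary.items()):
        print(ip, dict(stats["classes"]), "errors:", stats["errors"])
    print("review:", needs_review(summary))
```

On the sample, the registered researcher's probing is routed to the program queue, the unmarked scanner and the source presenting an unknown ID land in the review list, and the ordinary user is left alone. The marker is a triage hint only: it is trivially spoofable, so it must never relax rate limits, WAF rules or blocking, and a registered researcher who strays outside the program's scope still shows up as an incident like anyone else.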
Connor Fairman says
Very interesting article and great response, Brock. I hadn’t thought of the possibility that it’d be hard to distinguish between the activity of contracted hackers and people actually trying to do serious damage. Perhaps this could be a tactic of sorts, or an opportunity for cooperation: one of the contracted hackers communicates with an accomplice that is able to slip in amidst the activity of the people hired by the company to hack them. Another sneaky benefit of this is that a company or law enforcement agency could bring on these hackers to attack a system in order to learn their habits and tendencies, which could be used to identify them in the future when they commit real crimes. This could also help law enforcement agencies and companies keep up to date on hackers’ tactics as they develop with new innovations coming into the market.
Ruby(Qianru) Yang says
Interesting article. I like the idea that a company can set up an effective hacker-engagement program if the company understands that hackers want to be treated with respect and dignity, and that they want to be paid for their time – or at least acknowledged for their contribution. Acknowledgment can be as simple as a thank you or a piece of swag with the company logo on it. But if an alert hacker spares you significant harm, pay that person commensurate with the impact of the discovery.