You know some hackers. They’re smart, driven, creative people. Maybe you used to hack yourself before landing your current gig. The bottom line: You know that bug bounties and other hacker-powered security approaches are a smart investment for anyone looking to build up a security infrastructure. But your higher-ups still need some convincing.
Don’t worry. To best equip you, we’ve put together the following top four reasons your management needs to look at hacker-powered security programs.
Reason 1: Consistent, effective protection
Hacker-powered security puts a global ethical hacker community on watch, 24/7, for any vulnerabilities your developers, or third party devs whose code you use, may have missed.
And let’s be clear (because the head of engineering may push back) -- it’s not sloppiness. Your devs are amazing, and they are humans who are asked to add features at an accelerating pace. Bugs happen. Let ethical hackers find them before the criminals do.
Reason 2: Pay for results
Traditional security solutions make you pay up front — usually A LOT — and you pay the same amount regardless of how many bugs they find, or how critical the bugs are.
With hacker-powered security, organisations pay only for found and validated vulnerabilities, and hackers bring nearly unlimited diversity of skills, approaches, experience, and desired compensation. In other words, organisations get an army of researchers eager to uncover and report bugs of all types and severities. Several of our customers have switched from traditional penetration testing to time-bound bug bounty challenges, in which friendly hackers test designated systems and applications for vulnerabilities over a set period of time. One of the common pieces of feedback we get from customers is that they are getting much better results with bug bounties than with traditional pen-testing, and at a more cost-effective price.
In fact, a recent report by Forrester Consulting found that a company switching to hacker-powered security programs for pen-testing stands to save nearly US$300,000 in net present value over three years.
Reason 3: Start small, grow slow—or fast—and get as big as you need
Everyone from enterprise businesses to startups can benefit from hacker-powered security. Increasingly, enterprise companies are insisting startups put proactive security in place before they do business with them (aka the security questionnaire).
Counting on a community of 550,000+ ethical hackers has many advantages. Scalability might be one of the biggest. Want to dip your toe in the water? Then start with a responsible disclosure policy, or a VDP. If your budget is tight, or if you want to evaluate the number and type of reports you’ll get, this is a perfect way to start. With a responsible disclosure policy or VDP, you don’t pay hackers for their reports, so you tend to receive fewer. If your team needs more than that, then you might want to consider using a third-party tool like HackerOne Response to coordinate, manage and triage all incoming vulnerability reports.
As your entire team starts to appreciate the quality and value coming from hackers, and gets used to incorporating the reports into your workflow, it’s easy to switch to a private bounty program. Some 80% of all HackerOne Bounty programs are private. In this type of program, you determine how many hackers to invite and the skills they need to have. This puts you in command of the program cost and the report volume.
Reason 4: Bug bounty programs are infinitely customisable
It’s easy to calibrate a private bounty program to make sure the number of reports you receive is manageable, both in terms of your team’s time and your budget. Soon, you’ll have a good feel for how changing the program scope, the bounty amounts, and the number of invited hackers changes the report volume. Soon enough, you may decide, as Priceline recently did, that the time is right to launch a public Bounty program.
There you have it. The top four reasons your management needs to look at hacker-powered security programs. Did we miss something? Please let us know!