In this new digital age is my network really protected?
Every day new headlines cross our newsfeeds of companies falling prey to hackers. Uber, DoorDash, Equifax, and British Airways, among others, have all been attacked, and vulnerabilities in their systems have resulted in millions of dollars in legal fines. This alone should make organizations stop and question what the best solution is to protect themselves in this new digital age.
How am I leaving myself vulnerable to attack?
No system is perfectly secure, and vulnerabilities can be created whenever changes are made to your system. Unless someone is constantly checking for these vulnerabilities, you will end up leaving a critical system flaw for a malicious hacker to exploit. This is something we call a “zero day” in the industry. We call it a “zero day” because if it is exploited it sends a business back to day ‘zero’, where they start over with nothing. Data is exfiltrated, websites are vandalized, databases are wiped, backups are deleted, and confidential information is spread to every corner of the internet. A zero day vulnerability can take a $1 billion company and turn it into a zero.
Why isn’t that the responsibility of my IT Team?
Your IT staff already has a full-time job with many time-consuming duties to attend to. They are specifically trained to build, maintain and fix issues in your system, not to identify flaws. They know what the best hardware is to use and what the newest and best software available is to get the job done right. They know what to install where and who gets access to what. Their job is to keep the system running, fix errors, replace parts, maintain databases, add new content, revise old content and so on.
Who is the best skilled to find these flaws in my systems?
The answer is not your director of information technology. He is important and necessary, but his job is to protect your system, not to identify flaws in it. To find the flaws you need someone trained to do that: you need hackers. You hire the best in the industry to build and manage your IT systems, but if you do not use the people best skilled at finding the flaws in your system, you are leaving yourself vulnerable.
Wait, are you suggesting we should hire… hackers?
Yes. Major companies are hiring ethical hackers every day: people with the skill set of malicious hackers, but with an ethical moral compass. These ethical hackers test their systems for flaws and report back before a malicious hacker uses the same flaw to wreak havoc. Major companies including IBM, Google, Apple, Ford, PayPal, and many others all recognize the value in having both an IT department and the diverse skill set of ethical hackers to find obscure but damaging vulnerabilities in their systems.
Let me give you an example…
If a bank wants to protect itself against robberies, the first thing it does is hire security guards trained to spot robbers. It also puts in appropriate security measures: bulletproof glass, dye packs, locks, and vault doors. Think of this as your IT department.
But banks go even further, because they want to ensure, to the greatest degree possible, that their security measures are going to prevent robberies. Thus, they hire additional personnel skilled in locating holes in their security. Now a security guard (whose job is to spot and stop robbers) is not trained to find holes in the security. It is not his skill set. Consequently, banks hire the only people skilled at breaking their security: bank robbers, or in our case, hackers. It may sound absurd, but banks hire consultants, typically retired thieves who have served their time and reformed, to try and beat their systems. These consultants test the bank’s security and then make recommendations on how to improve it. It is only logical to hire the people best trained to beat your system to help you secure it.
Banks still need security guards (in your case, an IT department), but banks that do not have both security guards protecting them and reformed robbers finding flaws for them are leaving themselves vulnerable to robbery through the smallest, most unnoticeable holes in their security.
With the rise of internet banking, banks realize the need to hire the equivalent of digital robbers to test their digital banking systems. So they hire ethical hackers and penetration testers to find flaws and holes in their digital systems to keep malicious hackers from using the same flaws to rob their banks. The same is true for any company’s digital security.
How would my company find these ethical hackers?
By developing a Vulnerability Disclosure Program. The definition of this term is not widely understood. “Vulnerability disclosure” is an industry term used to describe the process of ethical hackers identifying security flaws in a company’s system and reporting them. Therefore, a “Vulnerability Disclosure Program” entails establishing a clear channel of communication where ethical hackers can securely and responsibly report issues, without fear of legal backlash, knowing the issues they report will be appropriately addressed. Think of it as similar to a mailbox where any ethical hacker can send their discoveries, knowing the organization wants their help and will address the issues they find.
Isn’t that just as easy as just setting up a dedicated email address?
Many organizations make the mistake of initially attempting to run their own Vulnerability Disclosure Program by simply setting up an email address and referring individuals to send their reports there. However, there is more to running a vulnerability disclosure program: the key is having individuals trained in reviewing and analyzing the reports you receive. Otherwise you will end up making the same mistake the multi-million dollar company Valve did when it ignored a major security flaw because the right team was not managing their program (ia.acs.org.au/article/2019/valve-admits--mistake--in-ignoring-zero-day-vulnerability.html). Their mistake not only caused a massive public relations nightmare, but almost left hundreds of thousands of their customers vulnerable to severe attack, all because they failed to recognize the severity of the problem. Bottom line: having individuals trained in reviewing and analyzing the reports you receive is as essential as establishing a place to report them.
What companies offer this type of service?
Presently, three companies of note offer Managed Vulnerability Disclosure Programs: Libertalia, HackerOne and BugCrowd.
What does this type of service typically cost?
Typically, managed vulnerability disclosure programs are expensive, especially from organizations like HackerOne and BugCrowd, which have fully dedicated triage teams and dozens of costly customizations.
However, Libertalia has developed an innovative pricing model that allows us to offer a completely managed vulnerability disclosure program for as little as $2,000 per month. Alternatively, for large organizations, we provide program managers who will build the program, train your team to review reports, and supervise the program on your behalf.
What makes Libertalia the better choice for my program?
While both HackerOne and BugCrowd have quality platforms and offer managed program services, there are three main problems with their services:
1) The management teams they use are not all hackers.
2) They have a consistent, public record of ignoring critical flaws (much like the team Valve used for their program).
3) Their programs are not strategically optimized to maximize the involvement and efforts of ethical hackers.
Libertalia’s service addresses all of these problems to provide the best, most effective vulnerability disclosure programs.
What makes Libertalia’s management team the best?
A management team staffed by individuals with the knowledge to make a diligent effort to properly investigate every report that is submitted; individuals trained in reviewing and analyzing the reports received; individuals with a consistent record of finding critical flaws faster and with more accuracy; individuals who understand they must resolve these issues quickly before a malicious hacker finds and exploits the same issue. Consequently, Libertalia’s management team is staffed with ethical hackers.
The key to a quality Managed Vulnerability Disclosure Program is having the best management team staffed with hackers who understand the stakes. It is as essential as establishing a place to send reports. That said, no one will be more dedicated to keeping you safe than your own people. Thus for large organizations we recommend our Vulnerability Program Manager service, where we will train your own people to properly interact with hackers and triage reports.
Why not just hire my own security researchers instead?
Hiring just one full-time high-level security researcher would necessitate a salary of $150,000 or more per year to entice them away from a high-paying technology company. Perhaps instead you hire two mid-level researchers at $60,000 per year each, from which your company would receive a combined knowledge pool of 14 years’ experience, maximum. Additionally, these salaried workers will only find the specific problems in your system that they have experience with, unless they are given some other sort of motivation (bonuses, rewards, or recognition).
This option does not provide the level of security banks and major corporations enjoy when they hire large teams of ethical hackers to protect their digital systems; however, most firms cannot afford the expense of hiring a large, diverse internal team of ethical hackers. Even if they do, they still will not have the diversity in skill that can be obtained through a Managed Vulnerability Disclosure Program.
By having a Managed Vulnerability Disclosure Program your company gains access to the entire pool of ethical hackers globally who can contribute to your protection as opposed to the small number of select individuals hired internally. Dollar for dollar the level of security provided by a properly managed vulnerability disclosure program far exceeds this alternative.
Why not hire a penetration testing company to accomplish the same thing?
You could hire a penetration testing company to review your company’s infrastructure on a monthly basis, which for a mid-sized organization would likely cost at least $10,000 a month. However, this only provides protection once a month instead of every day. If a vulnerability is created the day after they finish their testing you are vulnerable for the next 30 days between testing, and possibly longer if the next test fails to catch the vulnerability.
Again, this option does not provide the level of security banks and major corporations enjoy when they hire large teams of ethical hackers to protect their digital systems. However, with the advent of crowdsourced ethical hacking through Managed Vulnerability Disclosure Programs, you now have the same options banks and major corporations enjoy without the same expenditure.
Does a Vulnerability Disclosure Program protect third party software we use?
Third party software is used on websites in one of three ways, and which way applies determines whether it is protected.
When the software is hosted directly on your website (like WordPress’s content management system), it would typically fall within the protection of your Vulnerability Disclosure Program.
When the software is hosted external to your website and you link to the third party’s website where they host content on your behalf (like Zendesk’s helpdesk software), it would not and cannot legally fall within the protection of your Vulnerability Disclosure Program (as it is the third party vendor’s responsibility to protect their services).
When your website accesses data hosted on your behalf by a third party (like Iterable.com), vulnerabilities in the third party’s software would not fall within your Vulnerability Disclosure Program, but vulnerabilities on your website relating to the exposure of that data would fall within your Vulnerability Disclosure Program.
Is a Vulnerability Disclosure Program the perfect security solution?
No, Vulnerability Disclosure Programs are not the silver bullet of security. Companies still have to do their own due diligence at the internal corporate level and have sufficiently skilled individuals in their IT department and in their coding department; but companies that do not have both internal diligence and a disclosure program are leaving themselves vulnerable.
Can I talk to someone about hiring Libertalia to build and manage our program?
Happily. We’re glad the information presented thus far has shown the importance of utilizing ethical hackers. Please request a consultation and we will schedule a time to discuss details and help you get started.