White-hat hackers are experts at discovering vulnerabilities and they want to help you improve your security. You may never be able to hire them for a full-time position, but they can play a key role in protecting your web application. Here are three ways to leverage their knowledge and keep your website safe.
1. Responsible disclosure
Most companies first approach the security community by implementing a responsible disclosure policy. Responsible disclosure allows security researchers to look for vulnerabilities and report them to the vendor without running the risk of legal action. Having a responsible disclosure in place signals that an organisation is open to vulnerability reports from white-hat hackers.
Responsible disclosure (Click to enlarge)
Tech giants in Silicon Valley were the first to implement responsible disclosure despite having security teams of their own. This shows that everyone, regardless of organisation size and the level of internal security knowledge, can benefit from asking white-hat hackers for help.
Getting started
Before you go ahead and implement a responsible disclosure policy, make sure you have the resources and a process to follow up on vulnerability reports. Receiving your first report can be stressful, but establishing a routine for evaluating reports and fixing vulnerabilities will help you keep your security work structured. If you’d like to get started with responsible disclosure, can take a look at our Guide to Responsible Disclosure that answers some commonly asked questions.
2. Bug bounty
If responsible disclosure is the first step towards bringing businesses and white-hat hackers closer together, bug bounty is what comes next. Bug bounties are essentially responsible disclosure programs that reward white-hat hackers for reporting vulnerabilities. The rewards can be anything from t-shirts and stickers to payouts adding up to thousands of dollars.
Bug bounty (Click to enlarge)
Bug bounties often receive considerable attention in the media, especially when large monetary rewards are involved. You may have heard of companies like Google paying out immense sums to white hats who reported critical vulnerabilities to them. Back in 2014, our security researchers discovered a vulnerability that gave them read access to Google’s production servers, which resulted in a $10,000 bug bounty. However, this is by no means the biggest bug bounty payout of all times!
Getting started
The majority of companies do not run bug bounty programs on their own, but partner with a dedicated platform like HackerOne or BugCrowd. Using a platform makes it easier for the organisation to structure their bug bounty program and get access to white-hat hackers who can help them find vulnerabilities.
3. Automated bug bounty – Detectify Crowdsource
With responsible disclosure and bug bounty programs, companies can only remediate one vulnerability at a time. Turning to the security community is a step in the right direction, but what if white-hat knowledge could scale? This is a question we are aiming to answer with our crowdsourced security platform Detectify Crowdsource.
Detectify Crowdsource is an invite-only ethical hacking platform that combines bug bounties with automation. Skilled white-hat hackers discover vulnerabilities in widely used technologies and submit their findings to Crowdsource. All submissions are reviewed by Detectify’s security team and those that are accepted are built into the Detectify scanner. This way, every submission is turned into a security test that runs on our customers’ websites.
Detectify Crowdsource (Click to enlarge)
Instead of only securing a single web application, one vulnerability report can secure thousands! Everytime the security test identifies a vulnerability, the white-hat hacker that submitted the finding gets a payout.
White-hat hackers who submit their findings to Detectify Crowdsource can also participate in traditional bug bounty programs as we don’t require exclusivity. As long as the discovered vulnerability can be automated, we’re interested in it!
Getting started
If you use Detectify to monitor your security, you are already benefiting from what Crowdsource has to offer. Every time you scan your web application with Detectify, your scan includes crowdsourced security tests. All findings that were discovered using a module from Crowdsource are tagged with the “Crowdsource” tag.
If you are not using Detectify yet, you can give it a try by signing up for our free trial that gives you access to all Detectify security tests, including those sourced from Crowdsource.
All findings sourced from Detectify Crowdsource are tagged with the “Crowdsource tag”