Remediating Vulnerabilities
By streamlining communication between hackers and security teams, HackerOne customers are able to remediate reported vulnerabilities quickly and thoroughly before an attacker can exploit them.
“We engage with the engineering team by treating a vulnerability report as an incident, so we get the level of commitment that we’d see with a real incident. After seven years of bug bounty, we have a good process down with an additional layer of scrutiny from our internal pentesting teams on vulnerabilities so the engineering team trusts what we tell them to prioritize.”
— Omar Benbouazza, Cybersecurity Manager, IKEA Group
“Engaging with the engineers comes down to communication. Sometimes we have findings that need to be addressed quickly so we have urgent communication channels as well as plenty of direct communication outside of the usual workflow, which helps to build trust.”
— Dominik Koehler, Senior Application Security Specialist, KONE
“It’s the responsibility of product teams to own their own security. There is a lot of curiosity and excitement around the vulnerability reports that come in. Because the product teams have an owner mentality, they are truly engaged with the findings.”
— Dmitri Lerko, Head of Engineering, loveholidays
Getting the Best Results From Ethical Hackers
From preparation to communication, there are a number of ways HackerOne customers enhance their processes to get the best results from ethical hackers.
“It’s important to understand the hacker mindset. Understanding the language and how the community will interpret your policies will help run a successful bug bounty.”
— Omar Benbouazza, Cybersecurity Manager, IKEA Group
“With bug bounty, you’re dealing with two audiences: the hacker bringing the report and the person fixing the issue. Communication style is, therefore, necessarily different. You need to be mindful that the hacker doesn’t have internal context about priorities and that not everyone is neurotypical, so you need to make sure you’re communicating clearly and professionally. Recognize that the hacker worked hard on the report, so they want to see it dealt with. Internally, understand that person’s list of priorities and explain where the report fits in the wider context of business priorities.”
— Matthew Copperwaite, Senior Cyber Security Engineer, Financial Times
To gain more insights like these firsthand, check out the next stops on the Security@ Global Tour. If you’re interested in learning more about how to secure organization buy-in for ethical hackers, contact the experts at HackerOne today.