Modern field guide to security and privacy

Want better cybersecurity? Welcome more hackers into your systems.

Crowdsourcing can be a powerful tool for shoring up digital defenses, but it’s only as strong as the diversity of the crowd.

Leah Mills/The Christian Science Monitor
During Passcode's Bug Bounty Lightning talks on February 14, 2017 at Uber's San Francisco offices, Justin Calmus and Lauren Koszarek of HackerOne talked about the community of white hat hackers submitting vulnerabilities to bug bounty programs.

San Francisco — When even the Department of Defense has a “bug bounty” program to find and fix vulnerabilities before adversaries can exploit them, it’s not a stretch to say the concept of encouraging friendly hackers to try to crack an organization’s digital defenses is now a widely accepted security practice. 

But the idea works much better when security managers open the gates to a wider set of hackers across a fuller range of their systems — a shift that takes greater trust and relationship building, said Justin Calmus, vice president of hacker success at HackerOne, at a Passcode event Monday on the sidelines of the RSA Conference.

“There’s a common misconception that hackers do not play by the rules,” said Mr. Calmus.

Concern that security researchers may sell what they find on the black market, Calmus said, ignores the fact that “we have hackers making upwards of $500,000 a year. Why would you risk that to go down [the black market] path?”

HackerOne helps companies set up and manage their bug bounty programs. The most successful ones, said Calmus, draw in a diversity of hackers, encouraging them to look across a wide variety of systems, and give them up-front information to save them time.

Not all hackers are interested in the same sorts of problems, a point underscored by Luke Young, a senior security engineer at LinkedIn who reports bugs through HackerOne’s platform.

When he was a teenager, Mr. Young looked to turn digital vulnerabilities into quick recognition and a cool t-shirt from companies he admired.

In college, he wanted to make money more efficiently, so he shifted to bugs that were unique and had a higher payout.

After college, he hunted occasionally just to stay sharp and challenge himself, meaning he would go after only very nuanced bugs.

These different motivations lead security researchers to focus on different areas. Some hunt Web vulnerabilities, while others look into network security and infrastructure security.

“When you combine all these different types of skillsets and you have such a large scope, your company’s risk profile drops significantly,” said Calmus.

Bug bounty hunters also live all over the world, with India and Brazil being sources of top talent. Attracting an international mix of researchers can be helpful in finding security gaps in localized versions of software and in having eyes on your systems all day, every day.

Cultivating strong relationships with a broad range of researchers increases the chances of getting early warnings. When Calmus worked on security for HR software company Zenefits, he once got a message at 2:00 a.m. from a bounty hunter who wanted to make sure he knew immediately about a vulnerability.

“It makes me feel really good to know that I have that relationship built that somebody can text me at any point in time … and they just have your back,” he said.

These relationships also can lead to good hires. Young landed an internship at LinkedIn as a teenager after he brought bugs to their attention. Finding application security engineers is notoriously difficult, but bug bounty programs help managers identify talented programmers and begin to court them — and bring them onto the teams that help secure software in the first place.


https://www.csmonitor.com/World/Passcode/2017/0224/Want-better-cybersecurity-Welcome-more-hackers-into-your-systems