A Bug Bounty Program is a deal that is offered by many websites, organizations, and software developers where individuals can receive recognition and monetary payment for reporting bugs or vulnerabilities in a vendor’s product offerings. Products can be hardware, software, services, or website.
Bug Bounty programs encourage the responsible disclosure of critical bugs to the software vendor. Responsible disclosure means the vendor is given a reasonable timeframe within which to address and fix the vulnerability or bug before the security researcher can release their findings to the public. In most cases the vendor and security research work hand-in-hand to validate the fixes actually work, and then once a patch is released and the vendor’s clients are properly secured the security researcher may release the details of their work.
Google, Facebook, and Reddit are examples of organizations that use bug bounty programs to help secure their software.
CyberHoot’s Bug Bounty Program
What Does This Mean For My SMB?
If you’re an SMB that does software development of any kind, then it behooves you to create a bug bounty program. Modest bug bounty programs have been shown to encourage the responsible reporting and disclosure of critical bugs in software. However, if you are building a program, make sure you systematize your program. There are many challenges you must meet in your Bug Bounty program as outlined in this article: 5 Questions to Answer Before Creating Your Bug Bounty Program.
For most other SMBs and MSPs not involved in software development, you won’t need to trouble with such a program. Where SMBs and MSPs need to focus their attention is on developing their process for handling critical vulnerability alerts. It is vitally important that you have a process to quickly assess risk and make important, time-sensitive decisions, about how to react to critical vulnerabilities. With a Vulnerability Alert Management Process (VAMP) in place, you can have a clear guide to when to jump and how high to jump for a given vulnerability or exposure.
In order to stay up to date at all times, it’s important to deploy a cloud-based patch management solution to automatically update software whenever and wherever necessary. Most Managed Service Providers leverage one of the big three Remote Monitoring and Management (RMM) solutions (Connectwise, Datto, and Kaseya) for patching their managed systems. These RMM solutions also provide monitoring, and remote access in addition to tested and validated patching services to their clients.
SMB and MSP PROTECTIONS BEYOND PATCH MANAGEMENT
In addition to adopting a patch management system, CyberHoot recommends the following best practices to protect individuals and businesses against, and limit damages from, online cyber attacks:
- Adopt a password manager for better personal/work password hygiene
- Require two-factor authentication on any SaaS solution or critical accounts
- Require 14+ character Passwords in your Governance Policies
- Train employees to spot and avoid email-based phishing attacks
- Check that employees can spot and avoid phishing emails by testing them
- Backup data using the 3-2-1 method
- Incorporate the Principle of Least Privilege
- Perform a risk assessment every two to three years