Canadian e-commerce giant Shopify is revolutionizing digital trading. The Ottawa-headquartered firm’s propriety e-commerce platform for online stores and retail point-of-sale systems has been hugely successful since the platform’s inception in 2005. As of December 31, 2018, Shopify reported having 800,000 businesses using its platform in approximately 175 countries, generating more than $100 billion worth of sales.
That’s a whole lot of exposure if Shopify’s proprietary platform is breached by bad hackers – and that’s why the e-commerce company has held multiple live hacking events to incentivize white hat hackers to identify any potential vulnerabilities on its platform. In its most recent short-term hackathon in October 2018, Shopify paid out $116,000 to successful white hat hackers and security researchers.
Companies can make use of white hat hackers through what’s known as a bug bounty program. In its simplest form, this is when companies invite the public to hack into their outward facing networks to see if they can identify any bugs or malware that could be exploited in some way or that could lead to a data breach. Successful bug bounty hunters – those who find a bug and report it in a timely and relevant fashion to the company – typically receive some form of compensation.
“When running a bug bounty program, companies need to make sure they set up a program to allow bug bounty hunters to communicate back to the organization,” said John Farley, managing director, cyber practice group leader, Gallagher. “It’s basically a playbook for the bug bounty hunter, explaining how they’re supposed to communicate their findings to the organization so that the right people can remediate any issues as quickly as possible.”
Bug bounty programs sometimes get confused with penetration testing, often referred to as pen testing. Whereas bug bounty programs are vast, continuous, and often open to the public, pen testing is more of a direct, pay-per-project, limited program set up with a vendor. Pen testing often has to be done to fulfil audit and compliance requirements, and the programs are usually limited in time and scope.
“It’s not an either / or situation when it comes to bug bounty programs and pen testing,” said Deborah Chang, vice president of business development and public policy at HackerOne, a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cybersecurity researchers. “At HackerOne, we view bug bounty programs as being supplemental to pen testing, as they’re used for different purposes. Good hackers or security researchers are always out there looking for bugs in the same manner as bad guys, so we feel it’s important to have, at a minimum, a vulnerability disclosure program (an unpaid bug bounty program) to encourage the good actors to report the bugs before the bad actors exploit them.”
Bug bounty programs will never solve all of a company’s cybersecurity issues. The idea behind the programs is to “get as many eyes on to a product as possible … it’s a numbers game,” according to Matthew Honea, director of cyber for Guidewire Cyence Risk Analytics, and recreational white hat hacker. The more eyes you have looking for the bounty, the more likely the good guys will find the bugs first.
“The bugs are out there. No matter how good your organization’s design team is, no matter how strong your programmers are, no matter how much discipline you have in your processes, your architecture and the design of your systems, you’re going to have vulnerabilities,” commented Ronald Raether, partner at Troutman Saunders, and leader of the firm’s Cybersecurity, Information Governance and Privacy practice group.
“One of the realities of a bug bounty program, from my perspective, is that it helps control messaging,” he added. “One of the critical elements in breach response is to be able to control messaging around the event in order to alleviate the depravation of goodwill. A bug bounty program will enable [companies] to incentivize hackers to inform them of any vulnerabilities rather than making them public knowledge by sharing them on blogs and so on.”