Published on October 23rd, 2019 📆 | 3794 Views ⚑
0NordVPN Breach: How Bug Bounty Programs Can Help And Resolve
Grant
McCracken,
Director, Solutions Architecture, 
Bugcrowd
October 22, 2019
Nobody operates in or as a self-contained system.
What you think is your perimeter, is not your perimeter -- itās a whole lot bigger than you think. Nobody operates in or as a self-contained system, everyone is leveraging a litany of other web assets whether thatās data servers, third party plugins/addons, WordPress hosts, or even just run-of-the-mill AWS or Azure resources.
Everyone lives in a complicated state of a billion dependencies, and each one of these further extends a given organizationās attack surface. And with this, oftentimes, companies are left unaware of their full exposure/footprint, and thus cannot protect it.
To help protect oneās ever-changing attack surfaces and landscape, I recommend implementing an open scope bounty program where researchers can report vulnerabilities- even if itās something as simple as exposed keys on a Pastebin blob. The important thing here is offering cash incentives to ensure that thereās a driver for individuals to report these vulnerabilities, rather than leaving them in the open for someone else to deal with. Ostensibly, a number of other people saw these keys on the message board where they were posted, but it appears that nobody had the motivation to report them immediately. Offering incentives to researchers (or even bystanders who witness these things) to report things like this is an effective and important piece in making sure that any organization is a little more secure in the wild.
Gloss