Published on October 23rd, 2019

NordVPN Breach: How Bug Bounty Programs Can Help And Resolve


Grant McCracken, Director, Solutions Architecture, Bugcrowd

October 22, 2019

What you think is your perimeter is not your perimeter: it is a whole lot bigger than you think. Nobody operates in or as a self-contained system; everyone relies on a litany of other web assets, whether that's data servers, third-party plugins and add-ons, WordPress hosts, or just run-of-the-mill AWS or Azure resources.

Everyone lives in a complicated state of a billion dependencies, and each one of them extends the organization's attack surface further. As a result, companies are often unaware of their full exposure and footprint, and so cannot protect it.

To help protect an ever-changing attack surface and landscape, I recommend implementing an open-scope bounty program where researchers can report vulnerabilities, even something as simple as exposed keys in a Pastebin blob. The important thing here is offering cash incentives, so that there is a driver for individuals to report these findings rather than leaving them in the open for someone else to deal with. Presumably a number of other people saw these keys on the message board where they were posted, but it appears that nobody had the motivation to report them immediately. Offering incentives to researchers (or even bystanders who witness these things) to report them is an effective and important piece in making sure that any organization is a little more secure in the wild.
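As an added illustration of the kind of check the recommendation above implies (example code written for this page, not code from the article, Bugcrowd, or NordVPN): a small Python scanner that flags the secret shapes that typically turn up in a public paste, namely PEM private-key headers, AWS access key IDs, and credential-looking assignments, and filters the last category by Shannon entropy so placeholder values such as "changeme" are not reported. The paste it runs over is constructed for this example; the AWS key ID in it is the placeholder that AWS uses in its own documentation. The pattern set and the 3.5-bit entropy threshold are illustrative choices, not a standard.

```python
import hashlib
import math
import re

# Detection patterns for a few common secret shapes. Illustrative set for this
# example, not an exhaustive scanner.
PATTERNS = {
    # PEM private key header (RSA, EC, OpenSSH, or PKCS#8 "PRIVATE KEY").
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # AWS access key IDs: long-term keys start with AKIA, temporary ones with ASIA.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # "name = value" assignments whose name suggests a credential; group 1 is the value.
    "credential_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}

# Values below this many bits of entropy per character are treated as placeholders.
# Illustrative threshold, not a standard.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for the empty string)."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    length = len(value)
    return -sum((n / length) * math.log2(n / length) for n in counts.values())


def fingerprint(secret: str) -> str:
    """Short identifier safe to put in a report: a 4-char prefix plus a truncated SHA-256."""
    digest = hashlib.sha256(secret.encode()).hexdigest()[:12]
    return f"{secret[:4]}...sha256:{digest}"


def scan_blob(text: str) -> list:
    """Return one finding per suspected secret: line number, type, value, fingerprint."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # Patterns with a capture group report the captured value,
                # otherwise the whole match (e.g. the PEM header itself).
                value = match.group(1) if match.groups() else match.group(0)
                # Drop low-entropy assignment values such as "changeme_changeme".
                if kind == "credential_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                    continue
                findings.append({
                    "line": lineno,
                    "type": kind,
                    "value": value,
                    "fingerprint": fingerprint(value),
                })
    return findings


# Constructed sample paste. The AWS key ID is the placeholder used in AWS's own
# documentation; the PEM body and the hex string are made up for this example.
SAMPLE_PASTE = """\
# config dump (constructed sample, not real data)
server_name vpn.example.com;
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAexamplebodyexamplebody
-----END RSA PRIVATE KEY-----
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
password = changeme_changeme_changeme
api_key = "9f8e7d6c5b4a39281706f5e4d3c2b1a0ffee"
"""

if __name__ == "__main__":
    for finding in scan_blob(SAMPLE_PASTE):
        # Print the fingerprint, never the raw value, when writing up a report.
        print(f"line {finding['line']}: {finding['type']} {finding['fingerprint']}")
```

When writing a finding up for a program, report the fingerprint rather than the raw value, so the report does not become yet another copy of the secret. Treat a scanner like this as a triage aid: an entropy threshold will both miss structured secrets and flag random-looking but harmless strings, so a human still confirms each hit before it is submitted.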


