Software vendor ConnectWise has launched its first bug bounty program as part of its overall strategy to improve security this year.
The program, which officially launched a few weeks ago, aims to improve ConnectWise’s internal testing practices by detecting security vulnerabilities in its remote management software as quickly as possible. To do so, the vendor partnered with bug bounty platform HackerOne, which helps enterprises manage vulnerability reporting and bug bounty programs. A bug bounty is a monetary award given to an ethical hacker who reports valid security weaknesses to an organization.
Tom Greco, director of information security at ConnectWise, said his company followed HackerOne’s guidance on new bug bounty programs starting out as private programs.
“Private means that our program is in their system and they will invite a certain population of hackers and then increase that population over time. A private program is meant to help folks when they get into a program to gauge the volume and the ability to address the issues and be successful from the start,” he said.
While the program will prioritize ConnectWise’s remote monitoring and management and remote access tools first, Greco said there’s no product that’s out of scope for the program. The program also follows HackerOne guidance and industry standards regarding payouts, which include tiered bounties that increase over time. Right now, the highest-severity issue pays around $2,000.
“Higher the severity, higher the payout, and it’s based on CVSS scores,” Greco said. “Everything that’s coming through the program is going through our same remediation workflow — get scored, prioritized and remediated based on risk.”
Greco said there were several reasons ConnectWise chose HackerOne. “We felt very comfortable with the breadth and depth of their hacker community. They also demonstrated their ability to be a long-term strategic partner,” he said. “It’s not just to get the program up and running, we need to keep evolving and improving.”
A vast majority of ConnectWise customers are managed service providers (MSPs) that use the vendor’s remote management software to provide IT services for small-to-medium businesses. Several major ransomware attacks have hit MSPs in recent years, with threat actors using the MSP’s remote access to infect dozens of its clients. In some cases, threat actors have exploited security vulnerabilities in remote management software like ConnectWise’s.
Earlier this year ConnectWise announced a strategy to strengthen its overall security posture. In addition to the bug bounty program, the vendor introduced new security training and certification events to help MSP customers address rising threats. The company also added a security operations center with capabilities to perform endpoint detection and response, Greco said.
“My role here since I started over one year ago has been to look strategically and improve the security practice across the entire spectrum of the program. Certainly, given our industry, one area of focus has been application security,” he said. “Everything we have been doing since last March — from developer training through what we’re doing to improve security by design capabilities and our own internal testing practices and to complement that, that’s where the bug bounty program comes in.”
ConnectWise also launched a security bulletins capability, which allows it to communicate security issues to its partners.
“With that information on hand, they can understand what, if anything, they need to do about it, so any issues that are coming from any testing capability, including the bug bounty program, will follow that same remediation flow. Make sure our partners have that information as quickly as possible.”
While the COVID-19 pandemic has made people more reliant on technology and remote access into systems, ConnectWise was already well along in its strengthened security strategy around March, when the coronavirus outbreak hit the U.S. HackerOne research showed that 30% of businesses globally have seen an increase in attacks on their IT systems as a result of the pandemic. It also revealed a 56% increase in hacker sign-ups on the HackerOne platform since March compared to the same period last year.
“The strategy was already in place but that’s not to say we didn’t increase our vigilance in all areas: monitoring security and incident response. As far as strategic components, though, we didn’t change that much,” Greco said.
The bug bounty program was a natural next step in ConnectWise’s security evolution, Greco said.
“It connects us to our community and helps us to bring another promise to be more transparent around the security of our products,” he said.
During the first few weeks of the program, Greco said they are already seeing value.
“We haven’t limited ourselves in any way, shape or form, whether we’re going to stay private or eventually go public. Let it evolve, then we’ll make decisions we need to make as we go along.”