One of the issues I’ve seen in companies is the idea that we can do it all, on our own, when it comes to security. One underlining issue is nasty vulnerabilities on company websites. We can test all day every day for vulnerabilities, but it’s similar to when an author writes and attempts to edit his/her own book, they miss that significant typo without realizing it.
So how can we find outside editors with sharp eyes? Initially, for the AlienVault website, we had a simple web page to explain how to report vulnerabilities found on our website via email. This was great but it created a new set of issues of having to manually manage these reports via a spreadsheet. We tried to script automated responses and wrote a query to sift out duplicated reports, but it took a lot of time and effort. We needed to find a better way to manage our vulnerability reporting program, which we determined was HackerOne.
With HackerOne and their triage services we now have a sturdy database with ticketing capabilities. Here at AlienVault we’ve also taken advantage of their 3rd party ticketing system integration so once the triage team deems a ticket both a valid vulnerability and not a duplicate, we create a ticket directly in our ticketing system with all pertinent information. Bi-directional communications go through our ticketing system, ensuring nothing is lost or accidentally forgotten.
This requires only one project manager to interact with HackerOne and the contributing hackers to verify that issues are resolved. When issues are resolved, we (the contributing hacker and AlienVault Project Manager) can decide on the proper disclosure of the vulnerability to the public. The purpose of public disclosure via HackerOne is to show a few things:
- That we are transparent and part of the community in the idea to help secure our internet.
- To allow for recognition of external security researchers and hackers, as they deserve applause for their contributions.
- And finally, to share how to fix/remediate the vulnerability with fellow security professionals.
The whole program and process has increased our efforts to secure our domains. What used to be a 5 day response and an unknown remediation time is now merely a 1-2 day response with a reasonable remediation timeline.
This new process with HackerOne has enabled us not just to streamline our vulnerability reporting and increase our response time thank our researchers by rewarding them reputation points.
Click here for more details on the AlienVault HackerOne program. Here’s a sample of our Thank You page, where we recognize the contributions of volunteer hackers!