<Note: This is the third in a six-part series expanding on the “key findings” of the Hacker-Powered Security Report 2017. Based on data gathered from over 800 hacker-powered security programs, plus surveys of both those managing the programs and the participating hackers, the report provides striking new insights to help more organizations understand and implement hacker-powered security. Read part 1, & part 2.>
When hackers provide value, from simply disclosing a vulnerability to doing the deep research required to find a critical bug, they appreciate thoughtful engagement with the organization they’re helping. What that means is a canned email response isn’t good enough these days, especially if you want to find and build relationships with the best and brightest hackers.
Hacker-Powered Security Report Key Finding #3: Responsive programs attract top hackers.
The Hacker-Powered Security Report found that hackers are overwhelmingly attracted to the programs that are the fastest at acknowledging, validating, and resolving submitted vulnerabilities. Even better for organizations is that repeat hackers are to thank for the majority of valid reports. Bottom line: loyalty matters!
When a hacker reports a bug, a fast response and meaningful ongoing communications helps plant the seeds of loyalty. Just as you want to work for an organization that values your effort and provides feedback and guidance, hackers want the same thing. Acknowledging receipt of the report is just the start. Asking and answering questions and providing status updates all go a long way into building a relationship with hackers, which makes them want to work with you again and again.
Why is this important? In separate research, we found that top programs attract more, and more repeat, hackers. Repeat hackers also find more bugs, since they’re familiar with your products. The more time a hacker spends looking at your software, the more valuable their reports are likely to be. In other words, loyal hackers offer more value to you and your security.
But while hackers like communications, they also like getting paid. If responsiveness is the seed of loyalty, faster payment of bounties offers the, um, fertilizer for those seeds. Resolving a reported bug adds further nourishment to hacker relationships.
Organizations who embrace hacker-powered security are recognizing the value of not only responsiveness in communications, but in speed of payment and bug resolution. By industry, the Hacker-Powered Security Report found that ecommerce and retail organizations, on average, pay bounties 32 days from when the bug is reported. That’s pretty fast, but what’s most impressive is those organizations who also fix bugs in that same window.
You can see all of this data and more, by industry, in the Hacker-Powered Security Report.
Check back next week for our dive into the Hacker-Powered Security Report’s number four key finding: bounty payments are increasing!
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.