You know some hackers. They’re smart, driven, creative people. Maybe you used to hack yourself before landing your current gig. The bottom line: You know that bug bounties and other hacker-powered security approaches are a smart investment for anyone looking to build up a security infrastructure. But your higher-ups still need some convincing.
Good news -- you're not alone! This blog gives you the ammo you need to get buy-in.
Reason 1: Consistent, effective protection.
Hacker-powered security puts a global ethical hacker community on watch, 24/7, for any vulnerabilities your developers, or third party devs whose code you use, may have missed.
And let’s be clear (because the head of engineering may push back) -- it’s not sloppiness. Your devs are amazing, and they are humans who are asked to add features at a breakneck and accelerating pace. Bugs happen. Let ethical hackers find them before the criminals.
Reason 2: Pay for results.
Traditional security solutions make you pay up front—usually A LOT—and you pay the same amount regardless of how many bugs they find, or how critical the bugs are.
Pen testing used to be a frustrating process. What they were finding wasn’t relevant. For example, they said the password was being exposed in the computer’s memory. What does it matter? If you broke in and got physical access to the computer, you could put in a keylogger. They weren’t finding practical exploits. - HackerOne customer, interviewed by Forrester
In the words of another customer who switched from a traditional penetration testing firm to HackerOne: “HackerOne is a much better cost model than red-team pen testing. It is far cheaper to run bug bounties than do traditional pen testing. And you get much better results.”
In fact, Forrester Consulting interviewed multiple such customers and found that a company switching to HackerOne for pentesting stands to save nearly $300,000 in net present value over three year. Grab this report here.
Reason 3: Start small, grow slow—or fast—and get as big as you need.
Everyone from enterprise businesses to startups can benefit from hacker-powered security. Increasingly, enterprise companies are insisting startups put proactive security in place before they do business with them (a la the security questionnaire).
Counting on a community of 450,000+ ethical hackers has many advantages. Scalability might be one of the biggest. Want to dip your toe in the water? Post a Responsible Disclosure Policy with HackerOne Response. If your budget is tight, or if you want to evaluate the number and type of reports you’ll get, this is a perfect way to start. With Response, you don’t pay hackers for their reports, so you tend to receive fewer.
As your entire team starts to appreciate the quality and value coming from hackers, and gets used to incorporating the reports into your workflow, it’s easy to switch to a private bounty program. Some 80% of all HackerOne Bounty programs are private. In this type of program, you determine how many hackers to invite and the skills they need to have. This puts you in command of the program cost and the report volume.
Reason 4: HackerOne is infinitely customizable.
It’s easy to calibrate a private bounty program to make sure the number of reports you receive is manageable, both in terms of your team’s time and your budget. Soon, you’ll have a good feel for how changing the program scope, the bounty amounts, and the number of invited hackers changes the report volume.
Soon enough, you may decide, as Priceline recently did, that the time is right to launch a public Bounty program.
HackerOne continuously adds new integrations and solutions to meet your needs. Out of the gate, we offer bi-direction integrations with popular dev tooling like GitHub, Jira, and more. And our well-documented API lets you do just about anything you can imagine.
For organizations that need precise control, HackerOne Clear ensures that only proven, verified, and background-checked finders participate in your program. HackerOne Clear VPN locks down all connections and provides complete visibility to all program activity.
Our services team can also help with program set-up and operations. Many customers choose to offload report triage to our team. Here, we handle all the communication with hackers to collect the necessary information to ensure each report is valid and actionable. This frees your staff to focus on prioritizing reports and remediation.
There you have it. The top four reasons your management needs to look at HackerOne. Did we miss something? Please let us know!