What HackerOne Customers Say About Remediating Vulnerabilities and Getting the Best Results From Hackers


HackerOne’s Security@ Global Tour series of events gives you direct access to some of our top hackers and customers. Delegates have the opportunity to ask any question about both sides of the relationship. 

In this series of blogs, we will learn from bug bounty and pentest customers across a variety of industries how they secured organizational buy-in for their programs, how they navigate vulnerability remediation conversations with asset owners, their best practices for engaging with hackers, and how they measure success.

Remediating Vulnerabilities 

Streamlining communication between hackers and security teams, HackerOne customers are able to quickly and thoroughly remediate vulnerabilities before they result in a breach.

“We engage with the engineering team by treating a vulnerability report as an incident, so we get the level of commitment that we’d see with a real incident. After seven years of bug bounty, we have a good process down with an additional layer of scrutiny from our internal pentesting teams on vulnerabilities so the engineering team trusts what we tell them to prioritize.”
— Omar Benbouazza, Cybersecurity Manager, IKEA Group

“Engaging with the engineers comes down to communication. Sometimes we have findings that need to be addressed quickly so we have urgent communication channels as well as plenty of direct communication outside of the usual workflow, which helps to build trust.” 
— Dominik Koehler, Senior Application Security Specialist, KONE

“It’s the responsibility of product teams to own their own security. There is a lot of curiosity and excitement around the vulnerability reports that come in. Because the product teams have an owner mentality, they are truly engaged with the findings.” 
— Dmitri Lerko, Head of Engineering, loveholidays 

Getting the Best Results From Ethical Hackers 

From preparation to communication, there are a number of ways HackerOne customers enhance their processes to get the best results from ethical hackers.

“It’s important to understand the hacker mindset. Understanding the language and how the community will interpret your policies will help run a successful bug bounty.” 
— Omar Benbouazza, Cybersecurity Manager, IKEA Group

“With bug bounty, you’re dealing with two audiences: the hacker bringing the report and the person fixing the issue. Communication style is, therefore, necessarily different. You need to be mindful that the hacker doesn’t have internal context about priorities and that not everyone is neurotypical, and you need to make sure you’re communicating clearly and professionally. Recognize that the hacker worked hard on the report, so they want to see it dealt with. Internally, understand that person’s list of priorities and explain where the report fits in the wider context of business priorities.”
— Matthew Copperwaite, Senior Cyber Security Engineer, Financial Times

To gain more insights like these firsthand, check out the next stops on the Security@ Global Tour. If you're interested in learning more about how to secure organizational buy-in for ethical hackers, contact the experts at HackerOne today.
