Jedox was recently named a Leader in the Gartner Magic Quadrant for Financial Planning Software. One criterion related to being named to the Leader quadrant is how mature an organization is when it comes to security, availability, and risk mitigation. Securing Jedox software and ensuring best-in-class cybersecurity safeguards for its customers is a priority for Jedox security, product, and engineering development teams.
After gaining insights and realizing success with HackerOne pentests, Jedox transitioned an internally developed Vulnerability Disclosure Program (VDP) to a private, HackerOne-managed bug bounty program in 2021. In summary, this program surfaces vulnerabilities verified by the HackerOne triage team, shared with the Jedox support ticketing system through an API, and tracks the current status of mitigation efforts until the issue is resolved and retested.
We asked Vladislav about the value ethical hackers add to Jedox’s cloud security strategy.
Q: People might be surprised to learn that you work with hackers, and proactively invite them to try and attack your assets. Why do you do this?
A: Working with hackers is strategic for Jedox. Here’s why:
Early Detection: hackers can uncover vulnerabilities that might otherwise go unnoticed. By proactively inviting them to test our assets, we gain insights into potential weaknesses.
Real-World Testing: hackers simulate real-world attacks, providing practical scenarios that help us fortify our defenses.
Collaboration: engaging with hackers fosters collaboration between security experts and our organization, leading to continuous improvement.
Q: I imagine when you started, there were fears about working with hackers. How did you go about building trust between hackers and your organization?
A: Initially, our team was reluctant to work with hackers. To build trust, we established communication and processes based on:
Transparency: we clearly communicate our intentions and goals.
Fairness: we treat hackers ethically, respecting their efforts and contributions.
Acknowledgment: publicly recognizing their findings builds trust for the benefits of ethical hacking.
Q: How does your bug bounty program fit within your wider security strategy, and what makes it a need-to-have instead of a nice-to-have as part of the security strategy for Jedox?
A: Our bug bounty program is essential because it offers us:
External insights: it complements internal security efforts by tapping into external expertise.
Timely fixes: rapid identification and resolution of vulnerabilities enhance our overall security posture.
Risk mitigation: it augments the size, skills, and speed of our team to reduce the risk of undetected issues affecting our customers.
Q: How do security researchers help you when developing new products or software?
A: Security researchers play a crucial role by
Threat modeling: they help us identify potential risks during product design.
Code review: their expertise ensures secure coding practices.
Testing: researchers rigorously test new features, APIs, and integrations.
Q: How are you incorporating AI into your product strategy, and how do you see hackers helping you secure your AI deployments/offerings?
A: AI is integral to our product strategy, meaning it is integrated into our offerings. When hackers test our product, they indirectly test our AI-based capabilities.
Q: How do you measure the success of your program, and internally, how do you report to your organization on the value of working with hackers?
A: When we fund the bug bounty program, we look at success metrics including:
Quality of reports: clear, actionable reports from hackers.
Reduced risk exposure: fewer critical vulnerabilities.
Vulnerability closure time: how quickly issues are resolved.
These KPIs are measured on a monthly basis and are incorporated into my “CTO Dashboard." I use this to monitor changes over time and adjust for changes in trends.
Q: What advice would you give to anyone considering a bug bounty program?
A:
Scope Clarity: Define clear boundaries for testing. What is in the program, and what is not?
Competitive financial rewards: Offer competitive rewards to attract skilled hackers. Know your limits and ensure you spread them wisely. When expanding the scope of your program, I suggest doing an internal assessment first before opening the program for bounties – you can run out of budget quickly.
Feedback loop: Regularly engage with hackers and provide timely feedback.
Remember, collaboration with hackers isn’t just about finding flaws within a particular software or system approach; it’s about building a stronger security ecosystem that increases trust for SaaS offerings and demonstrates qualitative and quantitative value for new collaborative strategies when compared to legacy, internal-only processes.
