Earlier this year, a crew of 80 hackers targeted systems at the US Department of Defense and, within hours, started to find critical flaws in the system. But this was no security breach.

The attacks were part of a test that targeted a copy of the file-transfer network inside the Pentagon, a cyber-range designed to allow attackers to find vulnerabilities without putting the actual systems at risk.

The latest effort in the "Hack the Pentagon" program, the exercise aimed to find vulnerabilities so that digital defenses could be shored up before malicious attackers found those same weaknesses.

While such exercises are generally referred to as penetration tests, this effort had a significant difference: the exercise harnessed the power of crowdsourcing, marshaling independent, though vetted, researchers to attack the systems.

Is this combination of crowdsourcing vulnerability-finding efforts and offering bug bounties the key to better security? Experts weigh in on the matter. Crowdsourced security firm Synack believes the combination is potent.

"We always leverage a bug bounty as part of the solution," said Jay Kaplan, co-founder and CEO of Synack. "The best possible results come from the combination of the creativity we get from humans, the incentives that are driven through bounties, and the scale and efficiency we achieve with our purpose-built technology."

In the past two years, bug bounties and crowdsourced security initiatives have taken off. Currently, only about 7% of all vulnerabilities are found through bug-bounty programs, because many major software vendors do not offer rewards to researchers who find vulnerabilities in their software or web services.