ConnectWise has launched a bug bounty programme to improve the quality of its software. The programme will be managed by HackerOne, who run programmes for many organisations. At present, there are no entries on the HackerOne website for ConnectWise other than that it is an external programme.
Tom Greco, Director of Information Security, ConnectWise said: “Cyber criminals move fast, so we have to move faster. Employing a bug bounty program with the help of HackerOne, the industry leader in this space, will allow us to do just that by finding issues before bad actors get a chance to exploit them.
“Crowdsourcing in this way represents a solid additional layer of security, and we clearly value the community’s expertise and participation in helping us keep our products secure. As we said earlier this year, the launch of this Bug Bounty program is yet another important addition to our security arsenal – and it’s the latest piece of our overall strategy to strengthen our own security standing so that we can better protect our partners and their SMB customers.”
What is ConnectWise offering?
A good question, and one that ConnectWise has not answered. The HackerOne entry says only that this is a private programme and gives no further details. It is also open only to invited hackers to search for vulnerabilities. As a result, there is no detail on what will be paid for finding a vulnerability or how vulnerabilities will be rated. The latter is important, as most companies create payment bands based on severity.
Importantly, ConnectWise has said that it will respond to every vulnerability reported through HackerOne. It means that everyone should get paid unless there is proof that the vulnerability had previously been reported.
ConnectWise is also going to continue to make its disclosures through the ConnectWise Trust Site. What is unclear is whether it will continue to accept vulnerability submissions through the Trust Site and whether it will merge those into the HackerOne-run programme.
It also remains to be seen if ConnectWise will make this an open programme or keep it as invite-only.
Enterprise Times: What does this mean?
Creating a bug bounty programme is something every software vendor should do. Unfortunately, while many have gone down this route, not all bug bounty programmes are equal. Payment rates differ across the various bug bounty platforms, and so does trust.
There are plenty of stories of vendors not responding to an alert and then silently patching vulnerabilities. This means that those security researchers looking to use this route to earn a living are often left unpaid while the vendor moves on.
The important part of this announcement, however, is that it does not mean that the Trust Site is going away. Less clear is the relationship between it and the HackerOne-run programme.
For ConnectWise customers, this is a good-news announcement that should deliver stronger and more robust software going forward.