<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="https://www.hackerone.com/">
  <channel>
    <title>Vulnerability Disclosure Program</title>
    <link>https://www.hackerone.com/</link>
    <description/>
    <language>en</language>
    
    <item>
  <title>General Motors Celebrates Long-Term Success With Hackers</title>
  <link>https://www.hackerone.com/blog/general-motors-celebrates-long-term-success-hackers</link>
  <description><![CDATA[<p>H1 Team | Thu, 03/15/2018 - 15:13 | March 15th, 2023</p>
            <p>Just over two years ago, General Motors became the first major automaker to launch a <a href="https://hackerone.com/gm">public Vulnerability Disclosure Program (VDP)</a>. Its purpose? To protect its customers by working with hackers to safely identify and resolve security vulnerabilities. Since the program launched in 2016, GM has resolved more than 700 vulnerabilities across its entire supply chain with help from hackers.</p><p>“We value the expertise of the security research community, and have been very pleased with the program’s performance to date,” said Jeff Massimilla, Vice President Global Cybersecurity at GM. “Researchers are engaged, and the quality of information we’re receiving is extremely valuable and is helping us improve security across all areas of GM.”</p><h2>GM's Program by the Numbers</h2><p>To date, GM has worked with more than 500 hackers from all over the world. Access to this caliber of researchers wouldn’t be possible without this program.</p><p>“The global community of friendly hackers brings diverse perspectives and techniques that can surface vulnerabilities faster than a security team going at it alone,” said Alex Rice, co-founder and CTO, HackerOne. “GM is the perfect example of an innovative company embracing the hacker community to surface bugs and supplement the great work their internal security team is already doing.”</p><h2>Hackers as an Extension of the Security Team</h2><p>GM responds to and fixes reported bugs with impressive speed and agility, including bugs found in any of its suppliers, which makes its program one of the broadest vulnerability disclosure programs in any industry in terms of scope. How can GM tackle such a tall order? It has a broad, experienced internal security team, including full-time internal red teams. Even with such a mature security team structure, GM taps the ethical hacker community to help find what they might have missed.</p><p>“We’ve always approached security with a diverse set of tools in our toolbox,” said Massimilla. “Leveraging HackerOne’s relationship with the research community, and seeing firsthand the results they provide, has been extremely encouraging. Hackers have become an essential part of our security ecosystem.”</p><p>As cyber risks evolve, so has GM’s internal organization. Massimilla launched the VDP as GM's Chief Product Cybersecurity Officer and has since taken on the role of Vice President of Global Cybersecurity. This newly formed organization merges all cybersecurity activity - both product and corporate cybersecurity - into one central organization. The shift reflects the progressive mindset within GM.</p><p>“We are taking a holistic approach to cybersecurity at General Motors,” explained Massimilla. “In today’s connected world, it’s critically important that product and corporate cybersecurity functions are aligned across all areas of the business.”</p><h2>Outlook</h2><p>GM is leading the automotive industry into the 21st century with a close eye on cybersecurity. According to HackerOne research, only seven of the top 50 automotive manufacturers have a way for external researchers to report vulnerabilities, and four of those seven are GM brands: Buick, Cadillac, Chevrolet and GMC. Furthermore, only two of the top 50 suppliers to the automotive industry have a channel for disclosure. This may look stark next to the digitally native technology industry, but it is progress nonetheless. GM’s VDP is setting a new standard of collaborative cybersecurity in the name of public safety. GM is not just a car company; it is a technology company.</p><p>“We’re taking cybersecurity very seriously at General Motors. It’s a top priority for our company, and our most senior executives, including the CEO, fully support our organization,” said Massimilla. “We are employing strategies and programs, like our VDP with HackerOne, with the sole purpose of protecting our customers, their vehicles and their data.”</p><p>Stay tuned for more from GM’s security team as they prepare to launch a unique hacking challenge soon to expand their program and deepen relationships with the security community.</p><p>Discover more about our <a href="https://www.hackerone.com/product/overview">security testing solutions</a> or <a href="https://www.hackerone.com/contact">Contact Us</a> today.</p>
      
            
            <p><a href="https://www.hackerone.com/blog/community" hreflang="en">Researcher Community</a>, <a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a></p>
            <p><a href="https://www.hackerone.com/blog/topic/vulnerability-disclosure-program" hreflang="en">Vulnerability Disclosure Program</a></p>
            <p>General Motors has been engaged with HackerOne for seven years. Here's what the team at General Motors had to say about their experience with HackerOne and the progress they'd made after two years of its Vulnerability Disclosure Program.</p>
      ]]></description>
  <pubDate>Thu, 15 Mar 2018 20:13:16 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">4756 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Ethical Hackers Help Beiersdorf Minimize Risk and Protect Their Attack Surface</title>
  <link>https://www.hackerone.com/blog/ethical-hackers-help-beiersdorf-minimize-risk-and-protect-their-attack-surface</link>
  <description><![CDATA[<p>elizabeth@hackerone.com | Thu, 06/02/2022 - 07:00 | June 2nd, 2022</p>
            <p>Beiersdorf’s cybersecurity team is always thinking about the best ways to secure its public-facing assets. As the company's digital footprint grows, the team adds new processes and systems to align with cybersecurity best practices and looks for new ways to arm internal teams with the insights and data that strengthen <a href="https://www.hackerone.com/product/attack-surface-management">attack surface management</a>.</p><p>After a year of running a private <a href="https://www.hackerone.com/product/response-vulnerability-disclosure-program" target="_blank">Vulnerability Disclosure Program</a> (VDP), Beiersdorf is announcing the launch of its <a href="https://hackerone.com/beiersdorf?type=team" target="_blank">public VDP</a>. HackerOne met with Kai Widua, Chief Information Security Officer (CISO) at Beiersdorf, to learn about the challenges they face in retail security.</p><p>Read on to hear Kai’s thoughts on how HackerOne helps Beiersdorf be proactive about cybersecurity and his advice on starting a VDP and taking it public.</p><p><strong>Tell us who you are.</strong></p><p>I’m Kai Widua, CISO at Beiersdorf. I’m responsible for information security at Beiersdorf globally. In this role, I deal with proactive and detective requirements to protect customer, affiliate, and employee data in cyberspace.</p><p><strong>Tell us a bit about Beiersdorf and the cybersecurity challenges you face.</strong></p><p>Beiersdorf started to leverage the potential of cloud computing services before many other organizations. We have a standardized, centralized, managed IT program with many partners and systems integrated into our digital life, which increases our digital footprint and creates a broad attack surface. The adaptation of implemented security policies and controls is a challenge, as we work to ensure information security is an enabler and not a “hinderer.”</p><p><strong>How does your security team operate?</strong></p><p>The digital experts in the DevOps teams are challenged to use an agile approach to increase development speed and shorten release cycles while also fulfilling security requirements and maintaining code hygiene. Beiersdorf’s cybersecurity department is responsible for the consultant and gatekeeper roles to help us close potential gaps in our attack surface by informing other departments about potential risks, new attack vectors, and techniques to minimize overall organizational risk.</p><p><strong>What made you decide to launch a public VDP?</strong></p><p>Our Web Development Team has a tough job, and they do it very well. As an additional layer of defense, we decided to use the global knowledge of ethical hackers via a VDP, so we could be informed even when it is actually too late (meaning a vulnerability is published) but still early enough to identify and remediate the vulnerability before a malicious actor might find it.</p><p><strong>How does a VDP help proactively prevent issues?</strong></p><p>By adding a VDP, we not only support our Web Development Team’s tremendous efforts, but we also take proactive steps to minimize our risk. The VDP allows global security experts to review our public assets and give us deeper knowledge of our attack surface, which we can use to better inform our team and create more robust defenses via internal processes.</p><p><strong>How does digital transformation drive your cybersecurity strategy?</strong></p><p>Digital transformation certainly speeds up deployments, but it also increases the number of systems and sources we use. Minimum viable products (MVPs) are a specific lever to speed up time-to-market but can threaten the needed protection level. A VDP is a perfect and obligatory complement to our digital transformation journey, giving us an additional layer of defense.</p><p><strong>What happens after a hacker finds a bug?</strong></p><p>We see a lot of commodity attacks against our systems. But sometimes, we see very creative ways hackers have tricked our system landscape. This is a valuable source of intelligence apart from OWASP or other frameworks. These unusual findings make the difference for our DevOps teams and can be adapted to all other systems we operate.</p><p><strong>What advice would you give to other CISOs planning to start a VDP?</strong></p><p>Start small. Get yourself and the teams familiar with how researchers approach the program and the triage process. This will support the ramp-up and ensure you’re going as fast as you can adequately manage. We had an excellent learning experience with our private program, which helped us be confident and prepared before going public.</p><p>--</p><p>Click <a href="https://www.hackerone.com/product/response-vulnerability-disclosure-program">here</a> for more information about Vulnerability Disclosure Programs.</p>
      
            
            <p><a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a></p>
            <p><a href="https://www.hackerone.com/blog/topic/best-practices" hreflang="en">Best Practices</a>, <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>, <a href="https://www.hackerone.com/blog/topic/vulnerability-disclosure-program" hreflang="en">Vulnerability Disclosure Program</a></p>
            <p><a href="https://www.beiersdorf.com/" target="_blank">Beiersdorf</a>, a worldwide leader in skincare, is one of many organizations rapidly expanding IT initiatives to help drive digital transformation and proactive security practices. In partnership with its IT affiliate organization Beiersdorf Shared Services (BSS), security initiatives are always top of mind for Beiersdorf. And for good reason, as its global presence includes consumer and manufacturing business segments in 200+ global markets, with more than 170 affiliate partners and over 20,000 employees.</p>
      ]]></description>
  <pubDate>Thu, 02 Jun 2022 12:00:00 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5149 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Announcing the Results of the 12-month DIB-VDP Pilot</title>
  <link>https://www.hackerone.com/blog/announcing-results-12-month-dib-vdp-pilot</link>
  <description><![CDATA[<p>H1 Team | Mon, 05/02/2022 - 09:32 | May 2nd, 2022</p>
            <p><a href="https://www.hackerone.com/sites/default/files/inline-images/HAC-DIB%20VDP-Infographic_Results_Vertical_L1R1%402x.jpg" target="_blank">DIB-VDP Pilot results infographic</a></p><p>Learn more about the DoD DIB-VDP Pilot <a href="https://www.hackerone.com/press-release/12-month-dib-vdp-pilot-concludes" target="_blank">here</a>.</p>
      
            
            <p><a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a></p>
            <p><a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>, <a href="https://www.hackerone.com/blog/topic/vulnerability-disclosure-program" hreflang="en">Vulnerability Disclosure Program</a></p>
            <p>When the Defense Industrial Base <a href="https://www.hackerone.com/product/response-vulnerability-disclosure-program">Vulnerability Disclosure Program</a> (DIB-VDP) 12-month Pilot <a href="https://www.hackerone.com/press-release/12-month-dib-vdp-pilot-concludes" target="_blank">concluded</a>, HackerOne sat down with the pilot's collaborating agencies and the ethical hackers who worked on the pilot. The discussion centered on the pilot's results, the most exciting vulnerabilities that surfaced, and why the federal government continues to engage hackers to secure the digital assets of the United States government.</p>
      ]]></description>
  <pubDate>Mon, 02 May 2022 14:32:42 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5139 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Securing Digital Transformation with Vulnerability Disclosure: A Q&amp;A with John Deere CISO, James Johnson</title>
  <link>https://www.hackerone.com/blog/securing-digital-transformation-vulnerability-disclosure-qa-john-deere-ciso-james-johnson</link>
  <description><![CDATA[<p>elizabeth@hackerone.com | Thu, 02/03/2022 - 15:31 | February 9th, 2022</p>
            <p>John Deere’s CISO, James Johnson, and his team are committed to ensuring that the people who depend on John Deere for their livelihood rest easy knowing their information and products are secure. To help fortify security defenses for their customers, dealers, suppliers, and employees, John Deere recently launched a public Vulnerability Disclosure Program (VDP) with HackerOne.</p><p>Read on to learn why James and the John Deere security team leverage ethical hackers to help identify security gaps and increase their product and data security.</p><p><strong>Q: Tell us who you are and your role at John Deere.</strong></p><p><strong>James</strong>: I’m James Johnson, John Deere's Chief Information Security Officer. I joined John Deere about seven years ago <a href="https://www.deere.com/en/our-company/news-and-announcements/newsroom/building-culture-of-security/" target="_blank">to lead the security organization and build a security-focused culture</a>.</p><p><strong>Q: Tell us a bit about John Deere and why cybersecurity is so important.</strong></p><p><strong>James</strong>: <em>Integrity, Quality, Commitment,</em> and <em>Innovation</em> are the core values that define John Deere, and cybersecurity is critical to these core values.</p><p>There are a lot of people depending on John Deere – from our customers, dealers, and suppliers, to our employees around the world. Cybersecurity is so important because we need to protect our data and systems and avoid business disruption to live up to John Deere’s role to meet the world’s food and infrastructure needs. We need to live up to the promises we have made to our customers, dealers, suppliers, and employees, and that’s something that motivates our security team members every day.</p><p><strong>Q: Tell us about the security challenges you faced that led you to HackerOne.</strong></p><p><strong>James</strong>: At John Deere, like many other companies, we are integrating more technologies, increasing connectivity, and producing more data than ever. This digital evolution has brought on more challenges within cybersecurity, and our teams have risen to the occasion. As we evolved our vulnerability management process, we realized a missing component was an easy way for an external security researcher to report an issue. HackerOne has helped fill that gap, helping us further mature our approach to vulnerability management.</p><p><strong>Q: What made you decide to launch a public VDP?</strong></p><p><strong>James</strong>: We followed the advice from HackerOne, starting with a private program and then transitioning to a public program after working out our internal processes. Before taking the program public, it was important that we knew we would be able to respond to the researchers participating in our program in a timely manner and create a good experience for them. Once we were confident in our processes, it was a collaborative discussion between our John Deere team and the HackerOne representatives that made us decide to go public.</p><p><strong>Q: How have ethical hackers helped you reduce risk?</strong></p><p><strong>James</strong>: The speed at which new vulnerabilities can arise is challenging for any company to keep up with. The researchers we have worked with are subject matter experts on these vulnerabilities and have found ways to quickly test and report them. Their skill and talent help us reduce risk because speed matters. We want vulnerabilities to be found and fixed before they can be exploited, and we’ve been able to accomplish this with help from researchers.</p><p><strong>Q: How do you leverage insights throughout the software development life cycle?</strong></p><p><strong>James</strong>: Over the past several years, we have developed a <a href="https://www.deere.com/en/stories/featured/security-by-design-helps-developers-secure-john-deeres-products/" target="_blank">Security by Design program</a>, which has instilled a security mindset within the development community at John Deere. Security by Design combines people, processes, and technologies to create a culture of security throughout the software development life cycle. Security professionals sit on teams with developers to secure code, educate, and share best practices. We are able to learn from our VDP and bring those examples as learning opportunities directly to development teams through the Security by Design program.</p><p><strong>Q: What advice would you give to other CISOs planning to start a VDP?</strong></p><p><strong>James</strong>: Having a VDP is a core component of a robust vulnerability management program. Cultivating a positive relationship with the researcher community is incredibly valuable to your overall security program.</p><p><strong>Q: What about advice for program leads planning to start a VDP?</strong></p><p><strong>James</strong>: Start by benchmarking with other companies and hearing their lessons learned. Make sure your internal teams are ready to handle the submissions from your VDP, will provide a timely response to researchers, and will give them a positive experience with your program.</p><p><strong>Q: What will long-term success look like?</strong></p><p><strong>James</strong>: We are excited to continue to learn from our VDP, and we want to keep maturing the program. We want our program to attract the best researchers and give them a great experience working with our teams. To this end, we are exploring offering bounties in the future.</p><p>--</p><p>Click <a href="https://www.hackerone.com/product/response-vulnerability-disclosure-program">here</a> for more information about Vulnerability Disclosure Programs.</p>
      
            
            <p><a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a></p>
            <p><a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>, <a href="https://www.hackerone.com/blog/topic/vulnerability-disclosure-program" hreflang="en">Vulnerability Disclosure Program</a></p>
            <p>To help fortify security defenses for their customers, dealers, suppliers, and employees, John Deere recently launched a public Vulnerability&nbsp;Disclosure Program (VDP) with HackerOne.</p>

<p>HackerOne met with James Johnson, Chief Information Security Officer (CISO) at John Deere, to learn why his security team works with ethical hackers to help identify security gaps and increase their product and data security.</p>
      ]]></description>
  <pubDate>Thu, 03 Feb 2022 21:31:21 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5131 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Nine Months into the DIB-VDP Pilot, Nearly 1,000 Valid Vulnerabilities Have Been Identified</title>
  <link>https://www.hackerone.com/blog/nine-months-dib-vdp-pilot-nearly-1000-valid-vulnerabilities-have-been-identified</link>
  <description><![CDATA[<p>elizabeth@hackerone.com | Fri, 01/28/2022 - 08:45 | January 28th, 2022</p>
            <p>Maintaining the security of the digital assets within Defense Industrial Base (DIB) contractor networks helps defend the United States of America. For the last nine months, Department of Defense (DOD) agencies Defense Cyber Crime Center (DC3) and Defense Counterintelligence and Security Agency (DCSA) have worked together with ethical hackers from around the world to improve the security of critical assets within DIB vendors and contractors.</p><p>With 39 DIB companies signed up in the first nine months (and more signing up in the final three-month stretch of the pilot), ethical hackers have a chance to test their skills against the attack surface of a wide range of DIB companies. “Hackers consistently bring new levels of creativity to potential threats to our DIB companies’ attack surface. Every vulnerability uncovered is another step towards safeguarding our government and teaches us critical new ways to improve our cybersecurity,” says Melissa Vice, VDP Interim Director, DC3.</p><p>For the DIB companies, the pilot offers a chance to harden their attack surface and be proactive in their security strategy.</p><p>With only three months left in the pilot, DC3 shared why new DIB companies are joining the pilot and why hackers are a critical partner for the DOD.</p><p><strong>Defense Industrial Base companies:</strong> There are three months left to sign up for this added layer of defense. Don’t miss out on working with the best ethical hackers the world has to offer.</p><p><strong>Hackers</strong>: Bring your expertise to the US Government and the DIB-VDP Pilot to help ensure we’re guarding the most valued network information to the best of our ability. <a href="https://hackerone.com/dib-vdp-pilot?type=team" target="_blank">Join the DIB-VDP Pilot</a>.</p><p>—</p><p>Read more on the history of the DIB-VDP Pilot <a href="https://www.hackerone.com/customer-stories/dods-dib-vdp-pilot-hits-six-month-milestone" target="_blank">here</a>.</p><p>Click <a href="https://www.hackerone.com/product/response-vulnerability-disclosure-program" target="_blank">here</a> for more information about our <a href="https://www.hackerone.com/product/response-vulnerability-disclosure-program">Vulnerability Disclosure Program</a>.</p>
      
            
            <p><a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a></p>
            <p><a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>, <a href="https://www.hackerone.com/blog/topic/vulnerability-disclosure-program" hreflang="en">Vulnerability Disclosure Program</a></p>
            <p>With three months left in the 12-month pilot with the <a href="https://hackerone.com/dib-vdp-pilot?type=team" target="_blank">Department of Defense’s Defense Industrial Base Vulnerability Disclosure Pilot</a> (DOD DIB-VDP Pilot), HackerOne sat down with DC3 to discuss why new DIB companies are joining the pilot and why hackers are a critical partner for the DOD.</p>
      ]]></description>
  <pubDate>Fri, 28 Jan 2022 14:45:00 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5129 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>DOD's DIB-VDP Pilot Hits Six Month Milestone</title>
  <link>https://www.hackerone.com/blog/dods-dib-vdp-pilot-hits-six-month-milestone</link>
  <description><![CDATA[<p>elizabeth@hackerone.com | Fri, 10/29/2021 - 11:00 | October 29th, 2021</p>
            <p><a href="https://www.hackerone.com/sites/default/files/inline-images/DIB%20VDP.jpg">DIB-VDP Pilot six-month image (DIB VDP.jpg)</a></p><p>Read more on the history of the DOD DIB-VDP pilot <a href="https://www.hackerone.com/vulnerability-management/60-days-insights-dods-defense-industrial-base-vulnerability-disclosure">here</a>.</p>
      
            
            <p><a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a></p>
            <p><a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>, <a href="https://www.hackerone.com/blog/topic/vulnerability-disclosure-program" hreflang="en">Vulnerability Disclosure Program</a></p>
            <p>Six months into the 12-month pilot with the<a href="https://hackerone.com/dib-vdp-pilot?type=team"> Department of Defense’s Defense Industrial Base Vulnerability Disclosure Pilot</a> (DOD DIB-VDP Pilot), HackerOne sat down with key stakeholders from the DIB-VDP Pilot to discuss the program’s success to date, the Federal Government’s strategy for working with hackers, and to hear about some of the most impactful vulnerabilities discovered to date.</p>
      ]]></description>
  <pubDate>Fri, 29 Oct 2021 16:00:00 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5114 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>The DOD Improves Their Security Posture Through the DIB-VDP</title>
  <link>https://www.hackerone.com/blog/dod-improves-their-security-posture-through-dib-vdp</link>
  <description><![CDATA[<p>elizabeth@hackerone.com | Thu, 08/19/2021 - 17:29 | August 20th, 2021</p>
            <p><strong>Who is DC3’s DCISE?</strong></p><p><strong>Krystal Covey: </strong>The Defense Collaborative Information Sharing Environment (DCISE) is the operational hub for the DOD’s DIB Cybersecurity (CS) Program offering no-cost cybersecurity services to Cleared Defense Contractors (CDCs). In addition, DCISE is currently piloting services to select non-CDCs.*&nbsp;</p><p><strong>What is the DIB Cybersecurity (CS) mission?&nbsp;</strong></p><p><strong>Krystal Covey: </strong>The mission of the DIB CS Program is to enhance and supplement the capabilities of Participants to safeguard DOD unclassified information that resides on or transits DIB unclassified information systems.</p><p><strong>How does DCISE support the DIB CS mission?</strong></p><p><strong>Krystal Covey: </strong>DCISE protects DOD information on DIB unclassified networks by fostering a collaborative information-sharing environment and delivering DIB-focused cybersecurity services and&nbsp;resources. DCISE is the conduit for reporting DIB cyber incidents to the DOD while simultaneously providing awareness across the US government of cybersecurity threats and trends that impact the DIB. DCISE develops and shares actionable threat products and performs cyber analysis, diagnostics, and consultation for the DIB.**&nbsp;</p><p><strong>How many DIB companies are part of the DIB CS Program?</strong></p><p><strong>Krystal Covey: </strong>We have 800+ Partners with signed Framework Agreements within the DIB CS Voluntary Program.&nbsp;</p><p><strong>What services does DCISE offer DIB Partners?</strong></p><p><strong>Krystal Covey: </strong>We&nbsp;offer&nbsp;various cyber threat products based on several sources, including Partner incident submissions, OSINT, DOD, and other USG reporting that provide a complete understanding of known or potential threats to unclassified DOD information on or transiting DIB systems and networks. 
Some statistics on DCISE analysis of nation-state Advanced Persistent Threat (APT) DIB cyber events since February 2008:</p><ul><li>Performed 76,628 hours of no-cost forensics and malware analysis</li><li>Published 12,362 cyber reports</li><li>Shared 507,483 actionable, non-attributional indicators</li></ul><p>DCISE service offerings include internal/external customer services, outreach, operational metrics, process improvement, quality assurance, quality control, and organizational training. DCISE builds and manages relationships with many DIB companies and USG stakeholders and drives special projects that improve customer experience. Outreach activities include web conferences, Technical Exchanges, Regional Partner Exchanges, virtual events, and facilitating Analyst-to-Analyst and Business-to-Business Exchanges.</p><p>Additionally, DCISE research supports DIB Partners in protecting DOD information through numerous services. These services are piloted to the DIB Partnership and range from services to technologies, and are intended to encompass all concepts, technologies, and processes related to cybersecurity.</p><p><strong>What are some of DCISE’s expanded pilots and services?</strong></p><p><em><strong>Cyber Resilience Analysis (CRA)</strong></em>: CRAs are holistic assessments of a company’s technical controls and processes, from how they keep their security controls updated to how they document the process. The assessment consists of more than 300 questions across ten&nbsp;security domains to assess a company’s cyber resilience.</p><p><em><strong>Adversary Emulation:</strong> </em>A form of penetration testing that not only uses a standard playbook but also leverages adversarial tactics, techniques, and procedures (TTPs) to test security controls. 
These adversarial TTPs are determined by identifying the most likely adversary to target a company based on the technology the company develops.</p><p><em><strong>Krystal Ball:</strong> </em>A tool that uses publicly available information to passively identify vulnerabilities that a DIB Partner has and the threats that may leverage those vulnerabilities. Since it is openly available, this is the same information that any adversary would be able to discover about the same company.</p><p><strong>Why is DCISE participating in the DIB-VDP Pilot?</strong></p><p><strong>Krystal Covey: </strong>There are thousands of CDCs that support the DOD, with varying sizes and resources. The DIB CS program has seen a steady increase of smaller companies that require added services to protect their assets. DCISE has resolved to grow with the Partnership and offer various solutions for its diverse DIB Partner makeup. The DIB-VDP Pilot is a great opportunity to demonstrate how DIB assets can be actively protected under a VDP.</p><p><strong>What are the benefits to the DCSA participants in the DIB-VDP Pilot?</strong></p><p><strong>Ashley Smith: </strong>DCSA benefits because companies participating in the pilot can learn about weaknesses in their networks and receive no-cost recommendations for correcting vulnerabilities.</p><p><strong>What if the system weakness or vulnerability is outside the scope and asset list provided?</strong></p><p><strong>Ashley Smith: </strong>If something outside the scope of the pilot is discovered, a DIB-VDP Pilot analyst will contact the participant to determine how they’d like to proceed. Participants have an option to expand their scope and asset list.</p><p><strong>Who can participate in the DIB-VDP Pilot program?&nbsp;</strong></p><p><strong>Ashley Smith: </strong>The DIB-VDP Pilot program is open to any organization, both cleared and uncleared. 
The Pilot Participation Request Form is <a href="https://www.dc3.mil/Organizations/Vulnerability-Disclosure/DIB-VDP-Pilot/">here</a>.&nbsp;</p><p><strong>Anything else you’d like to share?&nbsp;</strong></p><p><strong>Ashley Smith: </strong>One of the primary missions of&nbsp;DCSA is to provide critical technology protection to the DIB. Given the recent increase in cyber incidents affecting the DIB, DCSA views this pilot as a promising way to identify and stop attempts at stealing our Nation’s secrets.</p><p><em>*DCISE is also the reporting and analysis hub for the implementation of Title 10 USC Sections 391 and 393 regarding the reporting of certain types of cyber incidents by CDCs and the related Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012).</em></p><p><em>**as outlined in Title 32 Code of Federal Regulations (CFR) Part 236, and serves as the single focal point for receiving all mandatory cyber incident reports affecting unclassified networks while protecting Controlled Unclassified Information (CUI) in accordance with the DFARS clause 252.204-7012.&nbsp;</em></p><p>Read <a href="https://www.hackerone.com/vulnerability-management/60-days-insights-dods-defense-industrial-base-vulnerability-disclosure">this blog</a> to see what happened in the first 60 days of&nbsp;the DIB-VDP Pilot.</p><p>--</p><p>To learn more about the benefits of a vulnerability disclosure program, check out&nbsp;<a href="https://www.hackerone.com/product/response-vulnerability-disclosure-program">HackerOne&nbsp;Response</a>.</p>
      
            
                                                                                <a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a>
                    
    

            
            <a href="https://www.hackerone.com/blog/topic/application-security" hreflang="en">Application Security</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-disclosure-program" hreflang="en">Vulnerability Disclosure Program</a>
        
    

            <p>Four months into the&nbsp;12-month pilot, nearly 200 hackers within the Department of Defense’s Defense Industrial Base <a href="https://www.hackerone.com/product/response-vulnerability-disclosure-program">Vulnerability Disclosure Program</a> (<a href="https://hackerone.com/dib-vdp-pilot?type=team">DOD DIB-VDP</a>) have identified 649&nbsp;valid vulnerabilities. HackerOne recently sat down with <strong>Krystal Covey, DCISE Director,</strong> and <strong>Ashley Smith, DCSA Counterintelligence Directorate</strong>, to learn about their goals for engaging with hackers to improve national security. Read on to learn how the Defense Cyber Crime Center (DC3) and Defense Counterintelligence and Security Agency (DCSA) teams are improving the security of critical assets within DIB vendors and contractors and the mission that’s driving this program.&nbsp;</p>
      ]]></description>
  <pubDate>Thu, 19 Aug 2021 22:29:47 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5087 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>5 Learnings From A Conversation With OP Financial Group's CISO And @mrtuxracer</title>
  <link>https://www.hackerone.com/blog/5-learnings-conversation-op-financial-groups-ciso-and-mrtuxracer</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">5 Learnings From A Conversation With OP Financial Group's CISO And @mrtuxracer</span>
    



    
        H1 Team
        
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 01/27/2021 - 04:53
</span>

            
  
      
  
            January 27th, 2021

      
            <p>On 20 January, HackerOne’s CEO, Marten Mickos, sat down for a chat with European hacker Julien Ahrens, a.k.a. @mrtuxracer, and Teemu Ylhäisi, CISO at OP Financial Group.&nbsp;</p><h3>Teemu Ylhäisi, CISO at OP Financial Group</h3><p><em>OP Financial Group is one of the largest financial institutions in Finland. The group offers retail and commercial banking services as well as insurance services.</em></p><h3>Julien Ahrens a.k.a. @mrtuxracer, hacker</h3><p><em>Julien is a full-time hacker based in Northern Germany. He focuses his hacking efforts mainly on mid-sized companies, since he has strong beliefs about the importance of securing the sensitive data that such companies hold. He regularly blogs about his projects and is an advocate for increasing hacker-powered solutions in Germany.</em></p><p>The discussion ranged from the recent SolarWinds attacks to the best way to prevent phishing. Here are our top takeaways from the webinar:</p><h2><strong>Transparency is the future of security</strong></h2><p>The old traditions of securing the corporate perimeter are no longer sufficient now that the corporate network has expanded to millions of domestic networks. We need new solutions, based on collaboration and transparency; after all, it is through sharing information that we can best prepare for and protect against everything from software vulnerabilities to nation-state actors.</p><p><strong>Teemu:</strong> “Transparency and trust are a key part of my philosophy. If your security team isn’t open with your organization then the company is not going to understand their worth. Our corporate culture values collaboration and in the Nordics there is a tradition of sharing information pertaining to security within the financial services industry. We all want to help make each other and our industry safer. 
I am very open with the business about what the security team is doing, and call out the business divisions that are supporting our overall security goal and initiatives. It spotlights our partners and introduces a little friendly competition between divisions.”</p><p><strong>Julien:</strong> “When dealing with hackers, being transparent about your vulnerability management process goes a long way to build trust. I know many businesses are concerned about how much information they can share, but hackers need to have enough details to be able to understand the process and the fix.”&nbsp;</p><h2><strong>Security teams are rebranding as enablers&nbsp;</strong></h2><p>Security teams are increasingly recognising that encouragement and education are more effective at reducing risk and fostering collaboration than blocking projects or tools.</p><p><strong>Teemu:</strong> “I don’t want to be ‘Mr. No’. When I joined OP, I set the expectation that I would not be a blocker to innovation or people just doing their work. Working with developers and engineers to uncover security risk earlier in the SDLC is more powerful than banning a tool altogether. It might be more challenging, but the payoff is much higher for the organization. Everyone at OP is responsible for security, from the security team to the staff who diligently report phishing attacks.”&nbsp;</p><h2><strong>Speed is your best defense</strong></h2><p>It was universally agreed that humans are still the best mechanism for detecting security threats.</p><p><strong>Teemu:</strong> “I disagree with the idea that cyber criminals have to be successful just once, and defense teams have to be successful 100% of the time. Detection capability and speedy reaction to incidents is key. When a company is targeted by criminals, those criminals have to be successful in hiding every action; if defense notices a single aberration then they get the lead and can start to unravel the operation. 
The mean time for detecting a breach is about 6 months to a year; this is too long. You need to detect it within hours and, if you have the ability to work with that time scale, then you’re in a good position.”</p><p><strong>Julien:</strong> “I’ve had experiences where I’ve been hacking on a program and their incident response teams have been tracking my actions in real time. There are always flaws in technical solutions that hackers can get around, but if your defense teams are fast then they can make a hacker’s and, more importantly, an attacker’s life very difficult!”&nbsp;</p><h2><strong>Disclosure culture is coming&nbsp;</strong></h2><p>The US government has already taken steps to mandate Vulnerability Disclosure Programs for federal agencies, and our panellists think it’s only a matter of time before the trend spreads, despite resistance in conservative organizations.&nbsp;</p><p><strong>Julien: </strong>“The most ‘professional hackers’ are more likely to be attracted to bounty programs, but VDPs are a brilliant way to get reports on the things your security team doesn’t know about. However, there is still more education to be done in Europe. I know of an instance where a researcher had a legal case mounted because the company didn’t understand vulnerability disclosure and saw it as a threat. We’re the good guys, so don’t scare us off!”</p><p><strong>Marten: </strong>“There is fear. But, with the <a href="https://www.hackerone.com/vulnerability-management/how-federal-agencies-use-vulnerability-disclosure-policies-level-security">U.S. mandating VDP for federal agencies</a> and European countries starting to suggest it as best practice, there will be a time in the near future when there will be overwhelming evidence of the benefits of responsible disclosure. And that’s when we’ll see the real shift in adoption.”&nbsp;</p><h2><strong>Compliance needs hackers&nbsp;</strong></h2><p>Compliance and security don’t need to be mutually exclusive. 
If the security reviews required for compliance are not actually spotlighting issues and improving security, then you aren't maximizing your impact.</p><p><strong>Teemu:</strong> “I know it’s something that really works for other organizations, so I’m planning to get to a point where we can demonstrate compliance for ongoing auditory compliance requirements by running an extensive bug bounty program. We already do pentesting and red team exercises, but it is hard to cover everything and stay up to date. If we had a good group of trusted hackers on each system, each would get the attention it deserves and we would also be able to find out which applications have the most soft spots and so where to focus our efforts.”</p><p>Listen back to the full conversation <a href="https://www.hackerone.com/resources/on-demand-videos/hacker-powered-security-predictions-for-2021">here</a>.</p>
      
            
                                                                                <a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a>
                    
    

            
            <a href="https://www.hackerone.com/blog/topic/application-security" hreflang="en">Application Security</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-disclosure-program" hreflang="en">Vulnerability Disclosure Program</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/bug-bounty" hreflang="en">Bug Bounty</a>
        
    
]]></description>
  <pubDate>Wed, 27 Jan 2021 10:53:28 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5044 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>VDPs are at the Heart of the Australian Cyber Security Centre’s Recommendations</title>
  <link>https://www.hackerone.com/blog/vdps-are-heart-australian-cyber-security-centres-recommendations</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">VDPs are at the Heart of the Australian Cyber Security Centre’s Recommendations</span>
    



    
        H1 Team
        
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Tue, 12/08/2020 - 10:10
</span>

            
  
      
  
            December 8th, 2020

      
            <p>2020 has been an important year for VDP standardization worldwide. Earlier in the year, the U.S. saw the release of the Cybersecurity and Infrastructure Security Agency (CISA)’s Binding Operational Directive 20-01, NIST SP 800-53 Revision 5, and the Internet of Things Cybersecurity Bill, all of which positioned vulnerability disclosure policies (VDPs) as a crucial part of any cybersecurity strategy.</p><p>Now, the Australian Cyber Security Centre (ACSC) has released new guidelines recommending VDPs “to assist with the secure development and maintenance of products and services.” These guidelines were published in the <a href="https://www.cyber.gov.au/acsc/view-all-content/guidance/application-development"><em>Australian Government Information Security Manual</em></a>.</p><p>How does it impact your org? What does it mean for the future of cybersecurity? Here’s what you need to know.</p><p><strong>The Guidelines</strong></p><p>The ACSC manual covers everything from cybersecurity principles and roles to cable patching and media disposal. The section related to VDPs provides a background on the security benefits of working with external researchers. 
It also offers a guide to building your own VDP process to effectively “receive, verify, resolve and report on security vulnerabilities.”&nbsp;</p><p>ACSC, like <a href="https://www.hackerone.com/vulnerability-management/vulnerability-disclosure-policy-basics-5-critical-components">HackerOne</a>, recommends including the following information in every VDP:&nbsp;&nbsp;</p><ul><li>the purpose of the vulnerability disclosure program</li><li>the types of security research that are allowed</li><li>the types of security research that are not allowed</li><li>how to report potential security vulnerabilities</li><li>the actions that will be taken on receiving notification of potential security vulnerabilities and indicative timeframes for these actions</li><li>any expectations regarding the public disclosure of verified security vulnerabilities</li><li>any recognition finders of verified security vulnerabilities will receive</li></ul><p><strong>The Path Forward</strong></p><p>The ACSC has joined a legion of governments, agencies, and independent organizations recommending or mandating that businesses implement a VDP. However, many businesses have yet to heed these recommendations. According to our research, hackers often find bugs on organizations’ websites -- but 25% of the time, they have no channel for alerting the organization that the bug exists. Even more worrisome, <a href="https://www.hackerone.com/resources/reporting/the-4th-hacker-powered-security-report">82% of the Forbes Global 2000</a> do not have a known policy for vulnerability disclosure.&nbsp;</p><p>Organizations that do not have a VDP are missing out on crucial information about their own assets and systems. The bottom line is that all assets contain vulnerabilities, but only some businesses are taking the steps necessary to fix them.</p><p>It’s only a matter of time before every government mandates vulnerability disclosure policies. Fortunately, there is a clear path forward. 
HackerOne has partnered with organizations in every vertical to create a VDP that’s customized to their business. Rather than simply checking a compliance box, we help you integrate a potentially cumbersome, resource-draining process into your security strategy -- and turn compliance into a strategic differentiator.</p><p><a href="https://www.hackerone.com/product/response-vulnerability-disclosure-program">To get started, read more about HackerOne Response or chat with us today</a>.</p>
      

            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-management" hreflang="en">Vulnerability Management</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-disclosure-program" hreflang="en">Vulnerability Disclosure Program</a>
        
    
]]></description>
  <pubDate>Tue, 08 Dec 2020 16:10:31 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5031 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Adobe and HackerOne Celebrate Five Years of Continued Collaboration</title>
  <link>https://www.hackerone.com/blog/adobe-and-hackerone-celebrate-five-years-continued-collaboration</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Adobe and HackerOne Celebrate Five Years of Continued Collaboration</span>
    



    
        H1 Team
        
    


<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Wed, 08/12/2020 - 09:38
</span>

            
  
      
  
            August 12th, 2020

      
            <p>Adobe, best known for its multimedia and creativity software product line, serves millions of customers globally who trust them to deliver secure products and services. With a commitment to keeping their customer’s data and experience safe, Adobe first launched their Vulnerability Disclosure Program with HackerOne in 2015. Since then, the team has continued to expand its program to improve security across its suite of products.&nbsp;</p><p>To celebrate five years with HackerOne, we sat down with Adobe’s Senior Security Program Manager Pieter Ockers to discuss how their program has evolved over the last five years and the role that hacker-powered security, both bug bounties and response programs, plays into their overall security strategy.&nbsp;</p><p><strong>Q. How do ethical hackers fit into Adobe’s comprehensive security strategy? &nbsp;</strong><br><strong>A: </strong>Adobe’s primary security priority is to help keep our customer’s data and experiences safe. We do this by building security into our product development and operational processes at the onset, and automating as many processes as possible. One of the main goals for the security team is to make secure development and operations as easy as possible for product teams and the company. Through our vulnerability disclosure program, primarily hosted on HackerOne, and regular penetration tests, the ethical hacker community helps augment our security team by enabling us to open up our products and services for review by a diverse population of security experts with many different perspectives and backgrounds. We think this added level of expertise and perspective helps us make our products better and safer for our users.</p><p><strong>Q. Can you share a little bit about why you chose HackerOne?&nbsp;</strong><br><strong>A: </strong>Our initial motivation to use HackerOne’s platform was driven by the desire to migrate away from the previous vulnerability submission workflow. 
At the time, we were using a legacy web form to receive vulnerability submissions. This technology lacked many of the features that the HackerOne platform offered. We found HackerOne’s platform was best optimized for engagement with security researchers, and it was an easy decision to adopt their platform to execute on this program.</p><p>Once on the platform, we were able to scale our Product Security Incident Response Team (PSIRT) by using HackerOne’s triage services to better manage the increasing volume of bug submissions. Over time, we have also implemented incremental improvements through leveraging HackerOne’s API, integrating the platform into Adobe’s workflows. This allowed us to scale our vulnerability disclosure program along with the growth of Adobe.</p><p><strong>Q. Adobe leverages hacker-powered security and the hacker community in a few different ways to satisfy various security needs. How has Adobe scaled and evolved programs over the years?</strong><br><strong>A: </strong>Adobe interfaces with the security community through a spectrum of engagement models, including (but not limited to):</p><ul><li>Vulnerability Disclosure Program&nbsp;</li><li>Crowdsourced Pentests</li><li>Magento Bug Bounty Program</li></ul><p><strong>Code reviews and pentests</strong><br>Before Adobe introduces a major upgrade or new product, feature or online service offering, a code review and pentest is often performed by an external vendor. These traditional third-party reviews provide an additional layer of assurance to complement our internal security assessments and static code analysis that are part of our Secure Product Lifecycle (SPLC).<br>&nbsp;<br><strong>Vulnerability Disclosure Program&nbsp;</strong><br>PSIRT is responsible for Adobe’s vulnerability disclosure program, and typically responds first to the security community’s submissions of vulnerabilities related to Adobe products, online services or web properties. 
Adobe launched its vulnerability disclosure program on HackerOne in August 2015. The HackerOne platform leveraged by Adobe offers researchers the opportunity to build a reputation and learn from others in the community, all while allowing Adobe to streamline workflows and scale resources establishing a single intake channel for vulnerabilities.&nbsp;<br>&nbsp;<br><strong>Crowdsourced pentests&nbsp;</strong><br>To benefit from a larger pool of security researchers, Adobe also uses crowdsourced pentests in tightly scoped, time-bound engagements involving an elite pool of pentesters targeting a single service offering or web application. This approach has helped supplement the traditional pentests against our online services by increasing code coverage and testing techniques.&nbsp;</p><p><strong>Magento Bug Bounty Program</strong><br>Adobe acquired Magento in 2018, and migrated its bug bounty program to HackerOne in early 2019. Our primary goal for this bounty program is to incentivize researchers to find and report bugs that represent systemic risks with the platform, and this program has successfully captured the expertise of the Magento community to help us harden the Magento platform.&nbsp;</p><p><strong>Q. Measuring the success of hacker-powered security can be tough as you’re often trying to measure what doesn’t happen. How do you measure return on investment of your security initiatives?&nbsp;</strong><br><strong>A. </strong>Our customers expect to have a secure experience when using Adobe products and services, and investing in our security initiatives allows us to better serve our customers. For PSIRT initiatives we make every effort to keep our products safe and our customers happy. We strive to provide transparency and quick, helpful responses to external researchers, while keeping a pulse on media and social sentiment.</p><p><strong>Q. 
What advice or lessons learned would you share for companies looking to consolidate vendors and scale their programs?&nbsp;</strong><br><strong>A.</strong> The key to a successful experience with the security research community is to start a vulnerability disclosure program with limited scope. Researchers expect, as they should, that vendors answer questions and react to submissions promptly. Launching a program before you have the capacity to handle the submissions could result in a poor experience for external researchers.&nbsp;</p><p>Once you have developed and tested your playbooks with a limited vulnerability disclosure program, you can expand incrementally to bigger and broader scoped programs seamlessly. &nbsp;</p><p><strong>Q. Looking forward to the next five years, how do you see hacker-powered security and the industry more broadly evolving?</strong><br><strong>A.</strong> I believe this rapid shift to working remotely will open up more opportunities for remote, crowdsourced workers to play an even bigger role in contributing to the development of secure software.<br>I am optimistic that as the hacker and research community continues to grow in size and skill, they will surface complex vulnerabilities faster than any automated tool could (as well as continuing to proactively offer advice to developers and companies).&nbsp;&nbsp;</p><p>To learn more about the Adobe program and get hacking, visit<br><a href="https://hackerone.com/adobe">https://hackerone.com/adobe</a>.<br>&nbsp;</p>
      
            
                                                                                <a href="https://www.hackerone.com/blog/customer-stories" hreflang="en">Customer Stories</a>, 
                                                                                <a href="https://www.hackerone.com/blog/news-updates" hreflang="en">News &amp; Updates</a>
                    
    

            
            <a href="https://www.hackerone.com/blog/topic/vulnerability-disclosure-program" hreflang="en">Vulnerability Disclosure Program</a>
        
            
            <a href="https://www.hackerone.com/blog/topic/bug-bounty" hreflang="en">Bug Bounty</a>
        
    
]]></description>
  <pubDate>Wed, 12 Aug 2020 14:38:10 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">4989 at https://www.hackerone.com</guid>
    </item>

  </channel>
</rss>
