in hurry To launch, cybersecurity does not always receive the attention it deserves, and yet it is one of the first things that startups can learn – and will – go wrong.
Hackers and security researchers can be your biggest assets in keeping your startup safe. Revealing vulnerabilities and bug bounty programs are part of working with the hacker community to build a stronger, more flexible company. But these are not a replacement for security investment, which you as a growing company should not ignore.
Katie Mousuris has been in cyber circles since becoming the startup of some of the world’s largest tech companies, and helped establish the first vulnerability disclosure and bug bounty programs. Moussauris, who runs consultancy firm Luta Security, now advises companies and governments on how to talk to hackers and what needs to be done to improve their vulnerability disclosure programs.
At the TC initial stage, Moussauris explained what a startup should (and should not) do, and what should be the first priority.
Knowing the basics
A bug bounty alone is not enough, and outsourcing this process to one platform does not save you time. Moussouris outlined the basics and distinguishes between vulnerability disclosure, penetration testing, and bug bounty.
Vulnerability disclosure is the process by which you hear about vulnerabilities from outside. You digest that vulnerability internally in your organization and figure out what to do with it – what patches to make, how to prioritize that patch, and then what to release to the public [ … ] It comes down to how organizations need guidelines to handle these issues appropriately.
We have further tested penetration: Hiring professional hackers under contract [who have] A specific set of skills that matches your problem set, and you pay them. They are under an unlawful agreement (NDA) to keep your weaknesses a secret as long as you need them – perhaps forever – and you are at your leisure whether you fix those weaknesses or not. .
Finally, bug bounties are simply adding cash reward to the vulnerability disclosure programs process. (Time stamp: 3:20)