
Most infosec pros would trust hacker-tested products

Information security professionals are more likely to trust a product or company tested by hackers and most would respond to security reports from this community, a survey has revealed

Almost 80% of information security professionals consider a security company or product more trustworthy if it has been tested by the hacker or security research community, a survey shows.

“One of the biggest misconceptions about digital crime is the view that hackers and cyber criminals are the same,” said Laurie Mercer, security engineer at hacker-powered security platform HackerOne.

“Hackers are skilled individuals who are curious and enjoy challenges, while cyber criminals use the internet as a platform to commit crime.”

Hackers play an important role in keeping the internet safe by using their creativity and intelligence to find complex security flaws that are often missed by traditional methods, said Mercer. “It is encouraging to see the perception of the broader security community shifting towards positivity,” he said.

The poll, conducted by HackerOne among more than 250 attendees of Infosecurity Europe 2018 in London, also revealed that most would respond to reports from the research and hacker community.

But although 63% of respondents said their organisations would respond to a vulnerability report from an external researcher or hacker, only 51% said they had a process in place to receive such reports.

However, many organisations still neglect to protect their customers from unknown vulnerabilities with help from the hacker community: 21% of respondents said their organisation would not respond to such a report, and 16% said they were not sure.

“There is no such thing as a 100% secure system,” said Mercer. “Having a vulnerability disclosure policy in place is a critical part of an organisation’s security architecture. Not only does it provide external security researchers and hackers with a route to report security vulnerabilities in a clear and formalised way, but it also outlines an internal process to ensure these reports are addressed and never ignored.”

Finding and eradicating vulnerabilities is an important aspect of cyber security, according to Rod Rosenstein, US deputy attorney general.


“All companies should consider promulgating a vulnerability disclosure policy – that is, a public invitation for white-hat security researchers to report vulnerabilities,” he said at the Global Cyber Security Summit in London in October 2017.

“The US Department of Defense runs such a programme, which has been very successful in finding and solving problems before they turn into crises,” he said.

According to security researcher Scott Helme, there is a need for suppliers to interact with the security community to get feedback on their products before launch to ensure they have not missed any vulnerabilities.

He told Computer Weekly: “While some of the larger security suppliers are interacting with the security research community through bug bounty programmes, many remain hostile to reports of vulnerabilities in their products by security researchers.”
