ConnectWise has introduced a bug bounty program aimed at strengthening the security of its managed services software suite by rewarding people for reporting vulnerabilities.
“It’s crowdsourcing in a sense,” says Tom Greco, director of information security at ConnectWise. “It helps us to identify things that might not otherwise be identified in our controls.”
Weaknesses exposed by the program will join others identified by ConnectWise employees and partners in a remediation queue of issues prioritized by urgency and potential for harm.
The new venture is being delivered in partnership with HackerOne, a security services provider backed by a community of “white hat” hackers. The company’s client base includes Fortune 500 companies and the U.S. Department of Defense. “We wanted to partner with somebody who has a proven ability to manage an enterprise-class program,” Greco says. “HackerOne is definitely the top in the field.”
The company offers consultative advice that ConnectWise plans to draw on in the future as well. “Bug bounty is not just a one and done,” Greco notes. “This is something that evolves as your company evolves and as your products evolve, and [HackerOne] really demonstrated the ability to guide us through that evolution and make sure that every step of the way we’re doing things the right way.”
HackerOne members who identify weaknesses in ConnectWise products will receive payments in varying amounts based on the importance of the discovery. The size of those bounties is designed to be rich enough to attract the attention of hackers who make all or part of their living finding bugs.
“We follow industry best practices as well as HackerOne’s guidance,” Greco says. “The most significant type of issue might pay out a couple of thousand dollars.”
Like most HackerOne bounty programs, the ConnectWise offering is open only to an invited list of hackers with appropriate skills and an established reputation. Participants in the program have already submitted multiple bug reports in the few weeks since the program’s previously unpublicized launch.
“In the short time that it’s been active, we’ve generated some value out of it already,” Greco says.
Bug bounties are part of ConnectWise’s “shift-left” security initiative, a multi-pronged effort aimed at enhancing the security of the company’s software. Other measures in that campaign include increased threat modeling early in the product design process, using automated coding tools during development to spot potential vulnerabilities in real time, and adopting a new application security architecture based on standards from the Open Web Application Security Project, a non-profit software security foundation.
“The bug bounty complements all of those internal controls by getting us a real-world look at systems in the production environment from a population of ethical hackers that have various sets and levels of capability,” Greco says.
Introduced early this year, shift-left is a core part of ConnectWise’s answer to escalating threat activity against RMM, remote access, and other widely used managed services tools, which attackers can abuse to compromise many end users at once through a single point of entry.
ConnectWise was directly affected by that trend, which prompted a security warning from the federal government two years ago. In January, researchers at Bishop Fox reported eight vulnerabilities in the ConnectWise Control remote access system; those findings were later validated by threat hunting vendor Huntress Labs.