This initiative has been changing how organizations approach their systems’ cybersecurity. Previously, researchers who found weaknesses faced limited channels to report them. They were therefore often hesitant to do so due to the risk of committing a crime (e.g. computer misuse or abuse acts). However, with a Bug Bounty Program, researchers are authorized and have a “Safe Harbour” to report weaknesses. This enables them to improve the cybersecurity maturity of a system, platform, or product. In this article, we will look at the current initiatives at SMG. We focus on their roll-out to improve the cybersecurity of our employees, and customers.
Bug Bounty at SMG
Without bug bounty programs, researchers may have risked reporting vulnerabilities in good faith. Or worse, sold them on the black market, leaving users exposed to risk. But now, companies can tap into a talent pool of security researchers in a structured and safe way. All thanks to bug bounty programs.
At SMG we don’t just want to talk about cybersecurity – we take action. With our bug bounty programs, we are actively engaging with over 40 security researchers to hunt down weaknesses across our platforms. Each program has its own manager. As a result, issues are quickly identified, addressed, and rewarded. All of course according to our internal processes and guidelines. Although some companies rely solely on traditional penetration tests, these are usually scoped and can be quite limiting. We recognise that bug bounty programs offer a more “freestyle” approach. With this we take full advantage of individual researchers’ unique skillsets.
The Security Resilience Lifecycle
We have found that each type of security testing uncovers different aspects of the threat landscape. This is why we have created the Security Resilience Lifecycle. This automated process feeds the results of all types of security testing to one another to provide a complete picture of our systems’ cybersecurity posture. Our commitment to comprehensive cybersecurity ensures that we stay ahead of the curve, and our employees and customers can trust that we are constantly innovating to protect their data.
SMG’s Ongoing Investment in Cybersecurity
Our number one priority is the safety of our customers and their data, and protecting our systems and platforms is a prerequisite to achieving this goal. To help manage the inherent risks of cybersecurity, we launched two new bug bounty programs last year, which capture an essential aspect of the cybersecurity resilience life cycle. We are planning to launch a few more programs this year. A bug bounty program is not just a one-time event but continues indefinitely. In the last year alone, we have distributed considerable rewards to researchers across four programs, and this has significantly improved the security of our systems and therefore platforms.
Bug Bounty Programs in a Nutshell
We want to thank Mostafa Abdelmoez, our Group Director of Security & Anti-Fraud (Group CISO), for spearheading this initiative, giving us first insights into the program, and keeping us up-to-date with where it is going.