Bug Bounty Programs: The Evolution of Cybersecurity Maturity

Discover the initiative that has been transforming cybersecurity: Bug Bounty Programs. These programs reward security researchers, or “hackers”, for finding and reporting vulnerabilities, and they are changing how organizations approach the security of their systems.
In the past, researchers who found weaknesses had few channels through which to report them and were often reluctant to do so because of the risk of committing a crime (for example under computer misuse or computer fraud and abuse legislation). With a Bug Bounty Program, researchers are explicitly authorized to test and report weaknesses under a “Safe Harbour” policy, and in doing so they improve the cybersecurity maturity of a system, platform, or product. Without such a program, a researcher who reported a vulnerability in good faith took on legal risk, and some vulnerabilities were instead sold on the black market, leaving users exposed. Now companies can tap into a talent pool of security researchers in a structured and safe way. In this article, we will look at the current initiatives at SMG and how they are being rolled out to improve the cybersecurity of our employees, users, and customers.

Integrating Different Types of Security Testing

At SMG we don’t just want to talk about cybersecurity – we take action. Our bug bounty program is actively engaging with over 40 security researchers to hunt down vulnerabilities across all of our bug bounty programs. With each program assigned its own program manager, issues are quickly identified, addressed, and rewarded according to our internal processes and guidelines. Some companies rely solely on traditional penetration tests, which are scoped and limited to a fixed time window; we recognise that bug bounty programs offer a more “freestyle” approach that takes full advantage of each researcher’s unique skillset. We have found that each type of security testing uncovers different aspects of the threat landscape, so we have created the Security Resilience Lifecycle, an automated process that feeds the results of every type of security testing into the others to provide a complete picture of our systems’ security posture. Our commitment to comprehensive cybersecurity ensures that we stay ahead of the curve, and our employees and customers can trust that we are constantly innovating to protect all data.

SMG’s Ongoing Investment in Cybersecurity

Our number one priority is the safety of our customers and their data, and protecting our systems and platforms is a prerequisite to achieving this goal. To help manage the inherent risks of cybersecurity, we launched two bug bounty programs in April 2021, which capture an essential aspect of the Security Resilience Lifecycle. By inviting the security researchers mentioned above to try to attack our systems, we can identify weaknesses within them and make the necessary improvements to enhance security continuously. This is not a one-time event but an ongoing program that will continue indefinitely: we are planning to launch a few more programs this year and will keep launching new ones every year. In the last year alone, we have distributed considerable rewards to researchers across four programs, and this has significantly improved the security of our systems and therefore of our platforms. We want to thank Mostafa Abdelmoez, our Group Director of Security & Anti-Fraud (Group CISO), for spearheading this initiative, giving us first insights into the program, and keeping us up to date with where it is going.

Mostafa Abdelmoez, Group Director of Security & Anti-Fraud (Group CISO)

