In the past, researchers who found weaknesses had limited channels to report them and were often hesitant to do so because of the risk of committing a crime (e.g. under computer misuse or abuse acts). With a Bug Bounty Program, however, researchers are authorized and have a “Safe Harbour” to report weaknesses, enabling them to improve the cybersecurity maturity of a system, platform, or product. Without bug bounty programs, researchers may have taken the risk of reporting vulnerabilities in good faith or sold them on the black market, leaving users exposed to risk. Now, thanks to bug bounty programs, companies can tap into a talent pool of security researchers in a structured and safe way. In this article, we will look at the current initiatives at SMG and how they are being rolled out to improve the cybersecurity of our employees and customers.
Integrating Different Types of Security Testing
At SMG we don’t just want to talk about cybersecurity – we take action. Our bug bounty programs are actively engaging with over 40 security researchers to hunt down weaknesses across our platforms. With each program assigned its own program manager, issues are quickly identified, addressed, and rewarded according to our internal processes and guidelines. While some companies rely solely on traditional penetration tests (these are usually scoped and confined to a limited time window, which is quite restrictive), we recognise that bug bounty programs offer a more “freestyle” approach that takes full advantage of individual researchers’ unique skillsets.
The Security Resilience Lifecycle
We have found that each type of security testing uncovers different aspects of the threat landscape, so we have created the Security Resilience Lifecycle. This automated process feeds the results of each type of security testing into the others to provide a complete picture of our systems’ cybersecurity posture. Our commitment to comprehensive cybersecurity ensures that we stay ahead of the curve, and our employees and customers can trust that we are constantly innovating to protect their data.
SMG’s Ongoing Investment in Cybersecurity
Our number one priority is the safety of our customers and their data, and protecting our systems and platforms is a prerequisite to achieving this goal. To help manage the inherent risks of cybersecurity, we launched two new bug bounty programs last year, which capture an essential aspect of the cybersecurity resilience life cycle. We are planning to launch a few more programs this year. A bug bounty program is not a one-time event; it continues indefinitely. In the last year alone, we have distributed considerable rewards to researchers across four programs, and this has significantly improved the security of our systems and therefore of our platforms.
Bug Bounty Programs in a Nutshell
We want to thank Mostafa Abdelmoez, our Group Director of Security & Anti-Fraud (Group CISO), for spearheading this initiative, giving us first insights into the program, and keeping us up-to-date with where it is going.
Mostafa Abdelmoez, Group Director of Security & Anti-Fraud (Group CISO)