ConnectWise Bug Bounty Program Invites Hackers to Hunt Security Flaws
The program is open to invited hackers via the HackerOne platform.
ConnectWise has launched a bug bounty program to quickly identify and remediate bugs and security vulnerabilities in its software.
In July, an MSP discovered two critical vulnerabilities in ConnectWise Automate that posed threats to MSPs and their customers if successfully exploited by hackers. Before that, multiple security flaws were found in ConnectWise Control.
The ConnectWise bug bounty program supplements the company’s internal vulnerability management strategy. ConnectWise is partnering with HackerOne, a hacker-powered security platform, to host the program.
A bug bounty program incentivizes security research by offering money for security vulnerabilities submitted. Accepting vulnerability reports from third parties helps organizations surface and resolve issues quickly, minimizing the chance for exploitation.
The ConnectWise bug bounty program is private. That means it is open only to invited hackers via the HackerOne platform.
Key Cybersecurity Strategies
Tom Greco is ConnectWise’s director of information security.
“I joined ConnectWise about 18 months ago, and since then two of our key strategies have been to improve application security across the entire life cycle [and] be more transparent and improve our reputation for security in the marketplace,” he said. “The bug bounty program respects both strategies. The bug bounty complements our existing application security controls. It gives us the depth and breadth of HackerOne’s community offering a range of skills and experience, as well as varying perspectives on the products which could illuminate things that might be missed in our own testing.”
ConnectWise will address all confirmed vulnerabilities discovered through the program. It also will remediate and disclose issues based on severity.
Responsible disclosures will continue to be delivered through the ConnectWise Trust site. It’s the primary source of information on a number of security, compliance and privacy topics. It also houses ConnectWise’s security bulletins and alerts, critical patches and updates.
“Our goal is to provide a real-world scenario for the testing of our products,” Greco said. “The bug bounty program helps us identify issues, connects us to our community and helps us to be more transparent around the security of our products.”
Bug Bounty Programs Work
Alex Rice is HackerOne’s co-founder and CTO.
“Powered by a community of over three-quarters of a million hackers, HackerOne has helped over 2,000 customer programs find over 181,000 valid vulnerabilities in digital assets,” he said. “In total, hackers have earned over $100 million in return for these security findings. The business value placed on each found vulnerability is, on average, $979. That’s a small price to pay compared with the legal, brand and engineering impact of a security breach, which the Ponemon Institute and IBM Security estimate to be $3.86 million.”
Against a backdrop of unparalleled obstacles, security leaders have gained newfound appreciation for bug bounty and vulnerability disclosure, Rice said. A pay-for-results approach is more justifiable under tightened budgets.
“As a result of the challenges posed by COVID-19, 30% of security leaders say they are more open to accepting vulnerability reports from third-party researchers about information security issues,” he said. “And hackers are stepping up.”
Back in March, ConnectWise outlined some of the other improvements specifically around application security. Those include improvements in developer security training, application security standards, and increasing the quality and quantity of its testing.
“All of these initiatives are progressing as planned,” Greco said.