ConnectWise has introduced a bug bounty program aimed at strengthening the security of its managed services software suite by rewarding people for reporting vulnerabilities.
“It’s crowdsourcing in a sense,” says Tom Greco, director of information security at ConnectWise. “It helps us to identify things that might not otherwise be identified in our controls.”
Weaknesses exposed by the program will join others identified by ConnectWise employees and partners in a remediation queue of issues prioritized by urgency and potential for harm.
The new venture is being delivered in partnership with HackerOne, a security services provider backed by a community of “white hat” hackers. The company’s client base includes Fortune 500 companies and the U.S. Department of Defense. “We wanted to partner with somebody who has a proven ability to manage an enterprise-class program,” Greco says. “HackerOne is definitely the top in the field.”
The company offers consultative advice that ConnectWise plans to draw on in the future as well. “Bug bounty is not just a one and done,” Greco notes. “This is something that evolves as your company evolves and as your products evolve, and [HackerOne] really demonstrated the ability to guide us through that evolution and make sure that every step of the way we’re doing things the right way.”
HackerOne members who identify weaknesses in ConnectWise products will receive payment in varying amounts based on the importance of the discovery. The size of those bounties is designed to be rich enough to attract the attention of hackers who make all or part of their living finding bugs.
“We follow industry best practices as well as HackerOne’s guidance,” Greco says. “The most significant type of issue might pay out a couple of thousand dollars.”
Like most HackerOne bounty programs, the ConnectWise offering is open only to an invited list of hackers with appropriate skills and an established reputation. Participants in the program have already submitted multiple bug reports in the few weeks since the program’s previously unpublicized launch.
“In the short time that it’s been active, we’ve generated some value out of it already,” Greco says.
Bug bounties are part of ConnectWise’s “shift-left” security initiative, a multi-pronged effort aimed at enhancing the security of the company’s software. Other measures in that campaign include increased threat modeling early in the product design process, using automated coding tools during development to spot potential vulnerabilities in real time, and adopting a new application security architecture based on standards from the Open Web Application Security Project, a non-profit software security foundation.
“The bug bounty complements all of those internal controls by getting us a real-world look at systems in the production environment from a population of ethical hackers that have various sets and levels of capability,” Greco says.
Introduced early this year, shift-left is a core part of ConnectWise’s answer to escalating threat activity against RMM, remote access, and other widely used managed services tools that attackers can employ to compromise multiple end-user accounts.
ConnectWise was directly impacted by that phenomenon, which prompted a security warning from the federal government two years ago, when in January researchers at Bishop Fox reported eight vulnerabilities in the ConnectWise Control remote access system that were later validated by threat hunting vendor Huntress Labs.
ConnectWise also contributed the following month to a successful effort by Huntress and managed services suite vendor Datto to prevent a hacker from selling login credentials stolen from an MSP in the eastern U.S.
Since then, ConnectWise has passed an independent SOC Type 2 security audit. Like many other vendors, however, it’s been the target of even more attacks than before as well.
“We’ve definitely seen an increase in the threat level against, of course, our remote monitoring and management and remote access systems, just as anybody else in our industry has seen,” says Greco, adding that there’s no way of knowing if the widely reported uptick in threat activity generally since the start of the coronavirus pandemic is responsible for that development or not.
ConnectWise has made security-related investments beyond shift-left this year, including efforts aimed at helping MSPs better defend themselves and their customers from cybercrime. Those have included introducing the new ConnectWise Certify training and education program, launching a cybersecurity framework for MSPs, and creating a new security-focused partner community called IT Nation Secure.
The first IT Nation Secure conference is scheduled to take place online in mid-October.