ConnectWise has launched a bug bounty program in partnership with HackerOne.
Why do we care?
My first care is that I criticized them for not having one, so this is recognition that the status has changed.
This is what grown-up companies are doing. SolarWinds also has a program with HackerOne. Kaseya explicitly does not have a bounty program, but does have a reporting mechanism. I’ve included a link in the show notes.
My big takeaway here is that the checklist of things you should be asking your potential vendors – or existing ones – needs to include a whole lot more about their security procedures.
Why? As we learned in the previous story… you are for sale, and they are coming for you via your toolset.
Source: Channel E2E