Ask HN: Do I need a bug bounty program? Feeling a bit threatened by HackerOne
14 points by scared_of_hacks 3281 days ago
I got a sales email recently from someone at Hacker One and they said that "Teams who push code on a regular basis need continuous coverage on their attack surfaces." and that, "If security is a priority for you and [COMPANY NAME], I want to make sure you and I connect."

I understand how the sales process works, but I'm kind of starting to feel after the second cold email that this is a bit mafia-like. I'm basically being told that my kneecaps are going to be bashed in by hackers if I don't respond to this sales call, at least that's how I'm reading this communique.

I was thinking a good way to respond would be to at least put something about responsible disclosure on our "Contact Us" page, and that we'd pay a bounty if someone finds something out of the ordinary. A security professional told me allowing responsible disclosure is the first step. We're a very small company though, I'm the sole developer. I know security is important, and I try to follow best practices - but has anyone else gotten these emails and felt a bit threatened?

I don't mean to insinuate that Hacker One is going to be doing hacking themselves, I'm not a conspiracy theorist. I'm just wondering how people are reacting to getting emails like this?

Thanks for any perspective.

6 comments

Thanks for raising this issue.

HackerOne will NEVER threaten you or do anything to reduce your security. You can safely ignore our sales emails if that's what you want to do. We are just trying to be helpful.

But we do have the absolutely best set of programs for companies of all stripes. To start with, you can open a vulnerability disclosure program that costs you nothing. It will allow hackers to submit vulnerability reports to you. We run numerous programs of this type for startups and other companies.

Our mission is to empower the world to build a safer internet. That's it.

Marten, HackerOne CEO

Thank you so much Marten for your direct response!

I'm sorry if my post came out as at all harsh. I respect what you guys are doing. I just had those honest reactions to the communication I got.

Maybe putting some general pointers on getting started in emails like this for really small companies would come across as a bit less threatening? That way, you can be the guide early on, then we can become partners later when we have the scale.

Good luck with your build!

If this isn't guerrilla PR for HackerOne, I don't know what it is.

It's set up just the perfect way to make us answer "oh but that's just normal salesmanship and reasonable".

Well played if true.

Google Trends says HackerOne spiked today at 4pm on the 7-day search.
Is this the power of Hacker News, I wonder? If so, I am impressed.

Sometimes when a link makes it to the front page of HN, the website goes down due to the number of HNers who try to access it.

It's all marketing. I would ignore it and move on with your life.

Allowing and encouraging responsible disclosure is never a bad idea. That said, if you're a young startup, I would focus on practicing and promoting good security hygiene within your company. Secure coding best practices, locking down infrastructure, that kind of thing. I wouldn't overcomplicate it or stress too much unless your product needs special security attention (i.e. you are a bank or likely to be hacked by a nation state or something). If you're the only technical person and you're already doing this, it does not sound like you have much (anything?) to worry about outside of the norm.

I hope that can help you sleep better at night :-D

How much does a bug fix save you? How much is that worth? Are you popular enough that people are constantly trying to break your security? Bounties are cost-saving measures.

I wouldn't worry too much about it. In my opinion a bug bounty program is another marketing tool of big companies. They have to portray an image of a company that cares about security.

From my experience if you are a small company and fix a reported bug in a timely manner, nothing bad will happen. As long as your customers see that you're reacting quickly, everything is going to be fine.

Jeez, sending cold emails is mafia-like?

Sounds like paranoia.

Ignore the emails and move on with your life.

Well...

I want to ignore the email.

But what if we do get hacked in the next few months?

I can ignore it...but yeah, I am definitely paranoid about what might happen if I do! You know?

I deleted another comment, but this is a far simpler analogy. As a nightclub owner it is prudent to hire a bouncer. Why? Not because the bouncers are making trouble outside your establishment (as a racket would do) but rather as a form of insurance against future miscreants.

Hiring a company like HackerOne (we've hired a competitor) is simply a very wise idea - that is all their email is pointing out. You are currently running a nightclub with no bouncer, you are currently vulnerable (all software is). Get some help by contracting or hiring.