In software products and services, there is always a risk of bugs and vulnerabilities. Through our Bug Bounty program, we and our partner companies invite ethical hackers to help us find these vulnerabilities, so that they can be fixed faster. Read on to learn more about how we, and our partner Nmbrs, work with security together with ethical hackers.
Despite the constant effort and care companies worldwide take in regards to keeping their networks, products, and services secure, bugs exist.
In Bug Bounty programs, ethical hackers are invited to test and challenge applications. Within the Visma family of companies, when a hacker finds a vulnerability or bug, the hacker reports this back to our developers.
Why is Bug Bounty important?
Every application is built with code, and that code is the foundation of every software application. It takes thousands of lines of code to make a modern program, web service, car, or airplane.
The average iPhone app has fewer than 50,000 lines of code, while Google's entire code base, as of Feb 8, 2017, held two billion lines across all services. In the end, we have to face it: all software has bugs, so as a software company it is our job to find them quickly.
"The vast complexity of modern-day software makes it impossible to catch all the bugs, regardless of how advanced the automated tests and checks may be. Nothing compares to having actual, skilled people looking for security issues.
The bug bounty program allows us to leverage the immense power of thousands of brilliant minds all over the world. These people have the incentive to look for and to responsibly disclose security issues to Visma, continuously," says Joona Hoikkala, Application Security Architect at Visma.
In Bug Bounty programs, ethical hackers are invited to test and challenge applications. Within Visma, when a hacker finds a vulnerability or bug, the hacker reports it back to us.
We fix these flaws and report back to the hacker, who is rewarded with a spot on our Hall of Fame, a quality credential for that person. A Hall of Fame listing is often referred to as a "true quality check" of developers and engineers, and it is highly valued by recruiters and companies.
Nmbrs’ disclosure policy and bug bounty
Earlier this year, the Dutch company Nmbrs became part of the Visma family. During the security onboarding process, they presented their responsible disclosure policy. For over three years Nmbrs has invited ethical hackers from around the world to test its security, treating the security of its platform, network, and products as a top priority.
When an ethical hacker finds a bug, they report it to Nmbrs, and Nmbrs fixes the problem. Nmbrs and the rest of the Visma family share this mindset with big tech companies such as Apple, Google, Airbnb, PayPal, Twitter, and Uber, which have implemented the same kind of policy.
Floris Drost, Data Protection Officer at Nmbrs, explains that it is naive for a software company today to assume people won't hack its products and services, which is why Nmbrs has set up its Bug Bounty program:
“Just like boys will be boys, hackers will be hackers. They are going to hack you anyway, so it would be stupid not to use their skills to improve your product. But you do need to facilitate them, that’s why we have the responsible disclosure.”