ConnectWise has launched a bug bounty program to further harden the company's business automation and IT management software for MSPs. The program, launched in partnership with HackerOne, has been under development since at least March 2020, according to previous ChannelE2E reporting.
The ConnectWise Bug Bounty program is designed to:
- supplement ConnectWise's internal vulnerability management strategy;
- support invited hackers via the HackerOne platform;
- deliver monetary rewards for security vulnerabilities submitted; and
- address and remediate all confirmed vulnerabilities discovered through the program.
Moreover, ConnectWise will continue to publish disclosures through the ConnectWise Trust Site, which is its primary source of information on security, compliance and privacy topics. The site also houses ConnectWise's security bulletins and alerts, critical patches, and updates, and offers proactive notifications by RSS feed, the company notes.
ConnectWise Security: The Bigger Picture
In a prepared statement about the Bug Bounty Program, Tom Greco, director of information security, ConnectWise, said:
“Cyber criminals move fast, so we have to move faster. Employing a bug bounty program with the help of HackerOne, the industry leader in this space, will allow us to do just that by finding issues before bad actors get a chance to exploit them. Crowdsourcing in this way represents a solid additional layer of security, and we clearly value the community’s expertise and participation in helping us keep our products secure. As we said earlier this year, the launch of this Bug Bounty program is yet another important addition to our security arsenal – and it’s the latest piece of our overall strategy to strengthen our own security standing so that we can better protect our partners and their SMB customers.”
The Bug Bounty Program is part of a larger strategy at ConnectWise to be more transparent and more proactive about vulnerability management. ConnectWise disclosed its overall strategy for improved software development and security disclosure processes in March 2020. The effort includes such steps as a "shift-left" approach to product development, an expansion of cybersecurity training programs for TSP partners, and the creation of the MSP+ Cybersecurity Framework, the company notes.
MSP Software Companies, Service Providers: Prime Hacker, Ransomware Targets
The Bug Bounty program surfaces amid continued challenges for the overall MSP ecosystem. Software companies and service providers remain prime targets for hackers and ransomware attacks, and the attackers often use RMM (remote monitoring and management) or remote access software as a springboard from the service provider into its customers' networks.
Recent MSP and IT consulting ransomware attack victims include:
- Cognizant, which suffered $50 million to $70 million in lost revenue related to the attack;
- Collabera, an IT staffing firm;
- Equinix, the global data center and MSP firm;
- Orange Business Services, a major telecom service provider and Top 200 MSSP;
- Telecom SA, the largest telecom company in Argentina; and
- xChanging, a DXC Technology subsidiary.
Still, there are signs of progress across the MSP industry. For instance, most MSP software platform providers have made multi-factor authentication (MFA), also referred to as two-factor authentication (2FA), a default setting for system access. MFA is not foolproof, but it greatly reduces the risk that a stolen or reused password alone grants access to an MSP's tooling and, through it, to end-customer networks. MSPs and their end-customers have also rapidly embraced cybersecurity awareness training, which often includes simulated phishing attacks and associated educational services.