Study reveals 78 percent of IT professionals are more likely to trust a product or company that has been tested by external hackers for flaws
HackerOne, the leading hacker-powered security platform, today announced the results of a survey conducted at Infosecurity Europe, which revealed that the vast majority of those surveyed (70 percent) believe the Cambridge Dictionary should update its definition of a hacker so the word ‘illegally’ is removed.
The Cambridge Dictionary currently describes a hacker as “a person who is skilled in the use of computer systems, often one who illegally obtains access to private computer systems”. However, when respondents to HackerOne’s survey were asked if it should be updated, 70 percent were in favour, only 23 percent opposed while seven percent were not sure. The survey also revealed that 78 percent of respondents are more likely to trust a product or company that has been tested by the hacker community or security researchers for flaws.
“One of the biggest misconceptions about digital crime is the view that hackers and cybercriminals are the same,” said Laurie Mercer, security engineer at HackerOne. “Hackers are skilled individuals who are curious and enjoy challenges, while cybercriminals use the internet as a platform to commit crime. Hackers also play an important role in keeping the internet safe by leveraging their creativity and intelligence to find complex security flaws often missed by traditional methods. It is encouraging to see the perception of the broader security community shifting towards positivity.”
The survey also looked at the processes organisations have in place when vulnerabilities are reported by the hacker community and asked if they would be acted upon. Reassuringly, 51 percent said their organisation already has a defined process for hackers to report vulnerabilities, while 63 percent of respondents said their organisation would respond to a vulnerability report that came in from an external researcher or hacker. Select organisations are still neglecting to protect their customers from unknown vulnerabilities with help from the hacker community as 21 percent of respondents said their organisation would not respond while 16 percent were not sure. Survey respondents also revealed that 43 percent of organisations struggle to apply security updates to resolve all the vulnerabilities that are being found today.
“There is no such thing as a 100 percent secure system,” said Mercer. “Having a vulnerability disclosure policy in place is a critical part of an organisation’s security architecture. Not only does it provide external security researchers and hackers with a route to report security vulnerabilities in a clear and formalised way, it also outlines an internal process to ensure these reports are addressed and never ignored.”
“Finding and eradicating vulnerabilities is an important aspect of cybersecurity. All companies should consider promulgating a vulnerability disclosure policy, that is, a public invitation for white hat security researchers to report vulnerabilities. The U.S. Department of Defense runs such a program. It has been very successful in finding and solving problems before they turn into crises,” said Rod J. Rosenstein, Deputy Attorney General at the Global Cyber Security Summit in London in October.