How is the Covid-19 pandemic affecting ethical hacking platforms?

Bug bounty platforms step up amid coronavirus emergency

ANALYSIS: As the coronavirus pandemic continues to escalate worldwide, governments are increasingly urging citizens to work from home.

Employers and workers alike are facing months of disruption as global governments fight to contain the spread of the disease.

Many businesses have shut down, with more and more employees working from home and the self-employed, or ‘gig workers’, facing a reduction in work.

A rise in home workers brings with it an increased concern over network safety – so how is this pandemic affecting frontline security staff, such as bug bounty hunters?

‘Systems will be more vulnerable than ever’

Speaking to The Daily Swig, bug bounty platform HackerOne divulged that it hasn’t so far seen any major changes to the number of vulnerability reports it usually receives at this time of year.

The company is, however, preparing itself for an influx of new customers as security teams ramp up protection.

Aaron Zander, HackerOne’s head of IT, said: “We are all impacted in some way, and the future of work is changing.

“As the work-from-home model becomes the norm and work itself becomes more distributed, more applications, systems, and infrastructures will be more vulnerable than ever. HackerOne is committed to serving the changing needs of our customers.”



In-house, HackerOne has put in place a number of new or modified practices to ensure the smooth running of the business.

A key feature is communication. HackerOne is already a 30% remote working environment, with a further 30% of employees working from home.

Moving to a 100% remote model means that keeping in contact – via daily video calls, virtual check-ins, and weekly AMA (ask me anything) sessions – is vital to ensuring transparency in the workplace.

“This open and transparent conversation keeps a culture of ‘why not share?’ top of mind for everyone and consistent in the culture of all employees,” Zander said.

Unexpected surge in bug bounty submissions

Bug bounty platform Bugcrowd officially closed its global offices earlier this month, with all employees now working remotely from across three continents.

The process has been relatively seamless for the company, where workers are set up with the tools they need to work from home as soon as they join the company.

“When we announced remote-only work, people literally stayed home and had everything they needed,” Ashish Gupta, Bugcrowd CEO, told The Daily Swig.

“We feel confident in our continued ability that we will not lose productivity.”

In addition to the changes in workplace environment, Bugcrowd has seen a sharp increase in vulnerability reports over the past four weeks. It has also seen a rise in interest from prospective clients.

Gupta said: “During this last four-week period, we experienced the highest vulnerability submission volume [in our history].

“We have seen an increase in the number of vulnerabilities and have also had conversations with researchers who say they are stepping up their efforts to help our customers that are working remotely.

“While this is increasing submissions and more eyes on target, it is also reassuring that our community of researchers is doing their part to help secure our customers.”


[Image: Bugcrowd CEO Ashish Gupta at Black Hat USA last year]

Fast-tracking Covid-19 pen tests

Elsewhere, crowdsourced pen test platform Synack is also keeping a close eye on this unprecedented and fast-evolving situation.

“The coronavirus pandemic does present new and unique cybersecurity challenges for governments and businesses,” a Synack spokesperson told The Daily Swig this week.

“Fortunately, our platform was built to accommodate a highly dispersed and far-flung workforce.”

They added: “Due to work from home restrictions and social distancing, many of our researchers are actually able to spend even more time working on securing our customers’ assets.

“In fact, the Synack Red Team – our team of the world’s most skilled ethical hackers – have put in 70% more time on our customer’s target assets in the last two weeks (based on annual average activity).

“We’ve also fast-tracked requests for pen testing any assets related to Covid-19. So far, we haven’t had any service disruptions due to the current health crisis.”

‘Things are changing daily’

As for the ethical hackers themselves, many of whom are self-employed, fears that the current climate could result in an unexpected drop in workload have, fortunately, yet to materialize.

While it’s still early days, Bugcrowd researcher Eric Head told The Daily Swig that the outbreak has not affected his work so far.

He said: “It’s still early on, and it is difficult to say the exact impact since things are changing daily.

“Within my industry, the demand for ethical hacking is continuing to increase and is still projected to double in demand from last year.

“Cybersecurity is an ongoing battle and with more attention on health and public safety, having resources like ethical hackers to keep companies secure is important so that health professionals can focus on patients.”


Additional reporting by James Walker.

