Ask HN: Do I need a bug bounty program? Feeling a bit threatened by HackerOne
I understand how the sales process works, but I'm kind of starting to feel after the second cold email that this is a bit mafia-like. I'm basically being told that my kneecaps are going to be bashed in by hackers if I don't respond to this sales call, at least that's how I'm reading this communique.
I was thinking a good way to respond would be to at least put something about responsible disclosure on our "Contact Us" page, and that we'd pay a bounty if someone finds something out of the ordinary. A security professional told me allowing responsible disclosure is the first step. We're a very small company though, I'm the sole developer. I know security is important, and I try to follow best practices - but has anyone else gotten these emails and felt a bit threatened?
I don't meant to insinuate that Hacker One is going to be doing hacking themselves, I'm not a conspiracy theorist. I'm just wondering how people are reacting to getting emails like this?
Thanks for any perspective.
13 comments
[ 1.4 ms ] story [ 41.0 ms ] threadSounds like paranoia.
Ignore the emails and move on with your life.
I want to ignore the email.
But what if we do get hacked in the next few months?
I can ignore it...but yeah, I am definitely paranoid about what might happen if I do! You know?
Hiring a company like HackerOne (we've hired a competitor) is simply a very wise idea - that is all their email is pointing out. You are currently running a nightclub with no bouncer, you are currently vulnerable (all software is). Get some help by contracting or hiring.
Allowing and encouraging responsible disclosure is never a bad idea. That said, if you're a young startup, I would focus on practicing and promoting good security hygiene within your company. Secure coding best practices, locking down infrastructure, that kind of thing. I wouldn't overcomplicate it or stress too much unless your product needs special security attention (i.e. you are a bank or likely to be hacked by a nation state or something). If you're the only technical person and you're already doing this, it does not sound like you have much (anything?) to worry about outside of the norm.
I hope that can help you sleep better at night :-D
It's set up just the perfect way to make us answer "oh but that's just normal salesmanship and reasonable".
Well played if true.
HackerOne will NEVER threaten you or do anything to reduce your security. You can safely ignore our sales emails if that's what you want to do. We are just trying to be helpful.
But we do have the absolutely best set of programs for companies of all stripes. To start with, you can open a vulnerability disclosure program that costs you nothing. It will allow hackers to submit vulnerability reports to you. We run numerous programs of this type for startups and other companies.
Our mission is to empower the world to build a safer internet. That's it.
Marten HackerOne CEO
I'm sorry if my post came out as at all harsh. I respect what you guys are doing. I just had those honest reactions to the communication I got.
Maybe putting some general pointers on getting started in emails like this for really small companies would come across as a bit less threatening? That way, you can be the guide early on, then we can become partners later when we have the scale.
Good luck with your build!
From my experience if you are a small company and fix a reported bug in a timely manner, nothing bad will happen. As long as your customers see that you're reacting quickly, everything is going to be fine.