A “threat actor” might sound like a character from some doomed Greek tragedy, but in today’s world they actually inhabit the digital stage, as individuals or groups that attack digital devices, networks or computer systems.
"Fighting threat actors at T-Mobile is an all-day, everyday team sport," says Mark Clancy, SVP of cybersecurity at T-Mobile. "Like all major companies, we face actors from around the globe with the intent to steal information, abuse our systems, or disrupt our operations. Services we provide to customers and partners on the internet are a frequent target of interest by these actors and ensuring these are free from security flaws with our bug bounty program is essential."
Which is why the company turned to Bugcrowd, the leading provider of crowdsourced cybersecurity that uses something called a “bug bounty” program, which employs ethical hackers to locate platform vulnerabilities and address them before bad guys find them. And even just two months into their partnership, Clancy says T-Mobile is benefiting.
"The key to a good bug bounty program is to find things you did not know about before and mitigate them quickly," he says. "We have been very happy with the rigor and velocity of execution as we ramped up the partnership."
So how exactly does a bug bounty program work? Here, on the heels of both companies attending the preeminent cybersecurity conference Black Hat in Las Vegas recently, we talk to Casey Ellis, founder and CTO of Bugcrowd, to find out more about bug bounty programs and how his company is working with T-Mobile to help keep its customers safe.
What is a bug bounty program and what kinds of companies have them?
A bug bounty program is a sponsored, organized effort that compensates ethical hackers for surfacing and reporting otherwise unknown network and software security vulnerabilities, enabling the digital connected business to manage and reduce their cybersecurity risks. The combination of the diversity of participants and the "pay on success" model is orders of magnitude more effective than traditional consulting approaches to risk discovery.
Bug bounty programs have continued to grow in scope and popularity, partly due to current security resource models and cost. They can help close the gap between security and development.
Because of the nature of crowdsourced security, there is a misconception that only tech companies use bug bounty programs. This simply isn't true. Most industries leverage bug bounty programs, even highly regulated industries such as financial services and government.
Can you walk us through the concept behind crowdsourced security, and how that drives your particular bug bounty program?
The idea behind crowdsourced security is really a simple one - I wanted to build a platform that connects the latent potential of those who hack in good faith around the world with as much of the global cybersecurity community as possible. Crowdsourced security provides the internet builders and defenders with an army of allies to take back control and outpace threat actors.
So many of the pain points that inspired crowdsourced security a decade ago still exist today — multiplying attack surfaces, under resourced and overburdened teams, and cutting-edge threat actors.
Crowdsourced security helps organizations stay ahead of attackers before they even think about striking, empowering organizations to proactively safeguard their brand and intellectual property while taking back control.
How does this all work with partnership between T-Mobile and Bugcrowd?
Here at Bugcrowd, we love working with customers like T-Mobile who are so committed to protecting their customers, employees, partners and brand. T-Mobile's bug bounty program launched in July as an opportunity for hackers to hunt on T-Mobile's applications and systems in order to find potential security vulnerabilities and report them. From there, T-Mobile evaluates the reported vulnerabilities and promptly takes appropriate action.
To encourage research and responsible disclosure of security vulnerabilities, T-Mobile is inviting ethical hackers to work on this program and have a chance to earn a range of payments, dependent on the criticality of the vulnerability submitted.
It has been really amazing to watch the success of this program over such a short time since launch - we're seeing incredibly fast remediation times. We're proud to partner with T-Mobile to help keep their systems secure.
How do you see cybersecurity evolving over the next few years?
Traditionally in security, we fall back on the fundamentals, which is the right place to start. The simple things are vital for a reason. Do them well and ensure that your organization is capable of "outrunning the other guy" before it attempts to "outrun the bear."
That being said, we’re really entering a new era of cybersecurity, and I believe security is going to become a lot less predictable. One reason for this is the impact of generative AI becoming mainstream. Aspects of hacking are being automated, creating a swath of new techniques, threats, vulnerabilities and opportunities for impact. A broader variety of threat actors now have access to more powerful tools to create a bigger impact, faster. If you want to learn more about this, I recommend checking out Bugcrowd’s newest report, “Inside the Mind of a Hacker,” which dives into the ways hackers are leveraging generative AI.
What makes you confident that Bugcrowd will be ready for this future, and able to continue to help companies like T-Mobile keep threat actors at bay?
At Bugcrowd, we talk a lot about the "burglars and locksmiths" of cybersecurity. Think of threat actors as burglars and the hackers helping organizations through crowdsourced security programs as locksmiths. Both parties use creative ways to try to open a locked door, but only locksmiths have good intentions.
Even though there are a lot of concerns out there about the ways threat actors are going to leverage generative AI, we can't forget that the locksmiths have access to the same cutting-edge AI technology. According to the "Inside the Mind of a Hacker" report, 94% of hackers plan to start using AI in the future to help them ethically hack. I'm really encouraged by the ways I'm seeing the hacker community leverage generative AI as a way to streamline their security research workflows.
It's exciting to partner with industry leaders like T-Mobile, because together we can really make a difference in cybersecurity. By continuing to empower hackers on crowdsourced security platforms, we start to level the playing field, ultimately helping organizations keep their systems and data secure.
T-Mobile and Bugcrowd launched a revamped public bug bounty program on Aug. 30, 2023. Security researchers can earn up to $10,000 per vulnerability found. To learn more or sign up, check out www.bugcrowd.com/t-mobile.