February 8, 2018 | 5 Min. Read

Hacker-Powered Security without Compromise

When “hacker-powered security” is heard in Senate chambers, something incredible is happening. Ethical hackers are now rightfully seen as the only hope against the threat of unethical hacking that has exposed millions of consumer records, caused irreparable monetary and brand damage to companies around the world, and captured countless news headlines. Bug bounty is the rally cry of this movement, for good and for ill.

There are many benefits to bug bounty programs: they provide unique and diverse hacker insights on client assets; they run on incentive-based testing; they are scalable, adaptive, and continuous. However, in the enthusiastic haste to create platforms and programs for hackers and companies to play nice together, compromises have been made. Our take? The best version of crowdsourced security should not require compromise by the CISO or the hacker.

Trust

Trust comes from knowing that the hackers working on your project have been thoroughly vetted and that their activity is routed through a Synack gateway. The Synack Red Team (SRT) hackers aren’t just internet profiles with pseudonyms and scores; they’re real people that Synack has partnered with on a five-point vetting program to know their backgrounds and test their strong ethics and impressive hacking skills. We’ve looked every one of them in the eye during the interview process as they become an active part of the Synack community. As the largest fully-vetted hacker team in the world, the Synack Red Team embodies trust.

When a customer chooses to run hacker-powered security with us and when a hacker decides to test on our platform, they are engaging with Synack. We are not just a marketplace; we are a full partner. Synack stands between our customers and our hackers for their respective protection. We take on the liability of testing. Period.

By routing all hacker activity through our gateway, the customer can own all vulnerability IP and Synack can stand behind the work. We support the hacker with indisputable evidence in the case accusations of misconduct are ever made against him or her, and we support the customer by giving them real-time insights and control to start and stop hacker activity with the push of a button.

Consistency

According to Gartner, security is the #2 concern for any corporate security team. Operational chaos of managing >100 vendors, hiring and retaining very scarce security resources, and staying on top of the constantly changing digital landscape is #1. It’s no small task scoping assets for testing, recruiting and vetting hackers, reviewing vulnerability submissions, paying hackers for their findings in a timely fashion and then remediating confirmed security flaws. A CISO needs a partner that can take on these tasks without burdening the security team. The team must have confidence that controls are in place to ensure the quality and success of a hacker-powered vulnerability discovery program.

  • Synack can guarantee the consistent quality of hackers who join our platform by upholding the most stringent vetting process in the industry.
  • Our Synack Mission Ops team guarantees that client assets are thoroughly tested, not only by the vulns found, but also through an ongoing coverage analytics feed in the portal. Pace is critical. At times a CISO needs the full team deployed. But it’s also important to be able to slow the hacking efforts, pull specific vulns out of scope, or focus only on certain aspects of an asset.
  • Synack customers don’t have to deal with varying vulnerability bounties, but instead, they have a simple, consistent subscription fee that is easy to work through their finance team.
  • Clients always receive carefully reviewed, high-impact vulnerability submissions and unrestricted access to Synack’s team. And Synack will accommodate immediate access to the Synack operations team, or the hacker working on a project.
  • Hackers on the Synack platform can consistently expect access to leading projects from F500 type customers and critical government assets. The hacker will receive ongoing and consistent support through the SRT Community Management team and very fair and prompt payment (within 24 hours) for their submissions.

Incentives

Hacker-power should always be aligned to the needs of clients’ security teams, because ultimately, their expertise serves the cause of better security. Hacker-power should also stand to respect the skill of the hackers. While hackers are motivated to find as many high-impact vulnerabilities as possible to maximize rewards, clients are motivated to find as many high-impact vulnerabilities with minimal resource strain. To best work together, these incentives must be aligned and both parties need to be represented.

Synack relieves both the hacker and the client from needing to enter negotiations for bounty payments; we represent them both and have their best interests in mind. Synack removes the price setting risk from our clients, and we remove the vulnerability submission risk from our hackers. The buck stops with us, resulting in zero compromise when it comes to keeping everyone’s best interests in mind.

We believe in “hacker-powered” security, and our experience proves that it always has to be done in the right way. We believe in enabling organizations around the world to utilize trusted, ethical hackers to find and fix vulnerabilities in their digital assets before criminal hackers exploit them. And in so doing, we can’t allow any form of compromise.

We are passionate about making the world more secure and that’s why we are always putting our heads together to imagine what it will take. When Synack launched in 2013, we set out to redefine traditional security testing through revolutionary technology and innovative thinking. Synack’s private, managed hacker-powered security solution arms clients with access to the world’s most skilled, highly vetted ethical hackers who provide a truly adversarial perspective to clients’ IT environments. Whether it’s Responsible Disclosure, Vulnerability Discovery, Crowdsourced Penetration Testing or Continuous Testing, Synack offers the same high standards and quality. For years, we’ve been calling it Hacker-Powered Security. It’s enabling organizations everywhere to go on the offensive and utilize the most qualified and trusted group of people from around the world to become stronger against criminal cyber attacks.

Here’s to the future:

Security Testing — Powered by Hackers — Without Compromise.