June 11-12, 2018 | San Francisco, CA

What Infosec Pros Need to Know Before Conducting a Bug Bounty Program

By Bill Siwicki


Hospital information security teams considering a bug bounty program should know a few things before entering the endeavor. 

The phrase bug bounty, for the uninitiated, refers to programs where hackers are paid to detect and report back on network vulnerabilities. 

Bug bounty and vulnerability disclosure programs have been proven to deliver excellent results in finding and fixing vulnerabilities, said David Baker, chief security officer at Bugcrowd, which connects healthcare organizations with security researchers who can help alert them to IT system weaknesses.

"White hat hackers, or security researchers, are always looking for vulnerabilities, whether invited or not," said Baker. "By providing them with a way to report these security flaws and offering a reward for doing so, hospitals can benefit from continuous testing while paying only for results."

That said, it’s smart to approach infosec work of this sort carefully and structure the program in a way that does not endanger your organization or patient data. 

Granting permission for security researchers to test software and systems, for instance, is a way to receive more vulnerability findings, giving an organization more knowledge and control, and ultimately reducing risk.

Bug bounties can augment in-house security staff, as well as validate in-house security efforts, Baker said, adding that such a layered approach to security is important.

Baker will be speaking on the subject of bug bounties at the HIMSS Healthcare Security Forum, June 11-12, in San Francisco. 

Read the full piece on Healthcare IT News.
