Introducing HackerOne Response, the latest app from Coalition

by John B. Roberts.

Today we announced the HackerOne Response app in partnership with HackerOne, another tool in the growing cyber risk management platform offered to all Coalition policyholders. This new app allows any organization to receive and respond to security vulnerabilities discovered by trusted hackers before criminals can exploit them, and is provided to all Coalition policyholders at no cost.

In addition to helping secure your organization, you’ll also pay less for your Cyber and Technology E&O insurance from Coalition. All Coalition policyholders, current and prospective, will automatically receive a premium discount during the underwriting of all Coalition policies after activating a security vulnerability disclosure program. To qualify, use the Coalition app and/or ensure that your program is publicly listed in the HackerOne directory.


What is a vulnerability disclosure program?

The reality is, vulnerabilities are found every day by security researchers, friendly hackers, customers, academics, journalists, and tech hobbyists (or as we refer to them, “trusted hackers”). Because no system is entirely free of security issues, it's important to provide an obvious way for external parties to report vulnerabilities when they come across them.

A vulnerability disclosure program is intended to give these trusted hackers a mechanism and clear guidelines for submitting potentially unknown and harmful security vulnerabilities to organizations. A vulnerability disclosure program also allows you to have a clear communication mechanism in place for the people who are interested in reporting vulnerabilities in your products and services.

This is incredibly important, especially at a time when businesses are rapidly adopting technology across all of their operations (and the risk exposures that come along with it). Ignorance is neither an excuse, nor an effective risk mitigation strategy. The HackerOne Response app, provided by Coalition, is the basis for a complete vulnerability disclosure program, and easily guides organizations through the process of engaging a global community of trusted hackers to secure their products and services.

We believe so strongly in this approach that we’ve launched our own public vulnerability disclosure program with HackerOne. We take the security of our customers incredibly seriously, and have enlisted the help of hundreds of trusted hackers in this pursuit.

How can a vulnerability disclosure program help my organization?

Beyond the obvious assistance in making your products and services more secure, vulnerability disclosure programs can also help you meet compliance and regulatory requirements.

Coalition’s HackerOne Response app provides auditable compliance with ISO-29147 (vulnerability disclosure) and ISO-30111 (vulnerability handling), and complements your application security efforts across multiple business units, including security operations, incident response, and red teams. Numerous organizations have seen it reduce risk, simplify operations, save time and money, and improve their overall security posture.

If you’re a CEO or risk officer, a clear policy mitigates the risk of unauthorized disclosure, illegal hacking, and adverse administrative or regulatory action.

"[Fandango] engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security ... including: Failing to maintain an adequate process for receiving and addressing security vulnerability reports from third parties." - Complaint, Federal Trade Commission

For the IT team or CISO, you gain full visibility and control over what otherwise would be a chaotic process.

“To improve the security of their connected systems, every corporation should have a vulnerability disclosure policy that allows them to receive security submissions from the outside world." - Jeffrey Massimilla, Chief Product Cybersecurity Officer, General Motors

General Counsels and legal teams can rely on a policy-driven approach that limits the risk of extralegal public vulnerability leaks.

“Companies that lack a clear vulnerability disclosure program are at increased risk should a security researcher find a vulnerability, which then they may disclose in a chaotic manner.” - Megan L. Brown, Partner, Wiley Rein, LLP

And for other executives, a policy can provide additional ammunition to answer board, investor, and media inquiries around your cyber security risk posture.

“One of the best ways for us to augment our internal security team is to work with the white hat community.” - Tobias Lütke, CEO, Shopify

We’ve made it really easy to enable the HackerOne Response app

Ready to start a program? If you’re already a Coalition policyholder, and you’re ready to improve your security by listening to input from the global hacker community, you can do so for no cost directly within the Coalition dashboard. Go to the Apps page, and select the HackerOne Response app. One click and you’ll be whisked away to begin the simple setup process with HackerOne.

Already have a program? Excellent! You’ve shown your dedication to protecting your customers, and recognized that security isn’t a one-time effort. Coalition automatically rewards policyholders with a program publicly listed in the HackerOne directory. Premium adjustments are applied at the time of underwriting when insurance policies are priced. If you already have a program, there is no need to set up another one using the Coalition app.

Combining resources for a common defense works

HackerOne shares our passion to solve cyber risk, and this shared mission made it easy to enlist them in our ahem coalition. Vulnerability disclosure policies and supporting programs (including bug bounty programs) make it practicable for organizations of all sizes to listen to input and react to reports from a global community of experts. Our team at Coalition is happy to partner with the leader in hacker-powered security for the common defense of our customers, and to raise the level of security on the internet.

That’s not all: we have many more apps and services in the works to protect our policyholders, including several from like-minded companies who share our mission. Want to participate? Get in touch.