Article
Visma’s “mother of hackers” on bug bounty programs
22/3/2023
min read
Security
A bug bounty program offers an additional layer of security for applications. That’s why we invite ethical hackers to test our software – because they unveil and fix potential vulnerabilities; thus, preventing exploitation by cybercriminals.
Meet Ioana Piroska, our mother of hackers
Ioana Piroska is a Security Engineer and Bug Bounty Program Manager at Visma Software. She joined Visma in 2018 as a Security Analyst, beforing diving into the bug bounty world in 2019 when we first launched a bug bounty program internally.
She helps our service delivery teams during their onboarding processes and throughout their bug bounty journeys. She’s a part of the triaging team, and ensures that the hackers’ engagement is maintained. Ioana’s passion for cyber security and care for ethical hacking earned her the nickname “mother of hackers” amongst her colleagues.
“As Visma is such a large and diverse company, bug bounty is an extremely important tool for scaling our security program while we continue to grow. Having a bug bounty program in place helps to improve our security posture, and we see the value it brings continuously.”
Ioana Piroska
We discussed the benefits of bug bounty programs with Ioana, and here are her takes:
How does a bug bounty program work?
“Basically, we invite ethical hackers to test our applications in exchange for monetary rewards. We do, of course, give them legal permission to perform these tests, and the program is published on a specialised platform for such programs. We’ve partnered with Intigriti, which is the number one bug bounty platform in Europe. The tests are conducted in a controlled environment, and the hackers respect our policies and platforms code of conduct, terms and conditions, and privacy statements.
Essentially, this is an additional layer of security that we offer for our products. The benefits of such programs include the diverse expertise of each hacker, their niche skills, and a continuous testing of our products.”
Why should bug bounty programs be a priority?
“Being such a large software company, top-notch security efforts are crucial to us. That’s why we developed the Visma Security Program (VSP), which offers different services internally to help our companies identify security holes and fix them before getting exploited in the digital landscape.
We’ve established a Bug Bounty Triage Team because, to us, that’s a more suitable approach than platform triage. We consider it more efficient as this is such a big and diverse company. A bug bounty program is a service that works globally.
In the VSP, bug bounty is the final layer of verification for our applications. The external hackers’ expertise applied to cyber threats is extremely valuable, as they can catch bugs that cannot be found with automated scanning tools.”
How can companies get started with a bug bounty program?
“First, set the goals you want to achieve and identify what you want to secure. Depending on the scope, you need to allocate a budget and distribute necessary resources. Then, get in touch with bug bounty platforms and collect price offerings. They’ll be able to answer your questions and personalise the offer based on your specific needs, as well as appoint a Customer Success Manager to help you set up the policies and programs.
Internally, you should prepare your teams for the program launch. Explain the process, showcase the benefits, remind them that not all hackers are malicious, and let them know what to expect and what their responsibilities are. Keep in mind that bug bounty isn’t about finding anyone to blame. It’s about identifying security holes and fixing them to prevent exploitation by malicious hackers. After fixing these bugs, you can have more confidence in your product offering.”
What are the benefits of a bug bounty program?
“Bug bounty programs yield immediate results. Regardless of how many internal tests you do, having professional hackers continuously test your products will generate more security reports. Some of them might uncover critical conditions that could have huge consequences for your company and, ultimately, for your customers. Discovering these bugs at an early stage creates a safer digital environment for both your employees and users.”
Here are Ioana’s recommendations for companies wanting to get started with a bug bounty program:
- Start small and expand the program over time – it’ll help you stay within budget.
- Private programs in which you invite as many hackers as you want (make sure they’re specialised in the technologies you use) yield the best results.
- Before launching, perform internal tests and fix the bugs you can find on your own – it’ll cost you less.
- Prepare internal teams for the process and what their role in the program will be.
- Allocate a budget depending on how big the scope is and how secure your products are before having started the program.
- Be prepared for the workload – unexpected threats may appear, so have the resources available to validate and fix the reported bugs as fast as possible.
- Share the findings with both colleagues and the world – knowledge creates a safer digital space for everyone.
Live hacking events
Another thing Ioana highly recommends is live hacking events – either virtually or in-person. At Visma, we recently invited 30 of our best-performing hackers to test specific scope, collaborate, and win special awards and bonuses. It was a great opportunity to engage the hackers while also securing our assets in a short amount of time.
“A live hacking event is all about hard work, meeting brilliant people, securing assets and having fun together. For the first time in years, we recently had the chance to meet the hackers that we work with, shake hands, and get to know each other better. Meeting them in person and watching them work together strengthens the partnership, their engagement, and our trust.”
Ioana Piroska
Live hacking events offer the chance to perform highly intensive tests with the expertise of the best hackers in the industry. By creating a competitive and fun environment, you accelerate vulnerability discovery. You’ll be guaranteed stronger and more secure products while also strengthening your partnership with the hackers helping you.
Voice of Visma
We're sitting down with leaders and colleagues from around Visma to share their stories, industry knowledge, and valuable career lessons. With the Voice of Visma podcast, we’re bringing our people and culture closer to you. Welcome!