Bugcrowd Blog

What We Can Learn from NETGEAR's Approach to Security

Posted by Ashish Gupta on Oct 6, 2017 9:00:00 AM

Earlier this week, Threatpost reported that NETGEAR had fixed 50 vulnerabilities in its routers, switches, and NAS devices -- many of which were reported via the company’s bug bounty program.

Of the news NETGEAR said:

“We are taking the security of our products very seriously and have been working closely with Bugcrowd to help monitor instances of potential security vulnerabilities,” said a NETGEAR spokesperson. “We work with Bugcrowd to identify potential vulnerabilities and release fixes in bulk, which is why you saw the quantity you did come across last week.”

This isn’t the first time NETGEAR has disclosed vulnerabilities discovered through its bug bounty program. Earlier this year, the company identified a password bypass bug found in hundreds of thousands of NETGEAR routers. Personally, as a customer of NETGEAR, I feel a whole lot safer, thanks to the proactive approach taken by NETGEAR and Bugcrowd’s researchers via a bug bounty program that delivers actionable security insights to NETGEAR’s team, which is able to address these issues in a timely manner.

It’s a trend we’re seeing more of.

It’s not simply about the growing threat of breaches, or even the outside pressure from external researchers (although these are very real drivers); it is about being a responsible citizen in our digital economy. Responsible disclosure is really about building comprehensive security programs, effectively identifying vulnerabilities, and ensuring they are successfully remediated.

When NETGEAR launched their bug bounty program earlier this year, CIO Tejas Shah said:

“As the innovative leader in connecting the world to the internet, NETGEAR must earn and maintain the trust of their users by protecting the privacy and security of their data. Being proactive when it comes to security is fundamental to NETGEAR’s approach.”

Ensuring the security of its customers is likely not a new goal for NETGEAR; as Tejas said, it’s fundamental. This is something we often hear from our customers at Bugcrowd: being proactive when it comes to securing customer data is core to what they do. However, given the increase in breaches we’ve seen over the past year, it takes more than just one guardrail to protect your sensitive data. It requires a robust and layered approach. Responsible disclosure is part and parcel of this. Until recently, a coordinated disclosure or bug bounty program wasn't feasible for most companies. Today, that’s changed.

It goes without saying that we believe in the power of this model. This has been validated by the growth (77%) we’ve seen this year, across industries, at companies of all sizes (enterprise adoption has tripled in the last year). We work with more of the Fortune 50 than any other bug bounty platform. This is because we bring a multi-faceted approach: we start with a robust platform, sprinkle on the magic of human innovation with a large, diverse, and skilled crowd of researchers, and top it off with a team dedicated to working with customers to deliver results. We bring art and science together to deliver compelling results for our customers.

On average, our programs see 5 critical vulnerabilities within the first 2 weeks. We don’t just throw these vulnerabilities over the fence. We work with our researchers and customers to ensure we’re delivering real, actionable results. And we’re always working to make this process better. Our team of application security engineers, the team that reviews each and every submission, is always working to provide timely and accurate insights from the submissions. Every day sets a new record: we are already 70% faster than a year ago, and we were the best in the industry then.

There is no panacea in security. This is why we’re constantly recruiting new researchers, adding new skills and new perspectives to the crowd. It’s why you can’t surpass the power of human creativity. It’s also why our layered approach to security delivers amazing results for our customers. Jim Hebert, Sr. Security Engineer at Fitbit, may have said it best:

“We think of the bug bounty program as ‘part of this complete breakfast’. You have all these internal activities, and the Bugcrowd program for us… is a nice supplement to those things–it catches bugs that our internal testing didn’t catch. It also gives us information in what it doesn’t report.”

And so we come back to NETGEAR. The company’s news this week clearly demonstrates not only its commitment to making its products safer, but also that the company has taken action, delivering on its promise of security. And the community has taken notice. Trustwave researcher Martin Rakhmanov said:

“We’ve been working with NETGEAR through their responsible disclosure process for quite some time and watched them mature tremendously including their current participation in bug bounty programs.”

We will undoubtedly see more of this sentiment as more companies make responsible disclosure and bug bounty programs part of a “complete breakfast.”

Written by Ashish Gupta

Ashish Gupta is CEO and president of Bugcrowd.