The bug hunting platform offers a proposal for greater corporate cybersecurity responsibility and transparency.

HackerOne, a bug bounty platform provider, offered a blueprint for greater corporate security responsibility and called for a shift from secrecy to transparency when dealing with vulnerabilities in a report released Thursday.

Organizations are increasingly scrutinizing the practices of their suppliers, basing procurement decisions on security credentials and switching suppliers should a supplier have experienced a security incident, the report noted. Demonstrating secure best practices is now a competitive differentiator.

To demonstrate that a company is adhering to best practices, the report recommended it commit to the four tenets of corporate security responsibility: transparency, collaboration, innovation, and differentiation.

Distrust between organizations and third-party researchers

According to survey data gathered for the report from 800 security leaders, 64% maintain a culture of security through obscurity. Not admitting weaknesses and asking for help fixing them can cause significant damage to a brand should a “secret” vulnerability be exploited, the report explained. To create greater transparency, the report recommended building a culture of openness, avoiding assigning blame when incidents happen, providing third-party researchers with a clear process for reporting vulnerabilities, and taking an open approach with stakeholders should a breach occur.

The report also revealed a great deal of distrust between organizations and third-party researchers. Sixty-seven percent said they’d rather accept software vulnerabilities than work with hackers, while 50% of hackers admitted they hadn’t disclosed a bug because of a previous negative experience or the lack of a channel to report it. A lack of trust makes everyone a potential cyber enemy, the report maintained.
To avoid that and promote collaboration, HackerOne recommended encouraging third parties to report vulnerabilities, setting up regular security briefing sessions with company brass, and translating security risk into risk to the business.

Suppliers’ cybersecurity best practices as important as cost

A common criticism of security is that it slows innovation by increasing the time it takes for development teams to produce software. That need not be the case, the report maintained. Early testing and continuous testing throughout the development lifecycle are ways to avoid security snags. “Security teams should facilitate development, not block it,” the report said.

To reduce friction between security teams and developers, the report recommended involving development teams in the security process, rewarding developers for fixing security issues, and holding cybersecurity awareness sessions across the organization.

Good cyber practices can be a major differentiator for a company, and an important consideration when suppliers are chosen, according to the report. Sixty-three percent of organizations told HackerOne’s researchers that cybersecurity best practices are as important as cost when they choose a supplier, and 62% said they’d take their business elsewhere if a supplier suffered a data breach. Fifty-three percent of organizations admitted they had lost customers as a result of a data breach.

The report recommended that robust security checks be performed on suppliers, including proof of compliance with privacy laws, a third-party audit of the supplier’s security framework, current pen-tests, multi-factor authentication, a vulnerability disclosure policy, and single sign-on. It also recommended following Google’s Minimum Viable Secure Product guidelines.

“[T]here’s no surefire way to prove your security credentials or to know whether one of your suppliers might be the next victim of a data breach,” the report noted.
“However, encouraging your organization and your supply chain to commit to the tenets of corporate security responsibility will drive brand trust and set your organization apart as one that demonstrates its active commitment to security.”