What do Echobox engineers and a horde of hackers share in common?

They’re all working to ensure the utmost security of the Echobox platform.

We recently made our bug bounty program public with YesWeHack, a global bug bounty and Vulnerability Disclosure Policy (VDP) platform. Such programs aim to help us pinpoint potential security vulnerabilities and proactively resolve them long before they could lead to a breach.

What exactly are bug bounty programs, and how do they work? What makes them effective? And why should publishers care about them?

We sat down with Echobox CTO Marc Fletcher to discuss.

Dr Marc Fletcher

Echobox: Why is security critical for publishers (and for vendors like Echobox who serve them)?

Marc Fletcher: For news publishers, the potential risk of a compromised social media account is very high from a societal perspective. Imagine the worst-case scenario, where a hacker manages to post to the world’s largest social media accounts simultaneously in a way that could even move stock markets. Nefarious actions on social media could be used in various scams, such as the 2020 hacking of high-profile Twitter accounts in a Bitcoin scam, or the cryptocurrency scams on social media that have resulted in losses of $1 billion. It also still surprises me how little other social sharing tools seem to care about this.

At an extreme, if a malicious actor were to hack top news accounts and spread misinformation, it could trigger political chaos or even a world war. Because we care so much about protecting real news, it’s critical for us at Echobox to ensure our platform security is up to scratch.

Echobox: How do we approach security at Echobox?

Marc Fletcher: Compared to the rest of the market, we’re definitely ahead of the curve from a cybersecurity perspective. We take a rigorous approach to security at Echobox, and a public bug bounty program is just one small component of this approach. We also deliver comprehensive cybersecurity training for each employee and have introduced stringent internal anti-phishing practices, for example. These initiatives are all carried out with the same goal in mind.

The cost of security risks varies from company to company, but reputational damage resulting from a security breach can be severe. Companies have two choices: either do the testing proactively and find problems before they arise, or don’t do the testing and expose their clients to serious harm. At Echobox, we’d much rather know about potential issues and proactively fix them, rather than let any vulnerabilities be exploited and cause damage to our clients.

Echobox: What are bug bounty programs?

Marc Fletcher: A bug bounty program involves inviting skilled ethical hackers to probe and test a software platform in search of security flaws. They’re incentivized with a monetary reward that can range according to the severity of the vulnerabilities they identify. In the case of Echobox’s public program, ethical hackers can earn bounties of up to €6,000 per report. Any security flaws that are found can then be resolved, ensuring an impenetrable platform and helping to prevent future security breaches.

Echobox: What advantages do bug bounty programs offer over other types of cybersecurity measures?

Marc Fletcher: Bug bounties are “always-on” programs, as opposed to ad hoc tests. A huge advantage of this type of program is that anyone who’s part of the bounty ecosystem can come along and try to find weaknesses or vulnerabilities. That’s a significant advantage, as cybersecurity is exceptionally complex and broad. For example, saying you understand everything about cybersecurity is a bit like saying you’ve read every single piece of English literature – it’s an impossible feat for one person’s lifetime.

So a bug bounty program gives companies access to hundreds or even thousands of people with different specialties, and they test your system for particular weaknesses. This provides a large advantage over penetration tests, which can reveal vulnerabilities that are either very common, or that are limited to the specialties of your particular penetration tester (and much depends on the language or framework that they’re using to test).

Bug bounty programs are one of the most cost-effective things a company can do to ensure robust security. There are compliance certifications that companies can pay for, such as ISO 27001 and SOC 2, or PCI for companies that handle payments, but many of these accreditations can often become more administrative than practical. They require providing paperwork and ticking boxes. A bug bounty program is much more practical in terms of preventing breaches in the first place, which is Echobox’s goal.

Echobox: Why did Echobox decide to invest in a public bug bounty program? Have we done anything like this before?

Marc Fletcher: Launching a public bug bounty program felt like a logical next step to follow on from our private bug bounty programs. The public program gives us greater exposure and access to YesWeHack’s community of 45,000 ethical hackers with their diverse areas of expertise. One fact that stood out to us is that no other social media publishing companies seem to be running public bug bounty programs like ours.

Prior to our bug bounty experience, we ran one-off penetration tests, which involved paying a consultant for 3 to 4 days to poke around and see what issues or vulnerabilities they could find, but these kinds of tests have their limitations, as I mentioned earlier.

Echobox: Do you think more companies will be investing in bug bounty programs in the future?

Marc Fletcher: Bug bounties have been around for about a decade, and they’ve grown in popularity as companies have learned of their benefits. On the face of it, they may seem expensive compared to a one-off penetration test. But given the potential long-term benefits, and the cost to a company of an actual breach, bug bounty programs are still cost-effective.

I think many companies struggle with the idea that with a bug bounty program, you’re paying people to tell you where you’ve got things wrong – and they don’t want to know or risk bruising their ego. They’d rather hide in ignorance and assume everything is great with their products and systems. But living in ignorance only works until you’re hit by a devastating breach. In our case, it’s critical to invest in robust security up front and have peace of mind that we’re offering our publisher clients an ultra-secure platform.

Echobox: Any final advice for publishers about cybersecurity?

Marc Fletcher: Similar to GDPR compliance, platform security should be a very important factor for publishers. Though a major risk may seem far-fetched, a security breach of any size could present a real threat to publishers who hold such an important role in how information is disseminated throughout our society. If the security of your brand, reputation and content is important to you, Echobox should be your platform of choice.