Ever since we announced that we were donating $100,000 to the Dutch Institute for Vulnerability Disclosure (DIVD), things have been a bit hectic around here at Huntress.
At the risk of sounding pessimistic, we figured a few of our fellow vendor friends may reach out and say this sounded cool—and, if we were really lucky, chip in a few hundred bucks.
We had no idea that within a few weeks, we’d hear from nine vendors that they wanted to donate a combined $75,000 to DIVD.
And we’re just getting started. 😉
MSP Vendor Spotlight
As we heard from vendors who wanted to get involved, we grew curious to know what this initiative means to others. So, we asked them—and their responses give us a lot of hope regarding working together and fostering a community of vendor transparency and accountability in 2022. 🙌
Axcient
Becky Teal, Senior Partner Program Manager (Huntress): Why was it important for you to get your company involved in this initiative?
Ben Nowacky, SVP of Products (Axcient): Security in a silo can never be effective. Cybercriminals have us in their sights, and we believe in the power of collaboration and transparency as potent weapons against them. True accountability to our partners requires this approach. Simply waiting for the next attack—and hoping that any single vendor or MSP defenses are sufficient—just isn’t an option.
Transparency for Axcient is nothing new. We adopted a very transparent security-first approach to our products from the outset. In addition to sharing the results from annual SOC audits and regular external testing with partners, we’ve adopted a “shift-left” approach to security, making security more central in product development and testing for security earlier in the development lifecycle. It is a core KPI and integrated requirement that must be validated before pushing any code to our partners.
As vendors in the security space, we are always looking to do more and do it better. Of course, we do the necessary things like pen-testing and vulnerability assessments. Still, our goal is to evolve and progress even further to do our best to ensure our partners never have to deal with a preventable breach stemming from us as a trusted vendor.
We are stronger as a community, and we are equally committed to protecting our company, our platform, and our customers by being open about security. This initiative should lead to good things for our MSP partners.
Becky: What do you think MSP vendors should be doing to make cybersecurity safer for their partners in 2022?
Ben: Vendors need to grasp the trust our MSPs partners put in us when they invest in our solutions as part of their stack. This privileged position puts a lot of responsibility on vendors to ensure they are not the weak link in cyber resiliency. That’s why we’ve made the commitment to transparency in our development and testing—both our products and our own infrastructure. But this means doing more than the basics like regular pen-testing and security patching and being proactive and transparent when issues arise.
We preach to MSP partners that they must test, test, test, and the vendor community must also conduct regular risk assessments to constantly improve. We hold very aggressive resolution SLAs on security issues and make security a company-wide mission. And we all know engineering and development need to make security a core KPI, but other parts of the organization like sales, finance and marketing also need to be security-obsessed by staying alert for social engineering attacks, phishing and other potential footholds criminals may seek to gain in an organization. Only by taking a security-first approach across the company can we enable our partners to offer security to their clients.
Becky: Anything else you’d like to say about DIVD/this initiative/the community?
Ben: While every company participating with Huntress believes security is the most significant threat to MSPs and customers, the missing components are collaborative programs like this DIVD program to help identify issues early. Then, vendors can play more offense instead of reactive defense. By identifying threats, collaborating across vendors and partners, and communicating openly, honestly, and transparently among our community, we could prevent so many of these supply chain attacks from happening.
Unveil Security Group
Becky: Why was it important for you to get your company involved in this initiative?
Joe Clapp, President (Unveil Security Group): Vendor neutrality is core to the Unveil corporate ethics. We had been looking for a vulnerability disclosure organization that mirrored our own ethics. Additionally, Unveil consultants and researchers commonly find bugs in products that do not have reasonable disclosure mechanisms. We want to support an organization that is interested in supporting responsible disclosure for the societal good—wherever those vulnerabilities reside.
Becky: What do you think MSP vendors should be doing to make cybersecurity safer for their partners in 2022?
Joe: Know where you are blind. Spend the time identifying systems from which you are not collecting logs or the network segments you are not collecting network traffic on.
Critically analyze your information security training program. Is it a “check the box” program or does it truly improve your security posture? If it’s not benefiting you, spend your resources elsewhere.
Implement near-continuous monitoring of your services exposed to the Internet and on critical internal systems. If it changes, find out why.
Becky: Anything else you’d like to say about DIVD/this initiative/the community?
Joe: I would encourage the community to seek creative opportunities to help DIVD beyond financial help. Examples such as allowing an in-house web developer to develop for DIVD a few hours a month or an administrative assistant (especially one with non-English language skills) to template communications notices could be a significant help for DIVD.
OITVoip
Becky: Why was it important for you to get your company involved in this initiative?
Ray Orsini, CEO (OITVoip): Just like MSPs have a responsibility to their clients, I believe we vendors have a responsibility to the MSPs we serve. However, many of us were held back due to not having the internal resources necessary to properly implement a program that would not only support but encourage ethical security researchers to share information. This initiative lowers the bar significantly so that every vendor can participate, regardless of size.
Becky: What do you think MSP vendors should be doing to make cybersecurity safer for their partners in 2022?
Ray: It’s all about transparency and communication. It’s no secret that MSPs have been the target of malicious actors. Insurance carriers are keeping an equally close eye on MSPs in order to meet coverage requirements.
While the practices of the MSP definitely have a key role to play, MSPs don’t necessarily have control over the software they deploy. That’s why we need to be as transparent as possible whenever an incident occurs to prepare the MSP to take appropriate action. I would also like to see more vendors take a more active role in assisting MSPs prepare their playbooks for incident response.
Becky: Anything else you’d like to say about DIVD/this initiative/the community?
Ray: As a former MSP and current vendor, I thank Huntress and DIVD for their combined efforts in our community. I also congratulate those first vendors who have stepped up to realize the value of this initiative and have pledged a donation.
To that end, I will be working with Jason Slagle of CNWR to create a Vulnerability Disclosure Program (VDP) workshop where we will assist any vendor to create a program that has all of the appropriate elements required for responsible disclosure and response. And I would like to publicly thank Huntress for sponsoring our program for the betterment of the community.
* Editor’s note: We’ll update this blog as soon as we have more details about the VDP workshop!
Appgate
Becky: Why was it important for you to get your company involved in this initiative?
Marc Inderhees, Senior Director of MSP Channel Sales (Appgate): We are thrilled to have an opportunity to support DIVD. It’s critical that vendors invest in the community. MSPs are the first line of defense and need our backing and investment to properly protect their customers.
Becky: What do you think MSP vendors should be doing to make cybersecurity safer for their partners in 2022?
Marc: In addition to supporting DIVD I’m a big proponent of cybersecurity enablement for the MSPs and ensuring that they have the same tools available to deploy internally cost-effectively to protect their environments.
Becky: Anything else you’d like to say about DIVD/this initiative/the community?
Marc: Let’s hope this is the beginning of a growing and long-standing vendor effort to support the MSP community.
Taylor Business Group
Becky: Why was it important for you to get your company involved in this initiative?
Michael France, Managing Partner (Taylor Business Group): There are many bounty programs by manufacturers to incent ethical hackers. By supporting DIVD, we feel more money will get to the ethical hackers to identify the risks, making the software the MSP community uses safer.
Becky: What do you think MSP vendors should be doing to make cybersecurity safer for their partners in 2022?
Michael: Communication! Continue to talk to the MSP owners at events, through webinars and with direct access to communities like Taylor Business Group.
Becky: Anything else you’d like to say about DIVD/this initiative/the community?
Michael: As we have seen in our members, security has become an opportunity for growth and a risk to their business, as an example, insurance costs have gone up. The DIVD initiative will hopefully reduce some of the risks.
Blumira
Becky: Why was it important for you to get your company involved in this initiative?
Jeremy Young, Director of Partner Strategy (Blumira): The perfect cybersecurity program can be derailed in an instant by the right vulnerability. As vendors providing software to the SMBs and MSPs who are the engine of the global economy, we must do everything we can to mitigate these risks for our customers. Supporting organizations like DIVD who work to make the entire community safer is an easy decision to make and one that we encourage our fellow vendors and MSP partners to join in on.
You can read more about Blumira’s commitment to strengthening community partnerships and improving MSP/SMB security on their blog.
Servosity
Becky: Why was it important for you to get your company involved in this initiative?
Damien Stevens, CEO (Servosity): I’m excited to partner with DIVD and Huntress in the fight against cybercrime. MSPs know that a thoroughly tested and immutable backup is their last line of defense in the event of an attack. Working together as a community in an open and transparent manner gives us the chance to tilt things in the favor of the MSP, instead of having the odds stacked against them.
Response from MSPs
Truly, we wouldn’t have been able to pull off this initiative if it weren’t for our friends who work at MSPs. These experts helped inform our strategy to help make their worlds a little safer this year and maybe even save them a headache or two.
Our friend Kelvin Tegelaar, CTO and co-owner at Lime Networks, chatted with us about what these donations will mean to the MSP community as a whole:
"For our entire community, this is a game-changer, as it allows security experts to find issues in our software before it turns into a major incident, without fear of repercussions."
Our friend and hack_it regular Jason Slagle, President of Technology at CNWR, Inc., also had some words regarding what he hopes to see from the MSP vendor community this year:
“The MSP space needs a dosage of transparency from our vendors. For too long now we've been at the mercy of vendors that often choose not to disclose vulnerabilities that could have impacted us or our customers.
“My hope is that with the help of DIVD and their disclosure and transparency, we can start to change the culture to one of openness where we can all benefit from knowing our vendors take security seriously, and we can all learn the lessons they do along the way.”
How You Can Get Involved
If you’re interested in getting involved with this initiative, please reach out and get in touch:
- You can reach Huntress here
- You can learn more about the bug bounty program here
- You can contact DIVD directly about the bounty program at bugbounty@divd.fund
Want to hear more about the bug bounty program and from other vendors on why they’re getting involved? Watch our on-demand webinar Leaving the Silo: A Panel Discussion with DIVD and MSP Vendors!
