This guest blog is authored by the HiRoad Security team.
The auto insurance industry requires a great deal of information about customers in order to accurately measure risk and, for HiRoad, to reward good driving. The insurance industry is also heavily regulated, so we have to ensure the security measures we implement meet our legal and regulatory obligations.
When our customers buy insurance, they are buying a promise. HiRoad understands the trust customers place in their insurance company. Our goal is to respect and honor that trust by ensuring their data is safe.
To that end, the HiRoad security team is committed to cybersecurity, taking a defense-in-depth approach to our program. We apply a variety of internal security testing and QA measures to ensure there are no vulnerabilities in our software before it hits the public. We are constantly updating our programs in accordance with best practice. But knowing our risk factors, our growing attack surface, and the increasing number of cyber adversaries out there, we needed to take it one step further with crowdsourced security.
We researched a number of different bug bounty program providers and chose Bugcrowd as the platform able to provide everything we need in our program. Bugcrowd gives our security team access to some of the world’s top vulnerability researchers, getting external, professional eyes on our code to find areas that can be improved. Additionally, Bugcrowd’s managed platform means we only see valid, actionable submissions, helping to focus our attention where it is needed.
We’ve seen valuable submission reports come out of crowdsourced security testing. A fresh set of eyes, or an entire Crowd of them, is incredibly valuable at spotting well-hidden issues. We have received useful submissions which we are actively working to address. Also, using Bugcrowd’s managed program specifically allows us to have a vulnerability submission program without significant maintenance overhead – the Bugcrowd team handles all the initial work of assessing, triaging, and prioritizing submissions. Our team is then able to get directly to the important issues.
Using Bugcrowd has inspired us to be more proactive about certain areas of vulnerability testing. It’s given us an idea of where to best focus and prioritize our efforts based on the submissions we received. At HiRoad, we believe in delivering on customer trust by providing a safe and secure platform. We are incredibly grateful to all researchers who take the time to help with that goal by submitting issues.
We’re excited to have Bugcrowd manage our Vulnerability Disclosure Program. You can find the VDP page here.