How CM.com matches rapid business growth with improved cybersecurity through bug bounty programs

The challenge

For CM.com’s global portfolio of business clients, the privacy and security of their customer data are primary concerns. While the Dutch software developer is enhancing user engagement and experience through its innovative platform, its internal security teams also do everything they can to keep their clients’ data safe. As part of its security strategy, CM.com regularly sends reports to its clients. However, Sándor Incze, CISO at CM.com, explains that delivering security information based solely on penetration tests (pentests) can give an incomplete picture of the level of cybersecurity his team is providing.

Relying on pentests to ensure the quality of CM.com’s security posture presented a two-pronged problem:

  • Internally, the pentests didn’t provide frequent enough testing to match the rapid evolution of the platform.

  • They were potentially giving customers a less than accurate picture of the quality of security CM.com was providing.

What’s safe today may not be safe tomorrow, but at least we are trying to do our best, and we show to our customers that we absolutely do our best to keep the platform safe.

Sándor Incze

CISO

The solution

CM.com sought a solution to enhance their security and discovered that bug bounty programs could meet their needs. They turned to Intigriti, the leading European-based bug bounty platform.

  • Approach: creating a strategy to ensure CM.com's safety, starting with a small, private Intigriti community, gradually gaining confidence and expanding. The ability to integrate both private and public bug bounty programs incrementally was a major advantage, along with the transparency offered by Intigriti.

  • Transparency: the platform provided unique and traceable IDs for each hacker, giving up-to-date insights on testing activities as the bug bounty program progressed.

  • Improvement: the bug bounty program also addressed several shortcomings of relying solely on pentests. Intigriti's platform featured security testing experts with diverse specializations, allowing CM.com to demonstrate pentesting reports to customers while ensuring their own security. The continuous, round-the-clock testing by specialized experts, along with Intigriti's complementary triage service, helped prioritize and manage findings efficiently by first analyzing them to avoid duplicates.

These combined components allowed CM.com's cybersecurity to rapidly evolve, meeting the expectations of the team and their customers.

The incredible triage team at Intigriti may not be listed as a feature, but they are certainly our favorite aspect. Numerous times, after assessing a researcher's submission, I've turned to the internal chat with a question, only to discover that the team had already proactively addressed my concerns without me even asking.

Sándor Incze

CISO

The result

The implementation of crowdsourced cybersecurity at CM.com has resulted in enhanced customer trust and increased internal expertise. Intigriti's bug bounty platform plays a crucial role in CM.com's security program, offering valuable challenges and insights.

  • The continuous security testing provides essential information and ongoing learning opportunities for CM.com's security and development teams. The reports generated from this process offer developers clear explanations of vulnerabilities, including how to identify and resolve them. This approach helps the team learn from each experience and avoid repeating past mistakes.

  • Satisfaction: client expectations and internal requirements at CM.com were met. The bug bounty program is considered a significant enhancement to their overall security strategy. It demonstrates the company's commitment to protecting both customer and internal data, which is a key expectation from their clientele.

Intigriti’s bug bounty platform is part of the complete security program that we have at CM.com. The security researcher community really challenges us.

Sándor Incze

CISO

CM.com

CM.com is a global leader in cloud software for conversational commerce. Its story began in 1999 with the sending of SMS messages to update nightclub and festival visitors. Innovation and ambition soon kickstarted a fast-growing company that today enables businesses across the planet to deliver superior customer experiences through CM.com’s communications and payments platform. Part of the company’s mission is to “contribute to furthering technologies that benefit society.”

Countries

37

Employees

1,000+

Founded

Netherlands

"Our security director has a simple rule of thumb. He says $1 spent in bug bounty is between $10 and $100 later - and I completely agree with him."

Ioana Piroska,
Visma Security Engineer & Bug Bounty Program Manager