How CM.com matches rapid business growth with improved cybersecurity through bug bounty programs
The challenge
For CM.com’s global portfolio of business clients, the privacy and security of their customer data are primary concerns. While the Dutch software developer is enhancing user engagement and experience through its innovative platform, its internal security teams also do everything they can to keep their client’s data safe. As part of its security strategy, CM.com regularly sends reports to its clients. Sándor Incze, CISO at CM.com, explains how delivering security information based solely on penetration tests (pentests), however, can give an incomplete picture of the levels of cybersecurity his team is providing.
Relying on pentests to ensure the quality of CM.com’s security posture presented a two-pronged problem:
Internally, the pentests didn’t provide frequent enough testing to match the rapid evolution of the platform.
They were potentially giving customers a less than accurate picture of the quality of security CM.com was providing.
What’s safe today may not be safe tomorrow, but at least we are trying to do our best, and we show to our customers that we absolutely do our best to keep the platform safe.
Sándor Incze
CISOThe solution
CM.com sought a solution to enhance their security and discovered that bug bounty programs could meet their needs. They turned to Intigriti, the leading European-based bug bounty platform.
Approach: creating a strategy to ensure CM.com's safety, starting with a small, private Intigriti community, gradually gaining confidence and expanding. The ability to integrate both private and public bug bounty programs incrementally was a major advantage, along with the transparency offered by Intigriti.
Transparency: the platform provided unique and traceable IDs for each hacker, giving up-to-date insights on testing activities as the bug bounty program progressed.
Improvement: the bug bounty program also addressed several shortcomings of relying solely on pentests. Intigriti's platform featured security testing experts with diverse specializations, allowing CM.com to demonstrate pentesting reports to customers while ensuring their own security. The continuous, round-the-clock testing by specialized experts, along with Intigriti's complementary triage service, helped prioritize and manage findings efficiently by first analyzing them to avoid duplicates.
These combined components allowed CM.com's cybersecurity to rapidly evolve, meeting the expectations of the team and their customers.
The incredible triage team at lntigriti may not be listed as a feature, but they are certainly our favorite aspect. Numerous times, after assessing a researcher's submission, I've turned to the internal chat with a question, only to discover that the team had already proactively addressed my concerns without me even asking.
Sándor Incze
CISOThe result
The implementation of crowdsourced cybersecurity at CM.com has resulted in enhanced customer trust and increased internal expertise. Intigriti's bug bounty platform plays a crucial role in CM.com's security program, offering valuable challenges and insights.
The continuous security testing provides essential information and ongoing learning opportunities for CM.com's security and development teams. The reports generated from this process offer developers clear explanations of vulnerabilities, including how to identify and resolve them. This approach helps the team learn from each experience and avoid repeating past mistakes.
Satisfaction: client expectations and internal requirements at CM.com were met. The bug bounty program is considered a significant enhancement to their overall security strategy. It demonstrates the company's commitment to protecting both customer and internal data, which is a key expectation from their clientele.
Intigriti’s bug bounty platform is part of the complete security program that we have at CM.com. The security researcher community really challenges us.
Sándor Incze
CISOCM.com
CM.com is a global leader in cloud software for conversational commerce. Its story began in 1999 with the sending of SMS messages to update nightclub and festival visitors. Innovation and ambition soon kickstarted a fast-growing company that today enables businesses across the planet to deliver superior customer experiences through CM.com’s communications and payments platform. Part of the company’s mission is to “contribute to furthering technologies that benefit society.”
Countries
37
Employees
1,000+
Founded
Netherlands
Request a demo!
"Our security director has a simple rule of thumb. He says $1 spent in bug bounty is between $10 and $100 later - and I completely agree with him."
Ioana Piroska,
Visma Security Engineer & Bug Bounty Program Manager