This blog originally appeared on the Huntress blog.
Real talk: the MSP vendor community needs to get its shit together.
Small and midsize businesses—which represent more than 99% of the organizations in the US and are the cornerstone of our economy—are depending on us to protect them from today’s determined cybercriminals and nation-state actors. But we’re not doing enough to help them.
2021 was a year filled with high-profile attacks and vulnerability disclosures within the SMB and MSP communities. That’s because attackers know most small businesses struggle to defend themselves and that MSPs act as gatekeepers to dozens if not hundreds of SMBs.
At Huntress, we spend a lot of time tracking, analyzing and trying to help the community navigate through these incidents—some examples are below:
Vulnerabilities and Information Disclosure in Crewhu Survey Software
Hackers Exploit Billing Software BillQuick to Deploy Ransomware
Ransomware Deployed via Kaseya VSA in Supply Chain Attack
Zero-Day Vulnerabilities in Event Management Platforms
As we head into 2022 and look toward the future, we’re putting our money where our mouth is to try and accomplish a few things:
Destigmatize and celebrate vendors who are transparent about security incidents and blindspots and who share the work they’re doing behind the scenes to strengthen their platforms
Enable IT professionals to increase their cyber knowledge and chops—by hosting our own training events, covering attendee costs for other trainings and programs, and more
Establish incentives for members of the MSP and SMB communities to spend more time testing, breaking, and pwning the tools they use so vendors can find and fix issues faster and improve code quality
To be clear: we’re not here to shame anybody. We’re here to acknowledge that unless we come together and hold ourselves to a higher standard, this problem is going to get worse before it gets better. And we’re holding ourselves to that higher standard too.
We were super fortunate to raise a $40M Series B last year—and we’re excited to begin investing that money in ways that’ll enable different types of organizations to better secure and support the 99%.
To start, we’re making a $100,000 contribution to the Dutch Institute for Vulnerability Disclosure (DIVD). DIVD is a volunteer-led organization with a team of highly skilled security researchers who analyze threats and report vulnerabilities globally; they played an important role in a number of high-profile incidents over the last year. To proceed in an ethically and legally just way, DIVD has developed this Code of Conduct.
That $100,000 is being used in two ways:
$50,000 will support DIVD’s continued growth, enabling the group to hire its first full-time staff and do more of the awesome work they’re already doing
$50,000 will be used to start a DIVD-led bug bounty program to create a financial incentive for individuals to effectively disclose vulnerabilities and discoveries specific to MSP and SMB IT tools
We’re excited about these opportunities and look forward to continuing to invest in programs that help elevate SMBs above the cybersecurity poverty line.
But here’s the kicker: we need others to join in, too. Working together as vendors and community members will allow us to make a much bigger impact than if we stay in silos or get stretched too thin across just a few key initiatives. So, we’re putting an open call out for anyone interested in joining us to please reach out and get in touch:
You can reach Huntress here
You can learn more about the bug bounty program here
You can contact DIVD directly about the bounty program at email@example.com
As long as hackers keep hacking, we’ll keep hunting—and we hope you’ll join us as we work to deliver greater security to the 99% of businesses that need it most.