Right of Boom
January 30, 2025

Huntress Donates $100,000 to DIVD Bug Bounty Program to Elevate SMB Cybersecurity

In this video, Wes and Jason discuss the importance of vulnerability disclosure programs and bug bounty initiatives in enhancing cybersecurity for MSPs and vendors. They explore the challenges and ethical considerations of responsible disclosure, highlighting the critical role of community involvement in identifying and addressing vulnerabilities. As the conversation unfolds, insights are shared on how insurance and legal frameworks could further influence cybersecurity practices and vendor accountability.

- The webinar discussed the importance of vulnerability disclosure programs (VDPs) and bug bounties in improving cybersecurity, especially for MSPs.
- There was a focus on the role of cyber insurance in shaping security practices and the potential for insurers to require certain security measures.
- The discussion highlighted the need for transparency and responsible disclosure in handling vulnerabilities, as well as the potential legal risks involved.

Guests

Andrew Morgan

Video Transcript

Hey everybody, welcome to the cyber call number 79. Wes. That's crazy. Nine. That's crazy. Yeah, it is, it is. Well, um, we have, it's kind of, um, VJA de Kyle or Deja vu bringing you back here, green screen and all. Welcome. And it's good to see You. You, I do appreciate that. And green screen, you know, for all the, you know, the attendees, right? Grab your screenshot now so you can put your favorite, uh, terrible images behind me. I'm sure that'll go over. Great. Yeah. Fantastic, Jason.

Good to see you as always. We'll do formal intros momentarily. The beard is looking very bushy these days. Yeah, I, I need to get it trimmed, but I have Covid so I can't. Ah, well that's kind of, I mean, scissors, right? That'll do it. Yeah, we'll send Wes up there. Yeah, yeah, I got you. Wes is immune, I think. Wes, yeah, you've had it like what, five times? I think three. Yeah. What fun. Alright. Alright, so we'll get right on into it. Just a few things.

Um, Right of Boom is in the, uh, uh, call to action below the, all the pictures. We are, gosh, I I mean the hotel is nearly packed, booked. Um, I don't know if we have any hotel rooms left. I you don't try to get, you don't. Okay, thanks Jason. Um, it's, um, the Black Hills pre-day got sold out in like eight days. Um, we're coming, you know, so if you want to be around your friends, your peers, many of 'em on this, uh, event, I hope you guys will join us.

Um, I'm working on another block as well, hotel block, so you can, we can all be, uh, be together. Um, alright, so let me set the stage here. Um, Kyle and Huntress have been, uh, vocal as everybody knows throughout 2021 on, you know, the vulnerabilities, the supply chain attacks, uh, et cetera. And, um, last week they announced a hundred thousand dollars, um, vulnerability bug bounty program.

I'll let Kyle certainly talk about it more succinctly than I'm doing at the moment, but, um, felt it was newsworthy and it felt it was important to, uh, for all of us out there on the channel to understand what the initiative is about. Um, and, uh, uh, yeah, so I did put up a poll, um, and I put that up as I was thinking about Jason Slagle because, um, he's somebody that is actively involved and looking at the tools he's using and, you know, poking around them on a continuous basis.

So, um, in setting the stage right, we had, you know, 2021, lots of supply chain attacks. Um, you know, Wes, um, you know, all the way back when you started the Perch, um, uh, annual report, um, Buffalo jumps were something that you've been, you know, focused in on prior to them getting big. We saw a lot more of that as well as the supply chain attacks. And, um, we saw in the latter half of the year, um, a lot of, uh, you know, non-renewals, if you will, of cyber carriers for MSPs.

Uh, we see premiums going through the roof. We see coverage going down and those are the thematics as we head into 2022. So before we get into it and I turn it over to Wes, Kyle, welcome back, one of the originals of the cyber call. And, uh, it's good to see you again for those out there, I can't imagine that don't know you, but if there is one or two, uh, share a little about yourself. Yeah, so stoked to be back.

I think it's probably been, uh, you know, maybe 30, 40 episodes or something have gone by since I've, uh, last, uh, graced the cyber call group. But I'm stoked to see that the number of participants keep going up. I continue to refer people over this direction and I think it's a really simple, uh, investment of your time each week to come on over. So glad to be able to play a little part of that.

Uh, I did also hear for those in chat, I heard that Darth Vader vibe, so I'm not sure if that's Omicron Vader over there from, uh, Jason or what, but, uh, I'll, uh, I'll add to it with a little bit of ASMR and thanks everybody for having me here. That's good to have you, Kyle. Jason, um, again, most people know you, but for those that don't, who are you, who is CNWR? And welcome to the show again. Yeah, pretty sure it's my mic. Uh, COVID, it's got me like a little winded, more than normal.

So, uh, I am, uh, Jason Slagle, uh, president now of CNWR. Uh, we're an MSP in the Toledo, Ohio area. I've been doing this for quite some time. Do try to take a security focus, do try to poke at various tools. Uh, so I care very much about this 'cause uh, at some point or another, uh, somebody's gonna come swinging at me and I, I'd rather that that not happen. So I care, I care to be able to do this without getting potential lawsuits. Lawsuit. Um, and who is the real Jason Slagle there?

Yeah, I was Just gonna say, Jason, if you can't, uh, if your words fail, you I'll, I'll fill in for you. I gotcha. Nice. You Know, I, did you see that scowl there, Andrew? Um, you know, where did that badge come from? I, I gave it to him. It did come from anywhere. I have his somewhere. Uh, it's at work, I think. Yeah. All right, fair enough. So Wes, um, why don't I let you jump on in here and start off with the questions and we'll get right on into It. Yeah, right on.

So Kyle, read the press release. Super cool. What was happening? Uh, let's, let's set the stage for us, Kyle, if you would, like, why Huntress was compelled to do this, what led to it, and even if you would, Kyle, just kind of talk about what you've seen in the landscape the past year that's really kind of got your gears going with, with, uh, with this release. Yeah, I tried to not give away too much with my introduction. Uh, those of you who don't know.

I spent quite a bit of time in the intelligence community prior to Huntress, which nowadays it feels like a lifetime ago. As you know, six years ago was the last time I was at NSA full-time. Uh, with that said, I definitely created a lot of exploits, found a lot of vulnerable software, and back then it was for gathering and intel. Uh, rewind to 2021, which I think we had a great introduction earlier of saying the supply chain conversations just over and over and over.

We saw whether it was attackers using certain systems to gather, maybe like targeting data, just who to phish. Um, obviously some of the big, uh, headline busters there were the RMM compromises. You know, say it got ru uh, ripped pretty hard with theirs. And, uh, there was a lot that happened behind the scenes. I think Jason probably came on here once or twice, shared some of those details.

But at any given month, I would say I would see probably four to six critical vulnerabilities in MSP and just generally SMB IT stacks. So, um, a lot of attack surface, sometimes abused, to be honest, most of the time not abused because of people finding these vulnerabilities, patching them, uh, vendors sometimes coming out there and transparently saying they were patched. Sometimes they would just say it was an update that came out the door.

But regardless, the important part is the bugs were getting fixed. And that was a big win for me instead of just talking about the losses of like, yeah, there were some people that had their RMMs used against them, but overall I'm glass half full in 2021. And the inspiration overall was when we were in Kaseya, right?

When Kaseya really had their rough time and VSA was exploited, uh, it became aware to us that those bugs or some of those bugs were found ahead of time and they had not been patched promptly. And so I thought, ooh, I should probably get to know this team who found the bugs that was DIVD or the Dutch Institute for Vulnerability Disclosure. Um, they do work in close cooperation with the Dutch government. They've since been formally sponsored by the Dutch government.

I think they've got about three or four more years of funding. And when we saw all that going down, we thought, you know, Huntress raised about $40 million in Series B. Instead of us creating like our own bug bounty and it being this weird like vendor-on-vendor thing, why don't we help an independent party, just like how the cyber call or cyber nation has their own independent party, you know, that, uh, is just there to benefit the community.

So we threw a hundred thousand dollars to, you know, twofold, 50% of it. We wanted DIVD to have some full-time people that could actually work on this program. The other $50,000 is anybody in the community can submit roughly for any vendor and say, Hey, I found a bug and I wanna be able to, uh, make some cash off of it. Which for us, that's a pretty cool, uh, stepping stone. Yeah. Heck yeah, it is. Uh, for sure. And so, um, the announcement just came out recently, right?

But what's been happening with it so far? Give us a catch up on, um, post announcement. What's been going on? Yeah, so we actually made the donation of a hundred thousand dollars back in December. It was a little bit crazy, um, and we tried to take some holiday, which, you know, hackers didn't. But, um, the whole argument behind it was it was never meant to be an acute, one-vendor thing, right? It is not just a Huntress thing. It should be a community thing.

And so behind the scenes we've been working with a whole bunch of vendors saying, Hey, this doesn't need to just be, you know, our headline or a community's headline, you should take part in this. Some of that part means make a, you know, a cash contribution. Some vendors are just too darn small to be able to afford, you know, 50 a hundred K.

So their contributions sometimes look like maybe the establishment of their own vulnerability disclosure program, meaning like their obligation saying, no, we're not gonna sue your pants off if you find a vulnerability in our software. Um, so that a lot of those, and to be honest, I think we've got something like seven or eight vendors who've already committed.

And I think we've got probably about a half dozen other vendors that are saying, as long as this, you know, i's are dotted, t's are crossed and this money isn't going to like Kyle's slush fund, uh, we're happy to support an independent, uh, you know, bug bounty administrator for the community. So I'm really excited. Yeah. And, uh, I, I want go off script for just a second and say Jason to you. Um, it's gotta feel good, right?

Like here you are as an MSP representing all the people that are on the call today, being caught in the crosshairs for all these years. Um, and I'm sure you feel like it's sometimes all you can do is bark, right? Yeah. So put some bite into it, doesn't it? Tell me about how that, just like how has that resonated with you as an MSP? Yeah, I mean, I obviously have been pretty vocal in our space about, you know, the importance of VDP bounty programs and other things.

So when I first heard that they might do this, I got super excited and I think it will make everybody better, right? I think it, it has a potential of funding up-and-coming security researchers, you know, after John Strand's thing, I had a bunch of 'em reach out to me looking to get into the field, right? Like, it, it, it gives them an opportunity to poke at our stacks and make a little bit of money on the side doing it and make us safer. I love it. I love it. Um, let's see.

So Kyle, talk to us more about DIVD themselves. Like what do they like to work with, um, and like what do they have going on? And maybe even if you would like, can MSPs get involved with them in, in any form or fashion? Yeah, so that was one piece that we realized that vendors had a place to play in. But we really, like, let's be real, there's a handful of vendors compared to the number of community members that are either MSPs, MSSPs or something in between, right?

Printer, copier dealership nowadays calling themselves a VAR, regardless of how large the community was. Uh, DIVD, our very first introduction with them was right after we had called, uh, Kaseya. We had let them know about the issue we had been putting out and giving some remediation, but this was like real hot in the middle of it. And they made time and said, Hey, we want to give you a rundown of what we know of. And we kind of swapped stories.

'cause this is when our team, you know, Caleb and John Hammond were recreating the exploit trying to say, is this truly remote code execution? 'cause in that first like 24 hours, there really wasn't a lot of information for anybody. And so DIVD shared what they knew with us. We shared what we had discovered on our own, and the combination we were able to create an exploit that was working and validate.

And so working with that team, we discovered that they already had an established like, code of ethics. They already had like, you know, quite a transparent way of going about it without ever like, sacrificing privacy, which turns out if you spend a whole career at NSA, you start, uh, appreciating your own privacy a little bit better, uh, you know, weird byproduct. And what was needed is, so after that event we were like, Hey, we gotta work, even if it's just sharing threat intel.

And they found bugs in all kinds of software. If any of you haven't seen like, uh, they, they maintain, it's public, and we're talking about from, you know, some of the Kaseya products, but others are like SolarWinds and a handful of others that we're aware of.

Um, and then they disclose it, it's public meaning like after it's responsibly patched, it follows responsible disclosure, meaning like, yes, hackers could technically leverage some of that data, but to be honest, they're already leveraging some of that when it gets patched. You know, hackers are reverse engineering the patch on there. So that was that initial ethics, Wes, that made me realize like, okay, these folks are legit, they don't have it.

And they're really an all volunteer organization. Some of them come from defense, some of them come from offense. And when I talked to them, they said, Hey, we're doing this right now for a lot of Europe and a lot of, you know, obviously, uh, you can imagine Netherlands, but they wanted bigger ambitions. And so we were, we were that first a hundred k. And then with that a hundred k followed a couple hundred thousand more from their government.

And like we mentioned, I think, you know, 12 more vendors is what I just got the update through together about $75,000 more. So it's, it's going, this is a good start. And then you ask that question, any chance maybe we can throw it to, you know, Jason, since I've been rambling, like partners can play a big role in this. When we proposed to DIVD, again, it's not our program, it's, we supported somebody else's, but we said you need to include the partners.

And there's a lot of really sharp people. I noticed David Ellis that's out there in the crowd right now, he's run, you know, uh, assessment programs found bugs on, on his own, but, uh, any chance we can throw it to him so it's not just me taking over. Yeah, let's do it. Um, so, so Jason, um, one question I wanna hear from you is maybe answer that, that part of that question I threw to Kyle. Um, how do you see other, like MSPs are listening today and they're like, this sounds cool.

How can I get involved with it? Are there, are there ways that people today on this call can get involved with what, um, DIVD is doing? Or is it much more just, um, the mission of being involved in vulnerability disclosure as a whole? What do you think? I dunno, I, I would encourage MSPs to be curious, right?

Like, if you, if you start coming across something and your platforms that you use that just doesn't quite seem right, you know, poke into it and then if it looks like it could be something, just submit it, right? Like the, the, one of the cool things out of this that I think could come out of this would be MSP submitting bugs in their own vendor stacks to DIVD making a little bit of money and doing it, and then that gets it fixed for everyone else.

So, I mean, the skills, a lot of these things that are discovered are pretty blatant. They're, they're not huge. They don't require, uh, a lot of things being found now don't require huge giant investments and skill sets to learn, right? So, you know, do a couple CTFs and start poking at the tools that are out there and, and see if you can find something and submit it. Okay. Hey, we, yeah, Can I have a quick question to, to Jason?

Jason, like, what's the proper, from your perspective, protocol? Like, if I think I see something in one of my vendors, um, my, my stack, should it go to the vendor first? Should it go to DIVD? Like if a vendor has a vulnerability disclosure program, like do you give them a chance? What, what, yeah, what's your, and what's your opinion here?

I mean, I, I'm curious Kyle's thoughts on this, but if a, if a vendor has a program in place, I would submit it via the vendor's program, right? Think I I think that's absolutely the way to go, too, Jason, if if they've got a program, why not use their program? They're asking for it, especially if they don't have any, you know, sometimes they have a program, but it comes with like a heavy NDA, um, and to be honest, most security researchers wanna get a chance to publish their research.

So, uh, but I would always say go to a vendor first. And really the reason that a program like this has to exist is most vendors in the channel don't have a VDP or vulnerability disclosure program. Yeah.

And I think that this is, uh, it, I, to my understanding, it's it's gonna have some money in place that even if you were to submit via VDP, you could still submit it to DIVD, get a little bit of bounty on it if the vendor doesn't have a bounty in place, and then they would deal with publishing, right? So it really only stops the ones that have, uh, a heavy NDA in place, even on their VDP process. And the VDPs with NDAs are weird, right?

Like, there's, there's only a couple vendors in our space that I know have one on the VDP, A lot of 'em, but there's several that have it on the bug bounty, but the ones that have it on the VDP are kind of a minimum minimum. Wes, can I do a follow up real quick? Yeah, please. Yeah.

So like, and again, maybe Jason to you first, and then Kyle, like you're, he, you know, I've, you know, in talking to guys like Dana Epp who, you know, for those of you that don't know Dana, Dana was probably one of the earliest, uh, just awesome people that built a company called Scorpion Software, um, AuthAnvil, uh, which got bought by Kaseya like early, early on, on multifactor authentication, um, who's now just, he's a phenomenal red teamer.

Um, but he was talking, Jason, even the big companies like the Microsofts of the world that used to pay big bounties or even pulling the, the those down in terms of size and scale are, are you seeing that? And, and if so, what, what do you feel that's gonna do if, you know, in terms of, you know, researchers getting notoriety and publishing, and are they gonna look to alternative mechanisms to, for that notoriety, if you will? Uh, so I haven't followed that.

So you're saying Microsoft is starting to pull down some of their bounty stuff, uh, way down in terms of the amounts. Oh, okay. So it's just the amounts that are coming down. Uh, I don't, I don't know. I mean, there's a lot of up and coming researchers, right? Like, again, I, I made reference to, I sat through when you ran that, uh, when you ran that thing with John Strand, that first class you did, the SOC skills.

I sat in the Discord all week, and you know, I came in and out of the video, I had two guys attend it. But there were a lot of really hungry people there that seemed pretty sharp, that seemed to know what they wanted to do, right? And the problem is, there's hundreds of those, and they're all submitting resumes that all look exactly the same. Like the only experience they have are the, is this class, right? So they get tossed immediately, right? Because you can't sort through that many resumes.

How can you make your resume different, go find some bugs and publish, right? Like, that's a huge way to say like, Hey, I'm actually quite good at this. And so the, the, the money's coming down maybe at some of the big vendors, right? But we, we still have this need, right? Like there that, that may drive some of those people to our space more, right? Our bounties in the, in the grand scheme of things, the bounties paid by any of the vendors in the channel, they're ridiculously low, right?

I think the highest I know of, go ahead, Kyle. Sorry, I, I, I just wanted to ask Wes, since he's, you know, career CISO obviously got real skills, I, when I see somebody with a CVE in their name, obviously ethics matter too, of how they handled it. But is that attractive to you as like, on the hiring front? Absolutely. And it's rare to find those people, right? Like usually they're the ones that are, they find the jobs they want to go work at. You're exactly right.

It's, it's akin maybe, Kyle, to, like, when I hire a dev, first thing I ask him is, what's your GitHub? Like, it's, it's an equivalent to that, of, of course this is much more rare, a unicorn, but, uh, a hundred percent agree with you both. Yeah. Hey, so Keith has a good question. Keith Nelson, um, long time in the channel, um, he, he says, how do we separate legitimate reviews, uh, and vulnerability dis you know, discovery from the noise that we hear, et cetera.

Second, how do we separate knowledge and reliable sources, sources like this panel? Thank, thanks for that Keith, uh, from Pretenders, I think it's important for the industry. Jason, thoughts on that? And maybe go to Kyle. Yeah. This is hard, right? And, and I, I, until I started getting involved in this, I didn't, hadn't really actually seen this, but apparently there is a huge, huge group of people that just drive around the web looking for like WordPress sites with inactive plugins.

And they send you a bug report saying, Hey, pay me a bounty. I found a 500, pay me $500. I found a bug in your WordPress, but it's just some plugin that you didn't update. I think those make everyone look bad, right? Like, and so I think that it has to be more than a novel attack, right? So it basically, to me, it has to rise to the level of, uh, maybe it's a third. Is it actually exploitable, right?

Is is we have the concept of like low, medium, high, critical, and we can pay differently on all of them. So maybe at the low level you get a T-shirt or something, right? Like it, uh, and then anything higher you scale up from there. I dunno, it's, it's a hard problem to solve for Kyle. You might have other thoughts.

Uh, you know, I, I generally, I we're on the receiving end of a lot of folks who just ran like OpenVAS, you know, some basic scanner and then they submit like, Hey, this says this header's wrong, pay me $500. And that's, to be honest, that's a lot of noise. One of the benefits of having some bit of a central, you know, a, a group that has some authority, like a DIVD, could have been a CompTIA ISAO, could have been any of them, could be cyber call. Let's be real.

Um, having somebody that comes to you has some authority weeds from the signal and noise, right? Because I hear noise all day. So I really like the idea of having that piece. Um, the audience also called out two other, like their subtleties, but they're really important. One of them was Dustin and said, what if you have a problem where they do have a vulnerability disclosure program, but you just don't feel comfortable using it?

Maybe it requires you to sign a heavy handed NDA maybe, to be honest, sometimes they just come with like oddities, like, you don't really know if this time you're gonna get okay with it, or this time you're gonna get like maybe a cease and desist. Big vendors like Cisco and Salesforce have done this to presenters at Black Hat or DEF CON for years. Yeah. We're talking like 20 years of history in case anybody's not tracking.

So having a party that's third party that's able to come through and say, Hey, this was disclosed to us and be able to help protect, that's an extra benefit too. And that happens twofold. One, again, in case there's an alternative. You weren't comfortable with the VDP, you can do it, but Joe Clap and his team, um, you know, they called out, you know, some of us just don't care much about the money, but more about not getting sued. And that's real.

Like, I've had myself like at Huntress, so it's not like I'm taking, giving old stories. While at Huntress I've had probably three run-ins with major MSP vendors' legal teams that we've had to actually represent both ourselves. And to be honest, we've been on the receiving end of a lot of bugs where vendors just said, or, uh, partners said, Hey, I, I, I can't afford even like, you know, a lawsuit and it's just little old me. Can you submit this on my behalf?

So thankfully this gets a little bit of like Huntress as a vendor, on vendor out of the way and gets more of a true independent, uh, to handle some of these. So Kyle, can you define like heavy handed NDA, like give give us an example or two what that means, because I'm not sure everybody out there might know what, what that is. Yeah, so a good example of heavy handed NDA and I'll refer to both heavy handed NDA and heavy handed, like legal response.

We have flat out had a lawsuit threatened to us that is pretty serious. That would be obvious, uh, heavy handed. But when it comes to the NDA, sometimes most solid programs will say, if you agree to participate with this vulnerability disclosure program, you are gonna be able to claim, but you gotta stay silent on us to let us do it long enough to do responsible disclosure. This is going to be, usually it's one of three things. If this is actively exploiting, we're gonna give them seven days.

That's very rare. And that follows a standard Google set. The more common one is we're gonna give this vendor up to 90 days to fix it, and the sooner of 90 days or the vendor fixes it, plus usually a 30 day buffer, meaning it's been patched and now we're gonna give people 30 days to patch, then you could talk about it. That's very normal. Mm-Hmm. However, we're in like a little bit of an old school, kind of 10 years behind modern security, maybe even a little longer.

And Wes, I mean, you, you've probably even heard of 'em just like the, as we picked on Cisco and Salesforce. I mean, it's probably not crazy to think that there's probably more of these NDAs out there. Like, and I don't think it's even worth like bashing. I can't even think of vendors that have some of these per se. Yeah, yeah. But I know they exist and I see Jason smiling 'cause we, we had actually talked about one, but I I can, yeah, I could think of several.

So, uh, I I I'm being good on this call. Uh, Wes may or may not work for one of them, May or may not. Yes. Uh, no. And I'm aware of it, right? And it, it, it eliminates, I mean, I think we can all agree they eliminate your capability to have the freedom to do what's right, uh, should you need to have that card that exists, right? And, uh, I, yeah, I remember Jason when I was a kid, you know how like in schools you have all these motivational posters everywhere.

There's one I've always remembered and it's this, it says something like, stand up for what's right even if you're standing alone. That's like always stuck with me in life. And I think a lot of that comes part and parcel to what we're talking about today, is there's, Kyle mentioned this a little bit, but Jason wants you to elaborate more. There's a little bit of a whistle whistleblower element that sometimes exists with this stuff.

And here you sit as an MSP finding something big that needs to be disclosed. And NDAs can certainly harm that, or, or cer legal motions can certainly harm that, right? Yeah. I mean, I have a case just recently that, uh, of a vendor who I'm not gonna name, who I was poking around and found some stuff, I submitted it to 'em, and then I start hearing through back channels that, you know, they're, if this costs them business, they're gonna sue. And I'm like, really? Like that?

That's the wrong, first of all, I, I'd win, right? I stayed, I didn't do, I didn't cross any lines, right? But when you have to defend, you lose all the time, right? And so I, I care a lot about, uh, about this piece of it, right? And I think that sometimes I get pigeonholed, uh, with like, oh, you just want the sky to fall and the, and the world to end. I, I, they call me chaotic good in several places.

And yeah, I don't mind a little bit of chaos, but the reality of it is, is that I want cha a chance for these things to get fixed. But on the other side of it, I want to know that I may have been vulnerable to something, especially if I'm running on-prem, right? Like the, the one of the programs I'm in, there's three dozen, uh, resolved vulnerabilities and based on the total amount they've paid out, at least half of them are all critical. And I only know about like three of them, right?

So here we've got potentially 12 other critical vulnerabilities that I literally know nothing about. Was I vulnerable to these things? Like what, how do I find out about them? Mm-Hmm. So you bring up the other side of the coin, Jason, that some would say, Hey, you know, we know responsible quote unquote responsible Vulner vulnerability disclosure looks like some might say that, Hey, I I'm a I I'm the vendor. I paid you, I fixed it.

You know, we, you know, like the, the Microsoft issue, like when, when we all of a sudden told the world about the Microsoft issue, the Exchange, now all of a sudden the researchers are, all the black hats are certainly, they're poking around finding other stuff. Is there the other side of the coin and is the legitimate argument that you are opening up Pandora's Box? I, I mean, I think that's the equivalent of an MSP running RDP on port 3389, right?

Like, just because it, it doesn't, uh, yeah, maybe we draw a little bit of attention to it, right? But do those bugs not exist if no one knows about them? But the, the target on MSPs' backs, especially if you run an agent as SYSTEM, is so large and the payout is so huge that I think it's really, really naive to think that there aren't already black hat security researchers poking at some of these tools. Well, I mean, you see them on, like the dark web forums.

I don't, I don't even think you have to like, say naive. Like there's, I can think of two or three where they literally are talking about how to get into free trials or cases where we've seen attacking infrastructure come off of the free trial infrastructure. So, Um, yeah. I mean, you see that all over, right? Where it, yeah, uh, uh, it's, it's not, it's not awesome, right? And, and so yeah, I mean, I get it.

I get the, well, no one wants to put like a giant target on their back, but, you know, I'd rather, I'd actually honestly rather incentivize up and coming security researchers and white hats and people like me to come in and poke these things than just pretend they don't exist. Bury your head in the sand and then just wait essentially for some black hat to finally come across it and 'cause they're not gonna tell anyone. And we're gonna find out about it on a really bad day. Mm-Hmm.

I don't know if you, you gents know this, and it's, you know, I, but there is, you know, quite a bit of, you know, a lot of security researchers tend to agree with kind of what I think has been represented on the panel so far. I just wanna make sure the audience knows.

Uh, and there's, by the way, been all kinds of drama in this. Believe it or not, Google's own security researchers in Project Zero once called out Google at large because they were only permitted to kind of test external software instead of their own Android software. So that's a good example of how the vendors themselves could have their own security researchers that disagree. And I just ask the audience to keep that in mind.

But the point I was going on here is, there is another side of this coin where some people believe vulnerabilities should stay quiet. If you find a vulnerability in a, a plane or something like that, maybe you shouldn't share that because it could be exploited. And I tend to be of the type that if the only people who know about it are the people who are going to abuse it, that's kind of like the, you know, with great power comes great responsibility.

And to be honest, if you're only leaving the criminals with a great power, that, like, that to me doesn't sit right. But I think it's worth representing that some people disagree. I mean, our hundred thousand dollar contribution, I've got one or two already that vendors said, I would never partake in this. I'm not a fan. And to be honest, that's, that's their right. Yeah.

And I appreciate that, Kyle, that you're, you are open to hearing all sides, 'cause I think that's part of this whole thing and, and we're gonna hear different, you know, different sides of the equation. Wes, I, a bunch of your questions, I, to, I mean, you're making me think, Kyle. Um, I think you're right. Like I think if Chris Roberts were on the call, you mentioned the airplane thing, that really got my mind going, right?

He's, no, he's, his notoriety came because he found something and disclosed it while he was on the plane, and they, they were there to throw him in cuffs as soon as he got off. Uh, what a wild world. Um, and I think Chris, I don't wanna put words in his mouth, but I think if he were on here today, he would say, guys, what I was doing was not really that complex.

And so I think his argument would be, if I didn't do it and say something about it, and, you know, even God forbid, had I never disclosed it, it wouldn't be hard for someone else to do the same thing with nefarious intention. Um, I wonder, and, and Jason, I'll start with you. Do you, do you think that, um, board-level and, and, like, shareholder mentality over vulnerabilities and disclosures is slowly starting to change, that they're looking at it less like a threat?

Or are we still mired in this whole, like, oh no, we must hide these things 'cause what happens to our shareholder price should something happen? What do you guys think? Uh, I, I think it's a double-edged sword, right? Like, I think that, you know, maybe when there's a vulnerability release, there's some negative connotation and maybe it hits share price. But I think that there's been enough really bad things that have come out recently that have very negatively impacted share price.

That if you can come out and say, like, Hey, we had these problems and we fixed them before we were Exchange or Log4j or something like that, uh, there's something to be gained for that. So I think it's probably starting to come around a little bit. Didn't, what, Jason?

Isn't, didn't that happen, if my memory serves, wasn't it Ubiquiti where they didn't allow it to come out and then a bunch of exploits happened afterwards and their, their shares got hammered, um, last year? I don't know if there had been any in chat. There's been many of these that have happened. Several.

I don't, yeah, I don't recall if it's just Ubiquiti, but I remember, I mean, anybody old enough to remember the Weev case against AT&T, he was actually using a vulnerability to short stock and ended up going to jail. So there's like a 20-year history of this before any of this even came to the MSP world, right? I think the coolest part is we're now all getting to say what is our version of the story?

Are we gonna repeat the age-old, you know, issues where the board just, you know, gets salty at these? Right? Right. It's just wild. I, I just, I just take a pause for a minute. It's just wild. Like, I think back to, you know, 2016, Wes, when you and I kind of first met and we were just evaluating the overall maturity of the MSP from a security maturity standpoint, and where we are in 2022, it's staggering, the, you know, evolution. Um, yeah.

Even though it's six years, it's, it's been pretty profound in six years. Uh, what are your thoughts? Yeah, well, I think you're right. And I think, uh, Kyle, you, you mentioned this a minute ago and you said like 10 years behind. I mean, I think the MSP space, both the vendors and just as a, as, as a whole, we typically lag five to 10 years behind. Right? And there's a lot of reasons for that.

I'm not hating on anything or anybody, I'm just saying you look at the motions on where we're at and even the SMB demographic on what they're willing to do and think and say, and then finally coming under target, you know, these things are all relatively new for a lot of them. And, and so there is a bit of a lag that exists here. And, and that's okay. Like, I think we are moving the needle, uh, probably not fast enough, but I do think we're moving.

And that's, Jason, I was curious what your thoughts were, uh, on that question. Yeah, it, it's, uh, I, I think it's coming along, right? Like, but I think that's also further, further mired by a problem of, uh, crazy valuations in our space, right? So that's incentivized a bunch of people to go out and build something very quickly to a certain size and MRR just so they can flip it and sell it, right? So in that case, security is definitely not the first thing on their radar.

You know, as long as they can get it, build it and offload it before anything is found in it, then, you know, what do they really care? And I think that's a really bad way to take it on. And maybe I'm just cynical in saying that, but sometimes it certainly feels like that's the case. Yeah. Well, just kind of, uh, what I heard on Friday, which kind of maybe typifies this in a very positive light, is, um, not only is Phyllis Lee coming to Right of Boom now, and, uh, she's gonna be presenting.

Yeah, she is. But, um, one of their executives also is coming. So I think we are making a difference. And I think, you know, folks like, you know, Wes and Jason and Kyle and all the people that are on the cyber call week after week, last week was John Merchant and Sunil Hughes, our keynote speaker, um, everybody's doing their part. So it's cool that we're, we're starting to be recognized and, and, you know, getting the attention of major organizations.

Um, so, um, Jason, I, I had, I had some questions for you. Can, you know, not everybody out there understands bug bounties. Um, and we've heard VDP, vulnerability disclosure programs. Can you give us a 101 version of what it is, just in case folks out there may not know what they are, why you got involved, um, et cetera? Yeah. So I'll start with, uh, vulnerability disclosure program, right? 'Cause I think that's the base that all this stuff's built on, right?

So, uh, a vulnerability disclosure program basically lays out, uh, how you take a vulnerability and report it to a company, right? So it'll lay out all of the pieces necessary to lay out what is in scope and what is outta scope, right? Like what you're allowed to do, how to report it, like what protections you have if you do report, right? Because sometimes there is a line, right? Like there, there's this, there's this line where you can walk up and say, okay, this is stuff open on the internet.

Like a certain amount of poking is expected, but sometimes to validate that you actually have a vulnerability, you come real close or you cross that line, right? So you cross into potentially the, uh, uh, you, you cross into the wrong side of the law line, right? Or essentially you're on an unauthorized computer access, right? So the VDP will, will typically shield you from action if you follow a given set of rules, right?

So there's, uh, there are a number of things that, you know, you typically would see in it. Again, like scope and stuff like that.

A bounty program will typically build on, on a VDP, and a bounty program will basically lay out a set of rules, and they say, if you submit something to us and follow these rules, and one of the biggest ones is disclosure and disclosure timelines and responsibly disclosing, then we will incentivize you and we'll pay you essentially, uh, for the work and the time you did. Right? And sometimes these are, these are long things, right? Like I, I own a couple of CVEs in Automate, right?

And ConnectWise Automate, and the, the total beginning-to-kill-chain amount of time it took me to weaponize that, it was 40 or 50 hours, right? So, you know, it, it's nice to get a little bit of money and a little bit of credit for the fact that your time's not necessarily free. Yeah. And you know, Jason, I think you're onto something. Like, uh, if you look at, um, the CISA Act that was, that was pushed I think in 2016, something like that.

One of the notable things that was good about it was it defined protections that private industry can have when they're sharing intelligence, uh, through an ISAC as an intermediary. And that was the big thing that legal was so scared of, is like, can we actually take these pieces of intelligence and share them? The federal government could get that, they could subpoena us, and we're in a world of trouble, we're just not gonna share.

And so CISA designed those protections, and I, I think you're getting onto something, is that one thing that could help them move the needle as well is, could we have legislation, uh, that does design protections around, uh, those that disclose? And I, I don't think we could have a more important time to talk about that than the, the, it was mentioned by somebody in chat, uh, what's happening in Missouri, right?

So the governor's, you know, allegedly going after this journalist that exposed some social security numbers that were in raw HTML. I wanna, I want, get a, you need this, I want a custom key cap for my keyboard. So F12 says hack, right? Like, yeah, I think, I think that'd be cool. Yeah. I mean, I think it's, I think it's important and I think that we need that, right?

We need, uh, we need protections around, uh, you know, if you're doing things in a white hat kinda way. ISACs have those protections; I'm not sure ISOs do, right? If they did, then we could potentially start to utilize the COP T one for some of this stuff. But, you know, in the meantime, it, it, we can, part of the reason I'm so excited about this DIVD thing is basically it provides a little bit of a layer of shelter to me if I go poking somebody that I think's gonna come swinging at me.

Yeah, agree. Uh, Kyle, what do you think, you think that would be helpful? Or is that just adding more misery to it, seeing legislation come out? No, I, I think it's, um, it's always a fine line on implementation. I think about how many things that we've benefited from, like, you know, the Digital Millennium Copyright Act, also versus, like, how many times that it, it caused trouble. Yeah. But I think as long as it's thoughtful, um, that protections at minimum would be nice.

Even if it came through some sort of sanctioning. If this, you know, maybe it's MITRE, maybe it's a handful of these things, that'd be nice because to be honest, there's a lot of gray area where you can sometimes stumble.

And when I say stumble, I mean some of these bugs that, you know, I personally have found here in the channel, they literally meant me going to the website and looking at either the source code or looking at, like, if you hit F12 and you look at the dev tools of what's going back and forth, and sometimes credentials are just in there in clear text.

And what's scary about that is, could you imagine if all you did was hit F12, took a look at it, and had, you know, that, that opened you up to legality or, you know, issues of, of your legality of doing that? Ah, that, I mean, that, that doesn't do anything to incentivize you to make the community better.

So I would be a fan, Wes, if there was some appropriate level of, you know, uh, immunity, uh, immunity or, you know, amnesty, saying, Hey, if you followed these and reported it this way, that'd be a nice step in the right direction. But I think it would come down to execution. Yeah, I agree. I agree.

Kyle, are you seeing more MSPs asking for your VDP, like more about, you know, as the years progress and we're talking about maturity of the MSP and obviously more regulated, you know, as MSPs are maturing, they have more regulated customers, more third-party audits. Are you seeing more requests for your... Yeah, we, we've had cyber calls in the past that talk about, you know, hey, what does SOC 2, what goes into it? What's the value?

We've obviously had cyber calls in the past that talk about other things. Do you have security audits, pen tests? Uh, the, probably the most exciting thing is I've had fewer people ask for, like, SOC 2 Type 1, Type 2. I mean, there's value in these things. Let's not, let's not, like, you know, try to smear any of these. But some of the ones that they usually should be asking for is, when was the last time you had a third party come and audit your code?

And not just asking, like, you gotta be very specific. There's a difference between an external scan, an internal, you know, vulnerability or pen test, you know, assessment, and then truly an audit of your source code. Those are kind of three levels, and we're not even really there, Andrew. So I would really say that fewer of the partners are asking to that level of precision. But I am getting people asking, do you have a pen test that you've recently done? Are you gonna, you know, can I see it?

And so for us, a lot of times, like when you share these things, they, they're, you know, marred by an NDA saying, yes, but you gotta sign this NDA. We're trying to also push that balance for ourselves. We actually made a repo recently on GitHub where we're going to start publishing all of our third-party code, uh, tests, all of our audits, just to be able to help reassure people.

So I don't think we're quite there, Andrew, but like the most operationally mature, usually folks that have, like, a security team, they'll ask. Mm-Hmm. Um, or even at renewal, they'll just say, Hey, we know you lead this stuff, but can we see it?

And it just, you know, it helps you sleep a little bit better to know that, like, okay, there's some bar. It doesn't mean there's no bugs, but it means there's some sort of a bar, and, uh, you know, I'd like to see that more because I personally would feel better being able to recommend. Like, a lot of people ask me to recommend an RMM. Well, if I knew nothing about the code, but I could say, Ooh, this team over here who's known to do good audits is looking at their code, Veracode, Bishop Fox, I don't care whoever it is, looking at your pen thing, you know, it could be, you know, somebody like, uh, you know, the Unveil team that was in here.

You know, I feel good when I know good people are looking at code. So anyway, I know that's a little bit of a long-winded rant. Yeah, we're not quite, it's, it's easy to miss though too, right? I've definitely seen audited code that has problems in it, right? Like there's, there's a lot of quality differences between the, the, the code auditors, and there are definitely cases where things can be missed.

Like I could, I could see a world where the Kaseya bug was missed by an auditor just because the authentication bypass required, like, at a casual glance you don't see it. Yeah. Right? So we've got a state machine here where the, to use big words, the cyclomatic complexity of that, uh, of that function is giant, right? So like there are so many code paths down that, down that rabbit hole that it's impossible to audit it sanely. Yeah. Yeah. Well no, that's real. That's excellent.

I'm putting a, uh, real quick, Kyle, you continue, but I'm putting a real quick, just short video, um, in the chat. This is shortly after the July 4th incident when we did have John Strand on and posed a question, how do you ask your vendor if, how do you determine if your vendor has good application security? And in about, you know, two or three different questions he really nails, um, nails it. So it's a short video.

I think it's two, three minutes in length, um, that's out there for you as well. Kyle, you, I think you were gonna say something. So Wes, you and I often talk about, like, the business aspect of this. I've really been hassling my founders with a question recently that's kind of keeping us up.

Like in enterprise, when you're paying, you know, um, several hundred thousand dollars per year for software, uh, you can easily ask for certain things, whether they're SLAs, audits, indemnifications. But like in the world of most MSPs and SMBs, almost all those go out the, the window, because to be able to provide those, you have to charge more. And then there's not really, you know, and clients don't have it.

Have you seen or thought about similar, like, issues there? And I'm not saying, obviously, charge more, but we kind of are forced to have to take more risk. Are we not, or, yeah, what are your thoughts? I agree. I totally agree.

And, and I even saw this on the Perch side, from the other side of the fence, when we were working with, we had some really large clients, like one that's a major card carrier, for example, and the amount of due diligence and work and effort that they put us through, um, was significant. Some of it for sure was just security theater, I get it. But like their capability in big enterprise to, like, force and command, it will be done these ways.

And we want to see these things and you must do this and that. You must have these in your provisions and these protections for our company and these, uh, disclosure guidelines, on like, you're gonna tell us if you see an incident within X days, and they can force all of that. Here I am as a small MSP going to a vendor asking for similar things, you're gonna get laughed at. Uh, that's a problem that we have for sure.

And so I, I, I'm, I'm thinking about, I don't have any answers, Kyle, but I do, I do agree and I think it's a problem. I, I wonder if cyber insurance is gonna be a huge help here when we see changes that are going to happen. Like, you talk to people like Dustin here in chat that's very, very aware of this. Um, could this force some standardized changes across the board that gives some teeth in areas that I think are critical?

I sure hope so, because you're pointing out a problem that exists that we just don't, we might have the buying power, but we're all too individual to, to really exercise it. That is maybe the better way to say it. Yeah. Yeah. I think, by the way, Wes, I think you're right about coming back all the way back to insurance. I mean, I think, you know, if, if the carriers say you will have, you know, and we're seeing it already, right? We went from, yeah, a few questions.

You know, when we had, um, uh, Lockton on a few, few months back on cyber insurance, and their CISO, uh, Peter, said, Hey, you know, five years ago, it's, you know, can you answer these five questions and do you have a heartbeat? Well, right, you know, $25 million of cyber for you, to now most of the MSPs are seeing their customers and their own renewal questionnaire, seven, eight pages, aligned fairly well to, uh, CIS's Implementation Group 1.

Um, and, and lastly, I will say, I've gotten questions, um, from, I know one person actually I saw out on here, is like, you know, when, when you're starting to talk about, you know, privileged access management, logging, et cetera, uh, to get a, you know, a cyber policy, um, man, they could really force it. And, and lastly, the good news, the good side of that, I think, Kyle and Wes, would be, you know, higher prices for the MSPs. No, I think it's going there.

I mean, insurance is probably the most, what I would say, despite all the vendor marketing and all the education, for whatever reason, insurance has probably moved more partners to the right of boom, uh, you know, you know, meaning the detection and response side, than maybe anything that I can think of. And, and at least the last couple years, requiring EDR or at least EDR attestation.

Uh, and what's interesting about that is I've also seen in the, the back half of 2021, for the, maybe the first time, that after you had an incident and when you went to claim on your insurance, them bringing your attestation back up at your renewal and saying, you said you had these. IR is coming in, they're gonna help you get back up and running. They're also going to validate whether or not, you know, what you attested to was truly implemented.

And that's, uh, to me, that, that's the thing that's really, I think, moving a lot of folks. Um, so I, I think we have to be careful there too, right? Because a lot of these questionnaires, they're not rating on everything, right? So the, I think that a lot of MSPs, their gut-check feeling is like, oh, I have to answer yes to all of these, right? So I'm gonna go out and buy 9,000 tools so that I can have pen tests and all these other things.

And the reality of it is that they're not rating on those questions. They're not affecting your rates. They just want to know. So it comes back to what Kyle said, is if you say you have it and then later you don't, you might be in trouble, right? So I, I wish insurance carriers would indicate which of the questions are actually being used for rating purposes. So, which ones? Yeah. Jason, I love what you just said.

This question, 'cause it, Todd asked a question in, in, posted this question, and this is really good. I'm gonna, I wanna give it my 2 cents, but I'd love to throw this to Wes as the CISO. So Todd asks, are there recommendations of things we need to ensure are in our cyber policies as MSPs?

Wes, the thing that comes to mind, the biggest thing, is if you have a cyber policy and you're saying you're doing this control and you're not, that's probably the biggest concern you have, Todd, but I wanna turn it to the legitimate CISO on the call. Wes, thoughts on, well, well, do you mean specifically with regards to insurance, Andrew? Well, I think he says in general, broadly, yeah. Uh, things we need to ensure in our cyber policy.

And, and you know, like I said, what comes to mind to me is if you have a cyber policy and you're saying you're doing this, that you better be doing it. That's the big thing. If you, if you are ever in a defensible, you need, you are in a, need to be in a defensible position. Yeah. Y, you do. And, and I don't know if, um, Dustin can come on chat for the next three minutes to kind of talk about his side of the fence, but he knows more about this than, yeah, Dustin.

I think most folks. Uh, other is, hold on, I'll pull him up. Yeah. Dustin Bolander. Dustin, I'm calling you out. My, my, my friend. I hope you're okay with this. Pull him up here. Hopefully his technology works. Yeah, well, he may be scrambling. He is like, oh no, I gotta throw a shirt on or something. I don't know. But, uh, hey, my boy, say he typically is shirtless on most calls. Yeah.

So this is gonna be interesting. But I'll say, long hair blowing in the wind, I, I see two problems where this comes up. One is the MSP or the client doesn't actually understand what insurance they thought they had, right? So case in point, that Dustin, that actually shared with me, he had a client that had no coverage for social engineering-based threat vectors. None. He had no idea. That could have been a nightmare, right?

And so sometimes there's a misunderstanding, and then sometimes it's like you said, we say we're doing something we're not. We just yes, yes, yes through something. And that's gonna be a problem when claim time comes. Uh, right. So yes, I think both of those are things that we really need to think through. And MSPs are now in the age in which they have to learn. They don't have to be experts, they don't have to become, uh, insurance brokers, but they need, ah, there he is.

Dustin, I'm just gonna shut up and let you talk. Yeah. Dustin, any thoughts on meetings today? So you don't have Dustin or Alex? Me, Dustin? Yeah. Um, oh, geez, where do we wanna start? Uh, no, it's, uh, the industry on the insurance side is really looking at, it's moving so fast, I guess is really what to say on that, that, remember, it's looking back. Insurance has been, we got a hundred years of flood data, for example, right? You know, global warming.

I'm not gonna get into that argument, but that stuff changes at a very slow pace. So that's the big problem with the insurance industry right now, is just, it's moving so quickly and it's, you know, I'll walk into these insurance meetings and it's a bunch of old guys in suits, right? So it's like, oh yeah, we got the, what, 10, 12 years of cyber data. And it just, I mean, Kyle knows, he's living and breathing this, it's changing on a weekly basis.

So that's been, whenever you guys are seeing this stuff where it's like, why are they asking this? Why are they thinking this? Is the industry still in a major look-behind model? They're just now starting to get it. This last year just destroyed the cyber industry so bad, the cyber insurance industry, that now they're starting to sit back and go, okay, wait a minute. Let's, like, you know, what's coming? What could we be doing different? Rather than sitting there churning on 10 years of data.

So you are gonna start seeing a lot more changes this year, um, in a good direction. Uh, it's gonna be frustrating for MSPs because it's still heavily data-driven. Whether it's accurate or not is, you know, the underwriters, uh, the actuaries see stuff and it's like, oh yeah, the numbers say this. We're, we're sitting here, we're like, oh yeah, it's not actually though because of that, it's because of this other thing.

Um, so that'll take some time to change, but they actually are starting to listen to the experts here. I'm not saying me, but, you know, the Weses, the Kyles, the Jasons, um, and starting to ask those questions. Um, they're, there's, I have so many NDAs and stuff, I can't speak a ton to it, but, uh, there, I'm getting a lot more interesting questions these days than, you know, the middle of last year, where it was just like, here's how things work.

Dustin, do you foresee that there could be the analogy of telemetry to the teenage driver, their po, you know, their rate would be X if we are able to monitor their speed? Yeah. Do you see control monitoring as a potential in the future? Yeah, there's some of that going on already. Uh, Coalition, I believe, is one that's doing it. They have an AWS plugin, so they'll look for stuff like, uh, publicly exposed buckets, things like that.

Um, but there's still some interesting, uh, Microsoft did a partnership recently where it's like, oh yeah, if you use Business Premium, you know, we'll give you a discount. But then whenever you actually go to do it, it's manual paperwork to fill out that says we're using it. My guys, it's so easy. It's right there. Uh, so yes, I think you're starting to see a lot more of that this year. Um, there's a couple people that are dipping their toes into it.

Um, but the insurance companies, again, remember, it's a conservative industry. They're scared to death of it. So it's gonna be, somebody has to kind of get in first, and then whenever they see that working, um, that's absolutely the future. Yeah. So it may be an innovative company taking that first step that sees a gap there. Yeah. And if you look around, there's a couple people that are, you can tell they're thinking about it, but yeah, nobody's really come fully out on that yet. Right, right.

Wes, you called him up here. Any thoughts, anything you want to ask, uh, Dustin, mate, here? I mean, I think you're right, Dustin. I mean, this is where the teeth is gonna, where it's gonna come in. Um, and I think rightly so, right? W, would you agree with that statement in terms of, like, the teeth to force change both for clients and for MSPs?

Yeah, so one of the craziest things that we have happening right now is that I have been actively putting together a, uh, not really a recommendations list, but a list of industry-specific MSPs, because we have on, uh, our side, that's the agency side, customers that are saying, oh, I need MFA, I don't have that. How do I get that implemented? My current IT company hasn't done it.

Um, so everybody's starting to sit up and take notice, and that's actively driving, you know, people to look for IT support, look for MSPs, things like that. So yeah, it's already happening. Yeah. Well, uh, Andrew, we kicked off a firestorm of questions that we only have three minutes to not answer, uh, in chat.

So we probably need, anything you see, Wes, that's really standing out to you or, or that, well, the, the normal things, like Todd's asking a couple of good questions, like, a commend, like we just don't have time for, but like recommendations of things we need to ensure that our policies have, uh, you know, how to compare.

Like, yeah, I mean, these are the things that I'm seeing MSPs really start to be like, I, I'm involved in this dance, I, I better recognize that and get started. Come, come to Right of Boom is the answer, Wes. 'Cause we're gonna have, like, we've got several hundred MSPs, many of the top ones in the nation, by the way. Um, and, and, you know, if Jason, I know you're gonna be there, and I know your CISO, Dustin, um, you're going off Hoy Toyota of the UK so you can't make it.

But, um, but, but right, Jason, isn't this where, like, you know, after hours we're, you know, talking to everybody and, you know, where, what you like? Yeah, I mean, the, the content at conferences like this is good, but the, the after-hours drinking and bullshitting tends to be my favorite part of them. Yeah. Can't imagine why. Yeah, I think for all MSPs, right? Um, and, and the content here is no slouch, and plus Wes is the MC. So, you know, come for the fanfare right there, right?

DJ Jazzy Wes, you know my, my MC name. Well, Dustin, thanks for jumping up here. Kyle. Yeah, absolutely. Um, in the last minute here, uh, I can't believe it went that quick. Um, again, thanks for coming on. Anything you'd like to wrap, wrap up with? And go ahead. Yeah, uh, just like it takes, you know, uh, a community to raise a child, it takes a community to be able to improve, uh, the security posture of our products.

So if you've got cash, obviously that's more for the vendors that are dropping on here, you should absolutely look at contributing, right? It could be DIVD's program, I'm obviously biased. Could be some other way. Maybe your own VDP program. Uh, for the community, though, really, there's a lot more of us here. It's a good chance to go hassle your vendors. Are you supporting? How are you doing this?

If I wanna submit a bug, I can tell you that momentum and pressure from the outside does a whole lot. Stay, uh, proper, right? Stay professional. I don't need anybody throwing horse heads at vendors saying, Hey, you're not doing it. But I can tell you that pressure helps a whole lot when somebody like me and my team come forward and say, Hey, it's really time to move this thing. Let's make your code, let's make other people's code better. Let's contribute together as a group.

Um, it makes those conversations easier when they're being pressured from the other side too. So thank you. Yeah, no, thanks for joining us, Jason. Um, any closing thoughts from you? And I hope you are feeling better very soon. Yeah, uh, I mean, I'm cooking something with some people to maybe help vendors work on VDPs if they, if they need help doing one. Uh, but I, I too just want everyone to get better in this space, right? I, I want, uh, I want to not, I wanna sleep better at night.

Let's be real, right? And, and right now it's not great because I feel like it's only a matter of time before the next, you know, Kaseya-level event happens. And hopefully it's not my tool set they hit when they do it. Yeah. Alright, so with that, Wes, as always, um, wonderful seeing you, my friend. I look forward to, um, next Monday, and we'll be back, and wishing everybody a fantastic week. Take care, everybody. Thanks, everyone.
