Real talk: the MSP vendor community needs to get its shit together.

Small and midsize businesses—which represent more than 99% of the organizations in the US and are the cornerstone of our economy—are depending on us to protect them from today’s determined cybercriminals and nation-state actors. But we’re not doing enough to help them. 

2021 was a year filled with high-profile attacks and vulnerability disclosures within the SMB and MSP communities. That’s because attackers know most small businesses struggle to defend themselves and that MSPs act as gatekeepers to dozens if not hundreds of SMBs. 

At Huntress, we spend a lot of time tracking, analyzing and trying to help the community navigate through these incidents—some examples are below:

• Vulnerabilities and Information Disclosure in Crewhu Survey Software
• Hackers Exploit Billing Software BillQuick to Deploy Ransomware
• Ransomware Deployed via Kaseya VSA in Supply Chain Attack
• Zero-Day Vulnerabilities in Event Management Platforms

As we head into 2022 and look toward the future, we’re putting our money where our mouth is to try and accomplish a few things:

• Destigmatize and celebrate vendors who are transparent about security incidents and blindspots and who share the work they’re doing behind the scenes to strengthen their platforms
• Enable IT professionals to increase their cyber knowledge and chops—by hosting our own training events, covering attendee costs for other trainings and programs and more
• Establish incentives for members of the MSP and SMB communities to spend more time testing, breaking, and pwning the tools they use so vendors can find and fix issues faster and improve code quality

To be clear: we’re not here to shame anybody. We’re here to acknowledge that unless we come together and hold ourselves to a higher standard, this problem is going to get worse before it gets better. And we’re holding ourselves to that higher standard too.

We were super fortunate to raise a $40M Series B last year—and we’re excited to begin investing that money in ways that’ll enable different types of organizations to better secure and support the 99%. 

To start, we’re making a $100,000 contribution to the Dutch Institute for Vulnerability Disclosure (DIVD). DIVD is a volunteer-led organization with a team of highly skilled security researchers who analyze threats and report vulnerabilities globally; they played an important role in a number of high-profile incidents over the last year. To proceed in an ethically and legally just way, DIVD has developed this Code of Conduct. 

That $100,000 is being used in two ways:

• $50,000 will support DIVD’s continued growth, enabling the group to hire its first full-time staff and do more of the awesome work they’re already doing
• $50,000 will be used to start a DIVD-led bug bounty program to create a financial incentive for individuals to effectively disclose vulnerabilities and discoveries specific to MSP and SMB IT tools

We’re excited about these opportunities and look forward to continuing to invest in programs that help elevate SMBs above the cybersecurity poverty line. 

But here’s the kicker: we need others to join in, too. Working together as vendors and community members will allow us to make a much bigger impact than if we stay in silos or get stretched too thin across just a few key initiatives. So, we’re putting an open call out for anyone interested in joining us to please reach out and get in touch:

• You can reach Huntress here 
• You can learn more about the bug bounty program here
• You can contact DIVD directly about the bounty program at bugbounty@divd.fund

As long as hackers keep hacking, we’ll keep hunting—and we hope you’ll join us as we work to deliver greater security to the 99% of businesses that need it most. 

•••

Update (2/3/22): We're pleased to note that since this blog was published, other MSP vendors have teamed up with us, pledging to donate a combined $75,000 to DIVD! Learn more here.