Snow’s Approach to Security and the Use of Bug Bounties

Discover how our program encourages security researchers to help refine and improve Snow products.

At Snow Software we have always prioritized the security of our products, as we recognize that the trust given to us by our customers and partners must be protected. Several years ago, Snow launched a responsible disclosure program, and we took it even further in 2020 by launching our bug bounty program.

Offered by many websites, organizations and software developers, a bounty program allows individuals to receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities. It encourages security researchers to help refine and improve products. While we have always proactively conducted regular penetration tests on all Snow products, by adding such “responsible disclosure” mechanisms, we can greatly enhance our security.

Over the past year, many organizations have told us they increased the level of scrutiny they carry out for all new suppliers. Looking at an organization’s approach to responsible disclosure and bug bounties is a good way of assessing a supplier’s maturity and whether you can trust them with your data. For example, if you look at companies like Microsoft, Salesforce and Apple, they all have active programs.

Building on Snow’s security program

To further develop our security program, in September 2021, Snow became a Common Vulnerabilities and Exposure (CVE) numbering authority. CVE records are crucial tools that allow organizations to track known vulnerabilities within their technology estate. Snow has become a CVE numbering authority so we can allocate CVE numbers and better manage our responsible disclosure process. It also allows Snow to contribute to the wider CVE community which our products consume, to provide our customers and partners with a better perspective on their risk.

Snow Risk Monitor uses vulnerability data from several sources, including the CVE feed from the National Vulnerability Database (NVD) in the U.S. Our customers and partners alike use Snow Risk Monitor to analyze their own inventory data for known vulnerabilities. Visibility of unpatched bugs helps highlight risk and typically leads to change within an organization as it enables the security team to advocate for improved security management.

Staying on top of risks 

At Snow, we believe it is our responsibility to safeguard our customers’ and partners’ data, along with our own. The Snow platform further amplifies this by allowing our customers and partners to assess the constantly evolving environment and ensure that they are on top of the risks they are facing.