New generation security testing: Bug Bounty

We are happy to announce that the HACKTIFY blog has been launched! We aim to share IT security news with you regularly. In this first post we introduce one of our main services: Bug Bounty.

Background story

Most companies now have a presence on the Internet. Data-driven businesses are multiplying, industrial firms are seizing technology-enabled opportunities, and the range of online services keeps broadening. These services are used by a growing audience every day: online banking, ticket purchasing, insurance, and of course social media.

Since the GDPR took effect, data protection has become an even more pressing concern for companies. In spite of this, the security of our region's online services is still in its infancy. Yet a CEO who commissions a risk analysis will quickly see that the cybersecurity risk is substantial and that security controls are a precondition for growing the company. A cybersecurity podcast offered a good metaphor: security controls are like the brakes of a car: without them you cannot drive faster.

The job of the Chief Information Security Officer (CISO) is hard in general: they must prepare for the inevitable without hard data of their own, and still justify the budget needed to build or maintain the IT security programme.

What is certain is that every year more data is stolen in data protection incidents. According to ENISA (European Union Agency for Cybersecurity, https://www.enisa.europa.eu/), tens of millions of data breach records were exposed in 2020. Computer crime is on the rise, and such offences will only become more common.

Fortunately, a growing number of companies have their own IT security officer, or even a team, who identifies which systems are critical to the company's operation and to achieving its business goals. Once these are identified, the next question is whether their protection is adequate. In the best case the team has the means or the expertise to run a vulnerability assessment that finds the weaknesses in those systems.

Ideally this testing is repeated after every change to the service and/or at a fixed interval (e.g. twice a year). Without it, the company remains unaware of its own exposure and carries considerable risk. A step beyond periodic testing is to open a Bug Bounty programme. But what is that?

The history of the bug bounty

In 1983, Hunter & Ready were the first to offer a Volkswagen Beetle (a.k.a. a Bug) to anyone who found and reported a problem in their Versatile Real-Time Executive (VRTX) operating system, thereby starting the first known bug bounty. (Source: https://en.wikipedia.org/wiki/Bug_bounty_program)

Over a decade later, on 10 October 1995, Netscape launched the first bug bounty programme in the technology industry, for the Netscape Navigator 2.0 Beta. The idea came from Jarrett Ridlinghafer, who noticed that the browser had a great many enthusiasts, software engineers by profession, who reported its faults out of goodwill. This revealed the power of community testing, based on the thought that two heads are better than one.

They were followed between 2002 and 2005 by the first third-party vulnerability purchase programmes (iDefense, Zero Day Initiative) and by Mozilla; then in 2010 and 2011 Google and Facebook launched their own Bug Bounty programmes.

In 2011 the first Bug Bounty platform was launched in the US: companies had discovered the advantages of bug hunter programmes, but validating and tracking the incoming reports demanded considerable staff time from their own teams, so it was easier and more cost-effective to outsource these activities.

2020, Hungary: three IT security officers decided that the companies of this region deserve to take part in new-generation IT security testing, and so the HACKTIFY platform was created (hacktify.eu).

What does our platform do?

Ethical hackers help enterprises discover their vulnerabilities before malicious actors do. In other words, running a bug hunter programme lets a firm locate vulnerabilities proactively. It is thus a complementary way of finding software and configuration errors that would otherwise slip past developers and security teams and cause serious problems later. Bug bounty programmes also build a culture of openness, transparency and responsibility.

If the company cannot afford such a programme, publishing a Vulnerability Disclosure Policy (VDP) is still highly advisable.

A VDP defines how anyone who finds a vulnerability in the company's services should report it. Its essential part is the legal notice (safe harbour), in which the firm commits not to take legal action against a reporter who follows the policy. This creates a win-win situation: the company learns of flaws that its own security staff might never have spotted, and the reporter can rest easy, because once the error they found and reported is fixed, the service, and with it the internet, is more secure.

The process of the Bug Bounty

  1. Defining the programme
     • As a first step, we identify which type of programme would benefit the owner most: public, private or on-site. In a public programme any ethical hacker may test the systems and report findings. In a private programme HACKTIFY's ranked testers (https://www.hacktify.eu/en/leaderboard/) are invited to take part. On-site programmes are the most discreet: testing takes place at the company's premises or in its lab.
     • Together with the company we then settle the details of the programme: which services are in scope, and are any parts out of scope? Are any testing methods prohibited? Which vulnerability classes does the customer want reported, and which not? How large is the reward for each found and accepted bug?
  2. Conclusion of the contract
     Negotiations always end with a contract, after which the programme starts. For a public Bug Bounty the Programme description is updated and every registered user is notified.
  3. The beginning of bug hunting
     Ethical hackers start testing the systems in scope while obeying the Programme description and the Testing rules. If they identify a vulnerability, they file a bug report on HACKTIFY's platform.
  4. Validation of the bug report
     • HACKTIFY receives the report and checks whether it complies with the rules and whether it describes a new problem or one that has already been reported.
     • If everything is in order, the report is forwarded to the owner of the programme.
     • The company verifies the bug and notifies HACKTIFY of its acceptance.
  5. Payment and closing the report
     • HACKTIFY transfers the reward to the reporters of accepted bugs. Reputation points are awarded according to the criticality of the vulnerability; they appear on the hacker's profile, raise their position in the ranking and earn them invitations to private programmes.
     • Once the payments are completed, the bug report is closed.
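To make the scope check of step 1 and the duplicate check of step 4 concrete, here is a small Python triage helper. It is an added illustration, not HACKTIFY's platform code: the programme scope, the host patterns, the sample reports and the deduplication key (host, path, vulnerability class) are all constructed for this example, and a real platform deduplicates on richer criteria than this.

```python
"""Illustrative bug bounty triage helper (added example, not HACKTIFY's code).

Two checks a platform performs before forwarding a report to the programme
owner: is the reported target inside the programme scope, and has the same
issue already been reported?  Scope patterns, sample reports and the
deduplication key are all constructed for this example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass
class ProgrammeScope:
    """Host patterns from the Programme description (fnmatch style,
    e.g. '*.example.com').  Out-of-scope patterns always take precedence."""
    in_scope: list
    out_of_scope: list = field(default_factory=list)

    @staticmethod
    def _matches(host, patterns):
        return any(fnmatchcase(host, pattern) for pattern in patterns)

    def is_in_scope(self, target_url):
        host = (urlsplit(target_url).hostname or "").lower()
        if not host:
            return False                       # unparsable target: reject
        if self._matches(host, self.out_of_scope):
            return False                       # explicit exclusion wins
        return self._matches(host, self.in_scope)


@dataclass(frozen=True)
class ReportKey:
    """Simplified deduplication key: same host, same path, same bug class."""
    host: str
    path: str
    vuln_class: str


def report_key(target_url, vuln_class):
    parts = urlsplit(target_url)
    path = parts.path.rstrip("/") or "/"       # /login and /login/ are the same
    return ReportKey((parts.hostname or "").lower(), path,
                     vuln_class.strip().lower())


class Triage:
    """Decides what happens to each incoming report (first come, first served)."""

    def __init__(self, scope):
        self.scope = scope
        self.seen = {}                         # ReportKey -> id of first report

    def handle(self, report_id, target_url, vuln_class):
        if not self.scope.is_in_scope(target_url):
            return "out_of_scope"
        key = report_key(target_url, vuln_class)
        if key in self.seen:
            return "duplicate_of:" + self.seen[key]
        self.seen[key] = report_id
        return "forward_to_owner"


def run_sample():
    """Constructed programme and reports; returns the decision for each."""
    scope = ProgrammeScope(in_scope=["example.com", "*.example.com"],
                           out_of_scope=["staging.example.com"])
    triage = Triage(scope)
    reports = [
        ("R1", "https://app.example.com/login", "XSS"),
        ("R2", "https://app.example.com/login/", "xss"),      # same bug, later
        ("R3", "https://staging.example.com/login", "XSS"),   # excluded host
        ("R4", "https://example.com/", "SQLi"),
        ("R5", "https://example.org/", "XSS"),                # not ours at all
    ]
    return {rid: triage.handle(rid, url, cls) for rid, url, cls in reports}


if __name__ == "__main__":
    for rid, decision in run_sample().items():
        print(rid, decision)
```

Note that `*.example.com` does not match the apex `example.com`, so the apex must be listed explicitly, which mirrors how most programme descriptions are written; and an exclusion such as `staging.example.com` overrides the wildcard, so a tester who hits a forbidden host gets an out-of-scope verdict regardless of the bug's severity.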

Check out our services (https://www.hacktify.eu/en/services/) and get in contact if your company is in need of

  • a bug bounty programme
  • a vulnerability assessment or penetration test
  • a GDPR compliance review or
  • an IT security audit.

If we managed to arouse your interest, visit our webpage: https://www.hacktify.eu/en/home
