Why would an organization invite hackers to break into its assets and products?
Vulnerability Disclosure Programs (VDPs) and Bug Bounty Programs (BBPs) have a proven track record of finding security vulnerabilities.
Granting security researchers permission to test your software and systems is an effective way to receive more vulnerability reports, which gives your organization more knowledge of and control over its attack surface and ultimately reduces risk.
In fact, the Pentagon, the US Army, and the US Air Force are already doing it. They worked with security researchers from all over the world and found the approach effective.
The images below show the results of their programs. Image credit: HackerOne.
Does Secuna comply with ISO standards?
Yes. Secuna adheres to ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling processes). In accordance with ISO 29147, Secuna has an established process through which vulnerabilities disclosed by a security researcher are reviewed and triaged, and the customer receives the validated report together with the appropriate resolution information. In line with ISO 30111, Secuna provides your team with remediation advice and the information it needs to begin resolving vulnerabilities that have been both triaged and validated.
What is the relationship between the customer and security researchers?
Security researchers, hackers, and bug bounty hunters are non-employee independent contractors of Secuna and have no contractual relationship with the customer. The terms that govern Secuna's relationship with security researchers are set out in the Disclosure Policy.
How do you screen security researchers?
At Secuna, we want to make sure that every security researcher on our platform is trusted and professional. To do so, we perform the following steps:
Soon, we will also implement a Technical Assessment to ensure that researchers are skilled enough to test our customers' assets.
Security researchers from around the world may participate, except for researchers from countries against which the US has issued export sanctions or other trade restrictions (e.g., North Korea, Iran, Iraq).
Are the bugs found by security researchers kept confidential?
By default, every security program requires that all discovered vulnerabilities be kept confidential. A customer may permit security researchers to publicly disclose a vulnerability for general interest. Secuna encourages all customers to consider this option, but it is not required.
What happens if a security researcher “goes rogue” and discloses a security vulnerability publicly?
In practice, incidents of full public disclosure are extremely rare, and we actively work to prevent them.
Our Disclosure Policy describes what conduct is acceptable and unacceptable. We closely monitor the correspondence and behavior of Secuna security researchers, and researchers who fail to comply with the policy are penalized.
In the case of an incident involving public disclosure, our team contacts the security researcher, asks them to delete the vulnerability details they have posted, and warns them of the potential consequences of unauthorized disclosure.
Secuna reserves the right to issue a warning to the security researcher and/or to temporarily or permanently revoke their access to the Secuna platform, depending on the severity of the breach.
I do not want security tests to be run on my production environment. How can I avoid this?
In practice, security testing in production is recommended: production has the most realistic data and configuration, and it is the environment that cybercriminals can reach regardless of what you test.
Security testing does not usually have any negative impact on the systems under test. If you still want to keep testing out of production, the best way is to set up a separate testing environment populated with sample data and to list only that environment as in scope for the program.
What types of things can your security researchers test?
Security researchers on the Secuna platform can assess and test anything built with code. Researchers love testing mobile apps, web applications, hardware, IoT devices, and everything in between.
Researchers are more active, and more likely to find severe vulnerabilities, in programs that offer bug bounties.
Which payment options are available?
PayPal is our primary method of payment, and we occasionally pay bounties in Bitcoin. If we are unable to process a bug bounty through PayPal for any reason, please contact our support team at [email protected] and we will find another way to pay the bounty to the security researcher.