— Why did you decide to build a Bug Bounty platform in Russia? What prevents you from turning to security companies like yours to check the code of programs, applications, websites like before?
– We believe that only hackers can provide the best security check for a company. The platform is exactly what is needed for the client to have access to a wide range of independent experts, “white hat” hackers. We saw the shortcomings of the platforms in a classical approach where the main task of the researchers was to find the vulnerabilities. We rethought this format and made a new one – a format for executing invalid events when a hacker needs to develop an attack and show how critical it can be to the system.
There are not many experts in the penetration testing field with the required level of experience. An information security company is 10, 20 or 50 pentesters. And the Bug Bounty platform has many more of these. Also, Bug Bounty is a huge community whose members have more skills combined than the team of an information security company.
Even a well-coordinated and assembled team of pentesters cannot provide such a rotation of insights, techniques, and ideas as massive hacker traffic provides – in the case of Bug Bounty, researchers with different specializations, preferences and experience will work – and a greater variety and number of them will make it possible to search for the gaps.
For example, as a customer, you want to check your mobile app for security vulnerabilities. How many researchers can be so specialized in an information security company? Well, two, three … And if you search for hackers through Bug Bounty, there will be a lot more of them. As a result, many more vulnerabilities will be found.
– How many such hackers do you think there are in Russia?
— According to our estimates, there are about 2,000 good experts who have participated in other Bug Bounty programs before and understand what it is. However, taking into account the beginners, in the future there will be about 10 thousand hackers, who will become the same experts and join the ranks of the above-mentioned 2 thousand highly qualified specialists.
– Are you going to attract white hat hackers from abroad?
– We’re definitely going to. And we are now meeting with lawyers and financial advisors to identify possible options for legal payment.
– How do you determine that a foreign hacker really wants to help and is not collecting information about security vulnerabilities in the Russian Federation to pass it on to the government of another country?
– A company can be hacked without Bug Bounty. However, if it decides to host its program, it must accept the risk of being hacked as a result of or after participating in the Bug Bounty.
After all, pentesters control the infrastructure available to everyone for possible hacking. So “black” hackers can come and take and hack infrastructure in exactly the same way as “white” hackers.
The only difference is that a “white hat” hacker participating in the Bug Bounty informs the client company about the discovered vulnerability, receives a reward for it and is proud of the work done. And the “black” hacker will sell the discovered vulnerability and can be held liable as the act committed is a crime.
— So you don’t know who the hackers who come to your platform really are?
– Our job is to mediate. As aggregators, we bring in the hackers, we bring in the clients, and then we establish a connection between them. In this case, the clients may put forward terms that the hacker may or may not agree to. Such a condition may be, for example, the disclosure of the pentester’s identity. However, identifying participants is not the main task of the Bug Bounty platform.
– What do customers think about the anonymity of people who hacked them? Are you often asked to reveal the identity of a hacker?
— In fact, we have a large demand from businesses to promote the identity of researchers. Companies come and say, “I am very afraid that the weaknesses in my system will be mentioned somewhere”. In such cases, we recommend adding detected “white hat” hackers to the program. But at the same time, we agree with the client that, in terms of promotion, the number of experts responding will be much less than under conditions of anonymity. There are very few hackers willing to work publicly.
– How much?
– About 5% of the above-mentioned number, which is a very “weak” share.
For customers who want to check their infrastructure and software, but do not agree to work with hackers on condition of anonymity, it would probably be more appropriate to apply for a special pentest to the information security companies we mentioned at the beginning.
– Do pentesters violate the rules of Bug Bounty platforms? For example, could they publish information about a vulnerability found in the client’s infrastructure?
– There are such cases, but they are very few in number; this is more of a mistake.
When a hacker comes to the Bug Bounty platform, he understands why he did it. It is much more profitable for him to work with a client in a trusting relationship and do no harm.
Sometimes a Bug Bounty client might say: “We’re going to have a new service where you can search for vulnerabilities, but we don’t want to advertise it.” It then invites selected hackers to try the service, knowing that they trust it and that they will be responsible for disclosing information.
The hacker who first enters the closed service is more likely to find vulnerabilities and therefore be rewarded for them.
– Still, how will you punish hackers who violate the rules of the platform?
– This is the complete removal of the hacker from the platform or the disconnection of a particular client from its program. We will also downgrade the violators and possibly deprive them of the promised payments in agreement with the client. However, these cases will be discussed separately.
— Does your platform have a system to punish criminal pentesters?
— We don’t have any specific actions for these cases as they will all be unique. We’ll need to talk to the client, then we’ll need to talk to the hacker. If possible, understand why the problem arose: why the hacker or customer is unhappy. And then make a decision in favor of one, based on the arguments of both parties.
We will act as an arbitrator on our platform, meeting the interests of both the client and the hacker.
– After February 24, HackerOne, the world’s largest bug bounty platform, refused to cooperate with Russian hackers and excluded Russian companies from its customers. How did the hackers handle this event?
– They are unemployed. I am in different chats and see that their participants are looking for other platforms with no payment limits for citizens of the Russian Federation. There aren’t many public bug bounty programs in Russia. “Yandex”, “Azbuka Vkusa”, perhaps some other companies independently pay for the discovery of vulnerabilities in their products. But private programs don’t compare to a platform where such rewards programs appear regularly.
– And how does HackerOne understand that a hacker from Russia is approaching them?
– To get paid by HackerOne, hackers add their SWIFT account details to the profile. From them you can understand where the payments go. And there weren’t so many companies that you couldn’t find them on the platform and understand that they are from Russia.
– Was the excommunication of Russian hackers from HackerOne a reason you launched your Bug Bounty platform?
– No. We started the development of the project before then, and we talked about the launch date of the platform at the last The Standoff in November 2021. This is in line with our ideas on effective cybersecurity, and we believe verification of systems and IT infrastructures by independent experts is the final step in checking the level of information security effectiveness.
– When the average person imagines the interface of a Bug Bounty platform, it seems that various hackers must have scary avatars with scores that reflect their “coolness”. Will it be like that?
– I think it will. This is a subculture, so clowns appear in avatars there, followed by some characters from the memes. Funny and cool.