“Bug bounties” are a great idea — crowdsourcing security testing by offering a reward to “white-hat” hackers who find and report vulnerabilities in your system. However, only large corporations can afford to pay large rewards for every bug. What if someone designed a platform that turned these hunts into competitions that businesses of any size could afford? That’s what award-winning French startup Buglab aims to do.
This is a sponsored article provided by Vanbex Group.
Smaller Companies Need Affordable Security Testing
There are also a number of other reasons to create a formal crowdsourcing process for penetration testing (“pen-testing”), said Buglab founder Reda Cherqaoui.
Corporate pen-testing is a costly function. Typically, a team of two or three cybersecurity consultants would work together to attempt to break into a corporate system, and create a report to send to the company’s IT security department.
Not only that, but companies often didn’t think to pen-test until after they’d already suffered a breach. While big business is becoming more proactive, small and medium-sized enterprises don’t have the resources or funds.
“Companies would rather pay for an AdWords campaign than check and evaluate their security level,” Cherqaoui said. “It’s hard for them to see the value until it’s too late.”
Smaller companies were getting hacked just as regularly as (if not more often than) the large ones, he added, but didn’t get the same media coverage. Therefore, it’s easy to think this common problem doesn’t exist.
A formal pen-test could take around two weeks to complete and cost about 700-900 EUR per day — way beyond a small business’s reach.
“So let’s think about a way to make those small and medium sized businesses — because there are a lot — launch pen-test solutions,” Cherqaoui continued.
Crowdsourcing Pen-Testing and Paying White-Hats
The solution? Buglab uses Ethereum smart contracts to create a challenge campaign, and invites certified pentesters to join in.
You could say Buglab is “gamifying” the pen-testing process. Testers report the bugs they find in real-time, and their findings are then timestamped on the blockchain, triaged, scored by importance, and ranked.
Rankings are updated live and participants can see a scoreboard of who’s “winning”. At the end of the challenge, the top three bug-finders receive a reward. There’s also a bonus for someone who happens to find a bug not discovered by the top three winners.
Buglab is offering three plan tiers for campaigns: basic, professional and enterprise, designed to be affordable for smaller businesses. At the top level, a company can choose however many “winners” it likes.
Participants would be paid in Buglab’s BGL token — an ERC-20 tradable currency. The total payouts may be lower than those you’d find in large corporate bug bounties, but remember that these challenges probably wouldn’t even happen if not for Buglab’s offering. And many budding testers were doing it as a hobby anyway, to hone their skills and maybe get some recognition.
Originally from Morocco, Cherqaoui launched Buglab in 2016. He and his team moved to France’s cybersecurity hub of Bretagne after winning a place in the prestigious government-sponsored “French Tech Ticket” tech startup accelerator, season two.
The ‘Vigilante Protocol’
Buglab would require competition participants to have a certification in IT security, to ensure a degree of professionalism.
There was also a need to protect the white-hat hackers themselves, he said.
When he was younger, he’d try to test the strength of corporate networks by himself and unsolicited, reporting any vulnerabilities he found to the company’s CTO. However, rather than being grateful for the free service, the executives would often threaten to sue the hacker.
This left many would-be volunteer security testers afraid to (a) test the systems, and (b) report flaws they found. “One CTO even got fired himself after a bug was reported,” Cherqaoui said.
However, in France there is actually a law to protect those white-hat hackers who help companies by reporting bugs — so this may encourage more white-hats to participate in the vigilante protocol, he added.
Buglab would create a smart contract called the “Vigilante Protocol” for white-hat hackers to safely report bugs they found outside its formal challenge competitions.
“Our Vigilante Protocol is a system that allows white-hat researchers to report on system vulnerabilities of a company that isn’t one of our platform’s customers,” Cherqaoui said. “We invite companies to reward the white-hats in the form of optional tips or gratuity when they discover flaws. It’s a way for companies to obtain recommendations for their solutions from watchful guardians at little cost to them.”
“Our Vigilante Protocol Smart Contract enables communication of sensitive information in a confidential and secure manner through the applicable certified national authorities, namely computer security incident response teams (CSIRT), which are administered by many countries across the globe. In addition to notifying the company in question of a vulnerability, CSIRT and Computer Emergency Response Teams (CERT) will themselves have to triage and score it. In return, once the company marks a vulnerability as resolved, the response teams will be rewarded tokens that come out of the Vigilante Protocol Reserve (VPR), as partnerships are forged with Buglab.”
Formal Relationships With CERTs and CSIRTs
Buglab is building partnerships with different national Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs).
Bugs are reported to Buglab, which transfers them to the CERT or CSIRT of the country where the concerned company is incorporated or resides. Then, once the vulnerability is fixed, the Vigilante Protocol contract would reward the white-hat directly, and/or offer to hold a Buglab contest to discover any other potential threats.
In all, Buglab’s system aims to make security testing available to businesses of all sizes, in a way that rewards participants — and makes the entire process more interesting.
Does this sound like an interesting idea that could improve security for all? Tell us what you think in the comments.
Images via Buglab