Managed Bug Bounty helps One Mount Group enhance the overall security posture of the VinShop and VinID applications while ensuring customer data safety.
Our client
One Mount Group is a large technology ecosystem in Vietnam, providing solutions across the entire value chain: retail, distribution, real estate, and financial services. One Mount's applications include VinID, VinShop, and OneHousing.
VinID is a multi-purpose loyalty-point and e-wallet application. Users accumulate and redeem points when shopping at WinMart/WinMart+ and pay cashlessly through the VinID Pay e-wallet. The application also offers apartment management features through OneHousing, as well as bill payments, phone top-ups, and the purchase of entertainment tickets.
VinShop is a solution for grocery store owners, implementing a B2B2C model with three main participants: businesses that own products, businesses that distribute them, and businesses that provide communication and customer platforms. VinShop gives store owners access to a diverse range of goods at attractive prices, supports flexible stock import and order management, offers many payment methods, and ensures quick delivery. The platform also supports effective product introduction and customer engagement programs.
Solutions
One Mount has its own team of highly qualified security personnel and has conducted internal security assessments of its applications. However, One Mount also wanted to test the security of those applications in production and to evaluate what an attacker could achieve from the perspective of an ordinary user.
To address this, One Mount decided to implement the Managed Bug Bounty solution, supported by a team of experts from CyStack, to raise its security to the highest level.
Target under test: mobile applications.
Evaluation steps include:
- Step 1: CyStack experts diagnose and analyze vulnerabilities, then submit detailed reports for both VinID and VinShop to the WhiteHub program, a bug bounty platform developed by CyStack.
- Step 2: The CyStack team receives and acknowledges the reports from the experts and performs triage to determine the priority and severity of each vulnerability.
- Step 3: Once triaged, our experts reproduce the vulnerability to validate it, classify it, and assess its severity. Based on the results, the report is moved to the Accepted - Unresolved state or to the corresponding Rejected state.
- Step 4: CyStack communicates with the security team at One Mount to confirm the details and agree on the reward for each accepted report.
- Step 5: After the reward is agreed, One Mount carries out the payment process so that the experts who participated in the bug bounty program receive their rewards.
- Step 6: One Mount begins patching the vulnerability and notifies the reporting experts so they can re-test the report once the vulnerability has been resolved.
- Step 7: If the vulnerability is completely patched, its status is changed to Accepted - Resolved; otherwise, the patching process is repeated until all problems are resolved.
Additionally, CyStack sends One Mount a monthly report summarizing the vulnerabilities discovered and their remediation status, helping them maintain a safe and secure environment for their applications.
Results
The results obtained from the bug bounty program on the WhiteHub platform are as follows:
VinID program:
- Total number of reports received: 21
- Total number of valid reports: 9 (including 2 duplicates): 1 critical, 4 medium, and 2 low.
- Total amount awarded: 14,000,000 VND, of which the highest single reward was 10,000,000 VND.
VinShop program:
- Total number of reports received: 19
- Total number of valid reports: 2, including 1 medium and 1 low.
- Total amount awarded: 1,000,000 VND.
About Bug Bounty Program
A bug bounty program is a form of crowdsourced security that encourages individuals or groups, known as “white hat hackers,” to identify and report security vulnerabilities in a company's software or systems. Companies reward the white hat hackers who discover and report these vulnerabilities with money, gifts, or recognition.
The purpose of the program is to identify and resolve security vulnerabilities in a timely and effective manner, while providing a safe and secure channel for white hat hackers to report vulnerabilities, helping organizations improve security and reduce the risk of cyber-attacks and data breaches. Such programs can be used to test the security of a wide variety of systems and applications, including web applications, mobile applications, and IoT devices.
One platform that regularly hosts bug bounty programs is WhiteHub, the first and largest community security platform in Vietnam, developed by the CyStack team. WhiteHub helps businesses launch their own bug bounty programs to find vulnerabilities efficiently, with the participation of more than 3000 security experts.
For detailed information, please visit: https://whitehub.net/
Customer Services
CyStack has provided comprehensive support, in both manpower and time, in processing reports from security experts for One Mount, helping the customer complete the security assessment process.
We have dedicated ourselves not only to implementing disciplined measures to identify, assess, and address vulnerabilities, but also to optimizing engagement and communication. Leveraging the talent and in-depth knowledge of our team of security experts, we assisted One Mount in reproducing and validating the vulnerabilities.
Throughout the engagement, we held regular exchange meetings, ensuring that One Mount had the support it needed to reach accurate and reliable conclusions.
Quotes
“Even with abundant financial resources, there are still numerous challenges in recruiting, building, and maintaining a well-suited security team.” – Mr. Nguyen Thanh Tung, Head of Product Security of One Mount Group.
“In Vietnam, organizations face a considerable obstacle when it comes to recruiting cybersecurity professionals. Despite the growing demand, the workforce in this sector remains restricted, especially the scarcity of highly skilled individuals.” – Mr. Nguyen Huu Trung, Founder & CEO of CyStack.
“I believe it would be better if businesses had a professional in-house security team. However, this is sometimes not feasible in the current context of personnel shortage. Therefore, an alternative approach would be to leverage crowdsourced security.” – Mr. Nguyen Huu Trung, Founder & CEO of CyStack.
“External experts are highly proactive and possess extensive knowledge of different security vulnerabilities, enabling them to timely and efficiently identify such weaknesses. As a result, the internal security team can concentrate on addressing product-related security issues as quickly as possible before the products are released to the market.” – Mr. Nguyen Thanh Tung, Head of Product Security of One Mount Group.