An effective approach to leverage the power of the security community

In the context of internet users increasingly imposing high standards on the products they use, businesses are inadvertently pushed into the race to develop products fast enough, good enough, and still be safe in the operation. The more frequently the software is updated, the more likely it is to have security flaws.

The solution to this problem is that developers must be faster than hackers in finding and fixing vulnerabilities in their products. An advanced approach here is to use crowdsourced security.

Broader Coverage

Crowdsourced security allows businesses to engage with a large number of security experts with diverse skills and expertise, which can help to identify vulnerabilities that may have been missed by internal security teams. Traditional security methods typically rely on a smaller group of in-house security experts

Risk Reduction

Crowdsourced security can provide a fresh perspective on security issues, as security experts from outside the organization may be able to identify vulnerabilities and attack vectors that internal teams may have overlooked


Crowdsourced security can be a cost-effective alternative to traditional security methods, as it allows businesses to tap into a large pool of security experts at a fraction of the cost of hiring a full-time security team

Positive Reputation

By launching a crowdsourced security program, businesses can demonstrate their commitment to security, which can help to build trust and improve their reputation

Faster Detection and Response

Crowdsourced security can help businesses quickly detect and respond to security vulnerabilities, as security experts are able to identify and report vulnerabilities in a timely manner

CyStack image
CyStack imageCyStack image

How it works

Scope and rules

We work with the customer to define the scope of the bug bounty program, which typically includes the systems or software that are eligible for testing, as well as the types of vulnerabilities that are eligible for rewards. The rules of the program are also established, including the reward amounts, the submission process, and the timeline for receiving rewards.

Program launching

We launch the bug bounty program in WhiteHub, announce it to the public, and provide details about the scope of the program


Ethical hackers, also known as bug hunters from WhiteHub community, then try to find vulnerabilities in the defined systems or software. They can use a variety of techniques and tools to discover these vulnerabilities, including manual testing, automated scanning, and penetration testing.


When a bug hunter finds a vulnerability, they report it to WhiteHub and provide detailed information about the vulnerability, including steps to reproduce it and any potential impacts or risks it poses.


We will verify the reported vulnerability to determine if it is a genuine security issue and if it meets the eligibility criteria for a reward.


If the reported vulnerability is valid and eligible for a reward, the bug hunter receives a payout according to the reward structure established in the program. The reward amount can vary depending on the severity of the vulnerability, the impact it could have on the company or its customers, and the level of effort required to discover it.


The customer then fixes the vulnerability and may reach out to the bug hunter for additional information or assistance in verifying that the fix is effective.

Public disclosure

Once the vulnerability is fixed, the customer may publicly disclose the issue and credit the bug hunter for their contribution to the security of their systems.

Our Approaches

Vulnerability Disclosure ProgramManaged Bug Bounty
Suitable for
Businesses that have an in-house security team who can manage a bug bounty program
Businesses that don't have an in-house security team or have one but don't want to spend more human resources on bug bounty managing
Vulnerabilities Triaged by Who will discuss with the reporters and verify the submission
The Client
The WhiteHub Team
Branded Domain The program is hosted at a domain/subdomain of the client, not the WhiteHub domain
Number of Programs The maximum number of programs a customer can launch
Up to 2
Up to 4
Program Visible to Who can see and join the program
Everyone, or only invited researchers
Program Policy Built by How the program policy is built
The Client, based on the basic policy
The Client, with consults from the WhiteHub team
Promoted via Channels used to promote the programs
Free channels (social networks, chat groups, etc)
Both free and paid channels (advertising, newspapers, etc)
Pre-Assessment WhiteHub team will perform security tests before launching the program
Vulnerability assessment and penetration testing
Support Channels The channel to get support from the WhiteHub team
Ticket, chat
Ticket, chat, phone, and prioritized support
Researchers Selected Based on Rules to select security researchers for the program
No specific criteria
Skillset, reputation points, certificates, NDA
Triage Analysts Rules to assign a triage analyst to work on a new finding
Predetermined, Random, or Round-robin

Manage your cyber risks in a security platform

CyStack avatar Manage your cyber risks in a security platform

Get an overview of your security posture just on one screen

CyStack avatar Manage your cyber risks in a security platform

Discover automatically new vulnerabilities and attack surfaces

CyStack avatar Manage your cyber risks in a security platform

Collaborate effortlessly with your team, CXOs, and our security experts

CyStack avatar Manage your cyber risks in a security platform

Get all details of each vulnerability (descriptions, steps to reproduce) and comprehensive, actionable guidelines to resolve it.

CyStack avatar Manage your cyber risks in a security platform

Comment and discuss directly on each finding, avoiding endless phone calls and emails

CyStack avatar Manage your cyber risks in a security platform

Prioritize the most effective solutions based on ROI and optimize your developers' time

CyStack avatar Manage your cyber risks in a security platform

Speed up the security testing process with a streamlined approach

CyStack avatar Manage your cyber risks in a security platform

Integrate findings into your productivity tools (Slack, Jira, Trello)

Compliance-driven penetration test

CyStack's pentest provides comprehensive testing that encompasses all the essential requirements necessary to attain compliance with ISO 27001, HIPAA, SOC2, GDPR standards, and other frameworks.

CyStack Compliance-driven penetration test
CyStack Compliance-driven penetration test
CyStack Compliance-driven penetration test
CyStack Compliance-driven penetration test
CyStack Compliance-driven penetration test



Initial consultation

The customer and WhiteHub team will have an initial consultation to discuss the customer’s security objectives, the scope of the program, and the types of vulnerabilities that will be in scope.


Program setup

The WhiteHub team will work with the customer to set up the program, which includes creating a customized submission form and workflow, setting up the reward system, and configuring the program’s scope.


Program operation

Once the program is set up, WhiteHub will launch the program and invite security researchers to participate via our promotional campaigns, and then we wait for submissions and work on them.


Reporting and analytics

WhiteHub provides comprehensive reporting and analytics, providing organizations with detailed insights into the effectiveness of their big bounty program.


Ongoing support

WhiteHub offers ongoing support and guidance to ensure the smooth operation of the bug bounty program.

Trusted by leading security-aware companies organizations across the world

CyStack partner cake
CyStack partner Sendo
CyStack partner ACB
CyStack partner Momo
CyStack partner Mitsubishi
CyStack partner vntrip
CyStack partner Agribank
CyStack partner OpenEcommerce
CyStack partner OneMount
CyStack partner GHTK

Protect your system,

protect the future of your business