An effective approach to leveraging the power of the security community
Internet users impose ever higher standards on the products they use, so businesses are inevitably pushed into a race to ship products that are fast enough and good enough while still being safe to operate. The more frequently software is updated, the more new code reaches production with less time for review, and the more likely it is to carry security flaws.
The answer is that developers must be faster than attackers at finding and fixing vulnerabilities in their products. One proven way to do that is crowdsourced security.
Broader Coverage
Crowdsourced security lets businesses engage a large number of security experts with diverse skills and experience, who can identify vulnerabilities that internal security teams have missed. Traditional security assessments typically rely on a small group of in-house experts or a single consulting team.
Risk Reduction
Crowdsourced security brings a fresh perspective: researchers from outside the organization routinely find vulnerabilities and attack vectors that internal teams, familiar with the intended design, have overlooked.
Cost-effective
Crowdsourced security can be a cost-effective complement to traditional methods: rewards are paid only for valid findings, so businesses tap into a large pool of security experts at a fraction of the cost of hiring an equivalent full-time team.
Positive Reputation
By launching a crowdsourced security program, businesses demonstrate their commitment to security, which helps build trust with customers and improves their reputation.
Faster Detection and Response
Because many researchers test continuously rather than during a single scheduled assessment, vulnerabilities are reported as they are found, and the business can fix them before they are exploited.
How it works
Scope and rules
We work with the customer to define the scope of the bug bounty program: the systems or software eligible for testing, and the types of vulnerabilities eligible for rewards. The rules of the program are established at the same time, including the reward amounts for each severity level, the submission process, and the timeline for paying rewards.
Program launching
We launch the bug bounty program on WhiteHub, announce it to the public, and publish the details of its scope and rules.
Testing
Ethical hackers (bug hunters) from the WhiteHub community then try to find vulnerabilities in the systems or software in scope. They use a variety of techniques and tools to discover them, including manual testing, automated scanning, and penetration testing.
Reporting
When a bug hunter finds a vulnerability, they report it through WhiteHub with detailed information: the affected target, the steps to reproduce it, and the impact or risk it poses.
Validation
We verify the reported vulnerability to determine whether it is a genuine security issue and whether it meets the eligibility criteria for a reward: it must be reproducible, within the program's scope, and not a duplicate of an earlier report.
Reward
If the reported vulnerability is valid and eligible, the bug hunter receives a payout according to the reward structure established for the program. The reward amount depends on the severity of the vulnerability, the impact it could have on the company or its customers, and the effort required to discover it.
Fixing
The customer then fixes the vulnerability and may reach out to the bug hunter for additional information or for help verifying that the fix is effective.
Public disclosure
Once the vulnerability is fixed, the customer may publicly disclose the issue and credit the bug hunter for their contribution to the security of its systems.
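As an added example of the validation step in the workflow above (this is illustration code, not WhiteHub's own triage tooling), the following Python sketch checks a submitted report against the program's scope, filters out ineligible vulnerability classes and duplicates, and maps a CVSS score to a reward tier. The scope patterns, vulnerability classes, reward amounts and tier boundaries are assumed placeholders; the sample reports in the usage are constructed.

```python
"""Hypothetical bug bounty triage helper (added example, not WhiteHub code)."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Reward tiers keyed by CVSS v3 base score floors. The amounts are assumed
# placeholders, not any real program's reward structure.
REWARD_TIERS = [
    (9.0, "critical", 2000),
    (7.0, "high", 1000),
    (4.0, "medium", 400),
    (0.1, "low", 100),
]


@dataclass
class Scope:
    in_scope: list        # hostname patterns such as "*.example.com" or "api.example.com"
    out_of_scope: list    # exclusions always take precedence over in_scope
    eligible_classes: set # vulnerability classes that qualify for a reward


@dataclass
class Report:
    target: str           # URL supplied by the bug hunter
    vuln_class: str
    cvss: float


def host_matches(pattern: str, host: str) -> bool:
    """Match a hostname against one scope pattern.

    A wildcard "*.example.com" covers subdomains only: it does not match the
    apex "example.com" (list it explicitly if it is in scope), and it must not
    match look-alike hosts such as "example.com.attacker.net" or "notexample.com".
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # "*.example.com" -> ".example.com"
    return host == pattern


def in_scope(scope: Scope, host: str) -> bool:
    """Exclusions win over inclusions, so a carved-out host is never eligible."""
    if any(host_matches(p, host) for p in scope.out_of_scope):
        return False
    return any(host_matches(p, host) for p in scope.in_scope)


def severity_and_reward(cvss: float):
    for floor, name, amount in REWARD_TIERS:
        if cvss >= floor:
            return name, amount
    return "informational", 0


def fingerprint(report: Report) -> tuple:
    """Duplicate key: same vulnerability class on the same host and path."""
    u = urlparse(report.target)
    return (report.vuln_class, u.hostname, u.path.rstrip("/") or "/")


def triage(report: Report, scope: Scope, seen: set) -> dict:
    """Decide whether a report is eligible and, if so, what it pays."""
    host = urlparse(report.target).hostname or ""
    if not in_scope(scope, host):
        return {"status": "out_of_scope", "reward": 0}
    if report.vuln_class not in scope.eligible_classes:
        return {"status": "ineligible_class", "reward": 0}
    key = fingerprint(report)
    if key in seen:
        return {"status": "duplicate", "reward": 0}
    seen.add(key)
    severity, amount = severity_and_reward(report.cvss)
    return {"status": "accepted", "severity": severity, "reward": amount}


if __name__ == "__main__":
    # Constructed sample program and reports.
    program = Scope(in_scope=["*.example.com", "example.com"],
                    out_of_scope=["legacy.example.com"],
                    eligible_classes={"sqli", "xss", "idor"})
    already_seen = set()
    for r in [Report("https://api.example.com/users?id=1", "sqli", 9.1),
              Report("https://api.example.com/users/", "sqli", 8.0),
              Report("https://legacy.example.com/login", "xss", 6.5),
              Report("https://example.com.attacker.net/", "idor", 7.5)]:
        print(r.target, triage(r, program, already_seen))
```

The two checks practitioners most often get wrong are encoded in host_matches and in_scope: a wildcard must not be implemented as a plain substring test, or an attacker-controlled look-alike domain becomes "in scope", and an explicit exclusion must override any wildcard that would otherwise cover it.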
Our Approaches
Manage your cyber risks in a security platform
Get an overview of your security posture on a single screen
Automatically discover new vulnerabilities and attack surface
Collaborate effortlessly with your team, CXOs, and our security experts
Get all details of each vulnerability (descriptions, steps to reproduce) and comprehensive, actionable guidelines to resolve it.
Comment and discuss directly on each finding, avoiding endless phone calls and emails
Prioritize the most effective solutions based on ROI and optimize your developers' time
Speed up the security testing process with a streamlined approach
Integrate findings into your productivity tools (Slack, Jira, Trello)
Compliance-driven penetration test
CyStack's penetration test covers the security testing requirements of ISO 27001, HIPAA, SOC 2, GDPR and other frameworks, producing the evidence an audit expects.
Workflow
Initial consultation
The customer and the WhiteHub team hold an initial consultation to discuss the customer's security objectives, the scope of the program, and the types of vulnerabilities that will be in scope.
Program setup
The WhiteHub team works with the customer to set up the program: creating a customized submission form and workflow, setting up the reward system, and configuring the program's scope.
Program operation
Once the program is set up, WhiteHub launches it, invites security researchers to participate through our promotional campaigns, and then triages submissions as they arrive.
Reporting and analytics
WhiteHub provides comprehensive reporting and analytics, giving organizations detailed insight into the effectiveness of their bug bounty program.
Ongoing support
WhiteHub offers ongoing support and guidance to ensure the smooth operation of the bug bounty program.